CVE-2018-8235: Security Feature Bypass Bug in Edge, Patch Now!


An independent security researcher has accidentally uncovered an unusual, high-severity browser vulnerability in Microsoft Edge, identified as CVE-2018-8235. In short, the vulnerability would allow a malicious website to retrieve content from other sites by playing audio files in an unintended way.

According to Jake Archibald, the researcher who unearthed the flaw, the bug is huge and “it means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing”. The researcher dubbed the bug Wavethrough.

CVE-2018-8235 Official MITRE Description

A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka “Microsoft Edge Security Feature Bypass Vulnerability.”

CVE-2018-8235: the Wavethrough Bug Explained

When is the bug triggered? When a malicious website uses so-called service workers to load multimedia content within an audio tag from a remote site, while using the “range” parameter to load a specific part of the same file.

The researcher also added that:

I pretended to be a hacker and wrote down all the attacks I could think of, and Anne van Kesteren pointed out that some of them were possible without a service worker, as you can do similar things with redirects.

In addition, due to discrepancies in the way browsers handle files loaded with the help of service workers within audio tags, it is possible to load any content inside the malicious site. Usually this wouldn’t happen, as CORS (Cross-Origin Resource Sharing) steps in to prevent sites from loading resources from other sites.


However, under these unusual circumstances, the malicious site can issue “no-cors” requests which would not be detected as unusual by the receiving site, be it Facebook, Gmail or some news outlet. As a result, the malicious site can load content that is protected by authentication and should otherwise not be loadable.
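In browsers that send Fetch Metadata request headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`), which this article does not cover, the receiving site can recognise this request pattern and refuse it. The following server-side check is an added example, not code from the researcher or from Microsoft; the function name `decide`, the `EMBEDDABLE` list and the sample request are assumptions constructed for illustration.

```javascript
// Resource isolation check for a site that serves authenticated content.
// Hypothetical names: decide(), EMBEDDABLE. Header keys are lower-case,
// as Node's http module delivers them.
const EMBEDDABLE = new Set(['/static/logo.png']); // constructed: assets meant for cross-site embedding

function decide(method, path, headers) {
  const site = headers['sec-fetch-site'];
  const mode = headers['sec-fetch-mode'];
  const dest = headers['sec-fetch-dest'];

  // Browsers without Fetch Metadata send none of these headers; this
  // policy lets them through, so it is defence in depth, not a fix.
  if (site === undefined) return { allow: true, reason: 'no-fetch-metadata' };

  // Requests from our own pages, or typed/bookmarked by the user.
  if (['same-origin', 'same-site', 'none'].includes(site))
    return { allow: true, reason: 'trusted-initiator' };

  // Cross-site links that open a page as a top-level document.
  if (mode === 'navigate' && method === 'GET' && dest === 'document')
    return { allow: true, reason: 'top-level-navigation' };

  if (EMBEDDABLE.has(path)) return { allow: true, reason: 'public-asset' };

  // Everything else is a cross-site subresource request. Flag the
  // media-element case from the article separately for logging.
  const media = mode === 'no-cors' && (dest === 'audio' || dest === 'video');
  const reason = media
    ? ('range' in headers ? 'cross-site-media-range' : 'cross-site-media')
    : 'cross-site-subresource';
  return { allow: false, reason };
}

// Constructed sample: another site's <audio> element requesting a slice of an inbox page.
const sample = decide('GET', '/mail/inbox', {
  'sec-fetch-site': 'cross-site',
  'sec-fetch-mode': 'no-cors',
  'sec-fetch-dest': 'audio',
  range: 'bytes=0-1023',
});
console.log(sample); // the server would answer 403 instead of the inbox
```

A server would call `decide` before running any authenticated handler and log the `reason` for rejected requests.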

Firefox Partially Affected by CVE-2018-8235

The other browser that appears to be affected by this bug is Firefox. Chrome and Safari appear to be untouched. More specifically, only in-development Firefox Nightly versions were affected, but the bug has since been fixed and did not make it into the official Firefox Stable release.

Microsoft has also addressed the bug in its June 2018 Patch Tuesday.

As for Chrome, the researcher believes that Google patched the vulnerability unintentionally in 2015, when implementing other patches related to another bug.





Milena Dimitrova
