Two unpatched zero-day vulnerabilities lurk in Microsoft Edge and Internet Explorer, and there’s even proof-of-concept code available.
The flaws were discovered by 20-year-old security researcher James Lee, and they could allow a malicious website to perform universal cross-site scripting attacks against any domain visited via the above-mentioned web browsers.
Researcher Finds Vulnerabilities in Microsoft’s Browsers, Microsoft Does Not Patch Them
The two vulnerabilities, which affect the latest versions of Internet Explorer and Edge, could allow a remote attacker to bypass the same-origin policy on vulnerable browsers.
What is the Same Origin Policy (SOP)? In short, SOP is a crucial concept in the web application security model. Under this policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.
How can the vulnerabilities in the two browsers be exploited? To exploit the flaws, an attacker would have to trick the potential victim into opening a malicious website.
In a conversation over email with The Hacker News, Lee said that “the issue is within Resource Timing Entries in Microsoft Browsers which inappropriately leak Cross-Origin URLs after redirection.”
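As an added illustration (not Lee's PoC and not code from the original article), the sketch below models the same-origin comparison and a check for the class of leak Lee describes: a timing entry whose reported URL comes from a later, cross-origin hop of a redirect chain rather than the URL the page requested. The function names, the `.example` hosts and the redirect chain are constructed assumptions.

```javascript
// Added illustration; function names are hypothetical, sample data is constructed.

// An origin is the (scheme, host, port) triple. The URL API normalises
// default ports, so https://a.example and https://a.example:443 match.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  const ob = new URL(b).origin;
  // Opaque origins (data:, file:, ...) serialise to "null" and never match.
  if (oa === 'null' || ob === 'null') return false;
  return oa === ob;
}

// pageUrl:      the document that triggered the fetch
// chain:        URLs the fetch went through; chain[0] is what the page asked for
// reportedName: the URL a timing entry exposed to the page's scripts
// Flags entries that reveal a cross-origin URL the page did not already know.
function checkTimingEntry(pageUrl, chain, reportedName) {
  if (reportedName === chain[0]) {
    return { leak: false, reason: 'requested URL, already known to the page' };
  }
  const hop = chain.indexOf(reportedName);
  if (hop === -1) {
    return { leak: false, reason: 'not part of this redirect chain' };
  }
  if (sameOrigin(pageUrl, reportedName)) {
    return { leak: false, reason: 'redirect hop is same-origin with the page' };
  }
  return { leak: true, reason: `cross-origin URL from redirect hop ${hop}` };
}

// Constructed sample: site-a embeds a site-b resource that redirects.
const PAGE = 'https://site-a.example/index.html';
const CHAIN = [
  'https://site-b.example/start',
  'https://site-b.example/account/12345',
];

function demo() {
  return CHAIN.map((name) => ({ name, ...checkTimingEntry(PAGE, CHAIN, name) }));
}

for (const row of demo()) {
  console.log(row.leak ? 'LEAK ' : 'ok   ', row.name, '-', row.reason);
}
```

Only the second entry is flagged: the page chose the first URL itself, while the post-redirect URL is information that belongs to the other origin.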
The researcher got in touch with Microsoft and reported his findings to the company ten months ago. Unfortunately, the company did not pay any attention to the flaws and has not responded to the researcher to this very day, leaving the bugs unpatched and open to exploitation.
So it comes as no surprise that Lee released proof-of-concept (PoC) code for both vulnerabilities. Attackers will likely be quick to find ways to exploit the issues in actual attacks, since zero-day flaws open the door to a range of opportunities.
It is noteworthy that Lee’s vulnerabilities are similar to two other issues that Microsoft addressed last year in the same browsers: CVE-2018-8351 in Internet Explorer and CVE-2018-8545 in Edge.