Two Zero-Day Flaws in Edge and Internet Explorer Remain Unpatched


Two unpatched zero-day vulnerabilities lurk in Microsoft Edge and Internet Explorer, and there’s even proof-of-concept code available.

The flaws were discovered by 20-year-old security researcher James Lee, and they could allow a malicious website to perform universal cross-site scripting attacks against any domain visited via the above-mentioned web browsers.




Researcher Finds Vulnerabilities in Microsoft’s Browsers, Microsoft Does Not Patch Them

The two vulnerabilities, which affect the latest versions of Internet Explorer and Edge, could allow a remote attacker to bypass the same-origin policy on vulnerable browsers.

What is the Same-Origin Policy (SOP)? In short, SOP is a crucial concept in the web application security model. Under this policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

How can the vulnerabilities in the two browsers be exploited? To exploit the flaws, an attacker would have to trick the potential victim into opening a malicious website.

In a conversation over email with The Hacker News, Lee said that “the issue is within Resource Timing Entries in Microsoft Browsers which inappropriately leak Cross-Origin URLs after redirection.”
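
As an added example (not code from the article or from the researcher's proof-of-concept), the JavaScript below shows the origin comparison behind SOP and a check a tester could run over Resource Timing entry names. It assumes the expected behaviour is that an entry's name stays the URL the page originally requested; `findCrossOriginLeaks` and all URLs are hypothetical, constructed samples.

```javascript
// Added example. All names and URLs here are constructed for illustration.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (scheme, host, port) tuple of a URL.
// The URL parser reports an empty port when the scheme default is used,
// so the default is filled in before comparing.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Two URLs are same-origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical tester's check: given the page URL, the URLs the page
// itself requested, and the names reported by its Resource Timing
// entries, return every reported name that the page never requested
// and that belongs to another origin. Assumption: a correct browser
// reports only the originally requested URL, so any hit means a
// post-redirect cross-origin URL was disclosed to the page.
function findCrossOriginLeaks(pageUrl, requestedUrls, entryNames) {
  const asked = new Set(requestedUrls.map((r) => new URL(r).href));
  return entryNames.filter((name) => {
    const href = new URL(name).href;
    return !asked.has(href) && !sameOrigin(pageUrl, href);
  });
}

// Constructed sample data: the page asked for two resources, but the
// entry list contains a third URL on a different origin.
const samplePage = "https://app.example/dashboard";
const sampleRequested = [
  "https://cdn.example/pixel.gif",
  "https://app.example/static/app.js",
];
const sampleEntries = [
  "https://cdn.example/pixel.gif",
  "https://app.example/static/app.js",
  "https://accounts.example/session?user=alice",
];

console.log(findCrossOriginLeaks(samplePage, sampleRequested, sampleEntries));
```
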


The researcher got in touch with Microsoft and reported his findings to the company ten months ago. Unfortunately, the company did not pay any attention to the flaws and hasn’t responded to the researcher to this very day, leaving the bugs unpatched and open to exploit.

So, it comes as no surprise that Lee released proof-of-concept (PoC) code for both vulnerabilities. Attackers will likely be quick to find ways to exploit the issues in actual attacks – zero-day flaws open the door to a range of opportunities.

It is noteworthy that Lee’s vulnerabilities are similar to two other issues that were addressed by Microsoft last year in the same browsers: Internet Explorer (CVE-2018-8351) and Edge browsers (CVE-2018-8545).

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
