Microsoft won't patch Edge browser content security bypass

Bronze badge

Microsoft products - exploitable by design.

47
5
Silver badge

re: Microsoft products - exploitable by design.

Microsoft products - exploitable.

There fixed it for you.

{they simply don't care as long as they get all that lovely data they insist on slurping from you}

33
6

Re: re: Microsoft products - exploitable by design.

Chrome of course pure as the driven snow in this respect.

31
8
Silver badge
Big Brother

Re: re: Microsoft products - exploitable by design.

maybe the "design" HELPS with the data slurp? Is Micro-shaft getting payola for leaving this security crater as-is?

10
4
Anonymous Coward

Re: re: Microsoft products - exploitable by design.

"Chrome of course pure as the driven snow in this respect."

Compared to Microsoft, Google is saintly in the browser department.

At least there are various competent forks of Chromium if you dislike the official Google Chrome browser.

IE/Edge? Proprietary turd. And it's not even good.

16
3
Bronze badge

Re: re: Microsoft products - exploitable by design.

@Steve Davies 3

Microsoft products - exploitable.

There fixed it for you.

No. As per the quote in the article:

“Microsoft stated that this is by design and has declined to patch this issue”.

It is not shabby coding, a bug, a mistake, carelessness, they designed it to behave in this exploitable fashion and are happy it is working as designed.

4
0
Silver badge

That's the spirit!

10
0
Anonymous Coward

never learnt from the directX times

Did they ?

23
4
Silver badge

Re: never learnt from the directX times

They did, but then Sadnad disbanded their trustworthy computing group because it wasn't agile and cloudy enough.

28
4
Anonymous Coward

Re: never learnt from the directX times

"never learnt from the directX times "

Direct-X has not had many holes. Also it's still in Windows - Direct-X 12 now.

4
5
Silver badge

Re: never learnt from the directX times

Someone doesn't know their activex from their directx. Who cares? MS bad!! Bad MS!!!

12
5
Silver badge

Re: never learnt from the directX times

Someone doesn't know their activex from their directx. Who cares? MS bad!! Bad MS!!!

That's because like most Microsoft technologies, it's an ex-technology.

It's hard to keep up with what they killed off this week - either by dropping the technology or doing stupid things to it in the name of "innovation" or "cloud" or whatever the unicorn is that their strategy says they are chasing this week.

Customers - yep, many of them are ex too.

13
1
Anonymous Coward

Re: never learnt from the directX times

"never learnt from the directX times

Did they ?"

Wow, I really meant ActiveX, of course, not directX, which is MS 3D API. Can't understand how I wasn't down-voted to death here !

4
0

Re: never learnt from the directX times

We knew what you meant.

0
0
Anonymous Coward

Hmmmm

I use Firefox with NoScript. We've just started using MS Teams to run our sprint board. NoScript's ABE continually breaks MS Teams as Teams hosts content from lots of different domains on the one page. I wonder if this kind of mash up is what's driving MS to leave this vulnerability in place....

25
3
Silver badge

Re: Hmmmm

I still shudder whenever I read the term "mash up" because it inevitably winds up a different type of "**** up"...

11
0

Looks like Edge really will be the new Internet Explorer.

33
2
Silver badge
Coat

"Looks like Edge really will be the new Internet Explorer."

yeah I suspected they've been "Edging" for a while now...

7
3
Silver badge

Looks like Edge really will be the new Internet Explorer.

TBH, despite Microsoft PR's protestations, I've always just assumed that Edge is IE, merely re-skinned with a new even-more-dumbed-down UI and lots of marketing spin.

As I've said before around here, I use it to download Firefox on a new PC installation, and then remove all signs of it.

10
0

This is to support Microsoft Technical Support

How else will Microsoft Technical Support be able to pop up a browser window to let you know that your computer is infected with serious viruses and let you know the number to call to pay only $200 to fix it?

25
2
Anonymous Coward

Re: This is to support Microsoft Technical Support

Only explanation why Edge still allows any random jackass on the internet to throw a modal dialog box on the screen and jam the whole browser.

Not content with frustrating your Gran by making them call you at work for tech support, they coded the default action in Edge to auto-open up all of the pages that were open in the last session.

even if it crashed...

Crash, Alt-F4, loop, crash, loop...

There is a handy setting buried in preferences that you can turn off that won't help at all, because Edge ignores the setting completely unless Edge closes normally, which of course it can't.

So then you have to talk your Gran through hitting the command prompt to dig up:

"C:\Users\USERNAME\AppData\Local\Packages\Microsoft.MicrosoftEdge_SOMERANDOMSTRING\AC\MicrosoftEdge\User\Default\Recovery\Active" and deleting its temp files, which for some reason aren't in ANY of the various ..\TEMP folders.

Note that AppData is both a Hidden and System folder and will not be visible to normal users in File Explorer without changing settings.

I want to lock whomever is currently maintaining this code in an Escape room with nothing but a jammed up Edge browser on a windows laptop. Let's see if they can unlock it before they die of thirst when they can't just google the answer up. What was that path again? Why didn't you put it in \temp ???

No NORMAL person should be expected to fix this on their own. No SANE programmer would build it that way. None of US should have to clean up this mess.

15
0

Re: This is to support Microsoft Technical Support

Pull the network cable or disable the wifi then try. Pages should fail to load, rather than crashing, giving you the chance to close them and then shut down Edge and change the default browser.

Bit awks if you are skyping granny to talk her through this of course.

1
0
Silver badge
Linux

Re: This is to support Microsoft Technical Support

which for some reason aren't in ANY of the various ..\TEMP folders

Which shows it really is just standard IE. I recall that IE used to put its history stuff etc in a couple of locations - if you cleared out the "visible" [1] one then on the next reboot/when Windows thought you weren't looking it'd re-populate it with stuff from the even more hidden one. Which, IIRC, could not be cleared from within the OS (at least not in any normal boot, maybe in "safe mode"). Easier to fix from a live-Linux disk. Preferably by double-clicking the "Install" icon.

[1] After jumping through enough hoops that'd kill a dog-trials champ from exhaustion, IIRC

1
0

Technically Pointless

So in order to inject the blank window to take advantage of this CSP bypass :-

Scenario A. The CSP allows inline-scripting already and the app renders user content as html without really sanitising it first. (so no real need for the CSP bypass anyway)

Scenario B. You have found another CSP bypass so that you can inject the code to open a blank window (so you need a CSP bypass to then use a CSP bypass, pointless)

Scenario C. The site is served over HTTP and you have managed to set up a man in the middle, enabling you to inject content into the page directly, again, you don't really need the blank window CSP bypass because you can just remove the CSP header completely and do what you want.

Anyone got a theoretical example that works in a real situation where a properly defined CSP is in place?

5
0
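
Added example, not part of the original thread: a minimal JavaScript audit of a `Content-Security-Policy` header for the conditions named in Scenario A (inline script allowed) and Scenario C (page served over plain HTTP) of the comment above. The function names, finding labels and sample policies are assumptions made for illustration; `script-src-elem` and report-only policies are not handled.

```javascript
// Added example: policies and URLs below are constructed samples.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when every inline <script> is allowed to run under the policy.
function allowsAllInlineScript(directives) {
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true; // nothing governs scripts at all
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const strict = lower.some((s) =>
    /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  return !strict && lower.includes("'unsafe-inline'");
}

// Returns a list of finding labels (hypothetical names) for one response.
function auditCsp(pageUrl, header) {
  const findings = [];
  // Scenario C: over plain HTTP the header itself can be stripped in transit.
  if (new URL(pageUrl).protocol !== "https:") findings.push("plaintext-transport");
  if (!header || header.trim() === "") {
    findings.push("no-policy");
    return findings;
  }
  // Scenario A: the policy already permits inline script.
  if (allowsAllInlineScript(parseCsp(header))) findings.push("inline-script-allowed");
  return findings;
}

// Constructed sample responses.
const samples = [
  ["https://app.example/", "default-src 'self'; script-src 'self' 'unsafe-inline'"],
  ["https://app.example/", "script-src 'self' 'nonce-abc123' 'unsafe-inline'"],
  ["http://app.example/", "script-src 'self'"],
];
for (const [url, csp] of samples) {
  console.log(url, "|", csp, "=>", auditCsp(url, csp));
}
```

A policy that returns no findings here is the "properly defined CSP" case the comment asks about.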
FAIL

Welcome to the Windows Open A Security Hole Wizard.

Using this wizard you may open all ports, shut off firewall software, terminate anti-virus protection, install any malware desired. Simply click "Next" to begin. Or do nothing - this is Windows after all.

15
4

Like all vulnerabilities, I wonder how exploitable this vulnerability is.

Some vulnerabilities require you to be the biggest dumb @ss in the world as the only way a vulnerability could be exploited. If this one is one of those, who gives a crap.

No mention of IE. So IE was safe [for once]?

1
1
Silver badge
Pirate

"No mention of IE. So IE was safe [for once]?"

Maybe it was on the "not hip enough to warrant testing" list . Like Lynx and Mosaic. ;)

6
0
Silver badge
FAIL

how long before...

how long before someone does another "infinite popup window" "you are an idiot, ha ha ha ha ha ha" type of page, designed especially for Edge. And then... feeds it through Microsoft's ad network.

Do you think they'd fix it THEN? Yeah, probably not...

12
2
Anonymous Coward

If you're using Edge the rebranded IE

You fully deserve all the bugs and vulnerabilities of it.

7
1
Anonymous Coward

Microsoft won't fix these kinds of security bugs

But it loves to push Windows updates to you that have frivolous features e.g. Paint 3D.

Lovely priorities they have, the brilliant folks at Redmond.

7
1

"its a feature, not a bug"

As bugs are a feature of Microsoft software...

I'm confused.

5
0
Bronze badge
Black Helicopters

Required Security Hole

"By design" is nonsense if you assume that it's the spec that forced their hand.

We already know that the US government accumulates security holes. They may have just ordered Microsoft to build this one in. It would certainly explain the bizarre "by design" response.

Indeed, it may be intentionally bizarre. Perhaps they are publicly balking so that everyone will understand that they are not in control of their own destiny.

1
2

I'm sure all 12 Edge users are currently filling their nappies over this......

4
1

Perhaps lighter-shade-of-grayhat hackers should make a point of scanning for and exploiting this vulnerability to shove in users' faces how their browser (IE, Edge,) is currently being exploited and, if the exploit(er) were of a malicious bent rather than trying to alarm the user into getting a browser worthy of the name, they could be completely pwned right now.

Offer links to Wikipedia pages relevant to various ways having your PC pwned could be bad (such as identity theft, ransomware, etc,) and links to better browsers with a strong admonition that the next time they come across a website exploiting this vulnerability that Microsoft insists is a feature, not a security hole, it might be someone less kind.

1
0
Silver badge
Linux

Perhaps lighter-shade-of-grayhat hackers should make a point of scanning for and exploiting this vulnerability to shove in users' faces how their browser (IE, Edge,) is currently being exploited and, if the exploit(er) were of a malicious bent rather than trying to alarm the user into getting a browser worthy of the name, they could be completely pwned right now.

There's various forms of "computer misuse act" that can make it illegal to notify someone of an exploit on their machine if you weren't explicitly given permission to exploit the exploit.

That said, a possible defence would be to simply point the judge to MS's response and tell them that MS designed their system to be {ab}used like that.

1
0

Noscript

For the win

1
0
