Microsoft products - exploitable by design.
Microsoft won't patch Edge browser content security bypass
Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch? Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft". Grødum posted news of Microsoft' …
COMMENTS
Thursday 7th September 2017 16:33 GMT Anonymous Coward
Re: re: Microsoft products - exploitable by design.
"Chrome of course pure as the driven snow in this respect."
Compared to Microsoft, Google is saintly in the browser department.
At least there are various competent forks of Chromium if you dislike the official Google Chrome browser.
IE/Edge? Proprietary turd. And it's not even good.
Friday 8th September 2017 08:07 GMT eldakka
Re: re: Microsoft products - exploitable by design.
@Steve Davies 3
Microsoft products - exploitable.
There fixed it for you.
No. As per the quote in the article:
“Microsoft stated that this is by design and has declined to patch this issue”.
It is not shabby coding, a bug, a mistake, carelessness, they designed it to behave in this exploitable fashion and are happy it is working as designed.
Thursday 7th September 2017 16:35 GMT Dwarf
Re: never learnt from the directX times
Someone doesn't know their activex from their directx. Who cares? MS bad!! Bad MS!!!
That's because like most Microsoft technologies, it's an ex-technology.
It's hard to keep up with what they killed off this week - either by dropping the technology or doing stupid things to it in the name of "innovation" or "cloud" or whatever the unicorn is that their strategy says they are chasing this week.
Customers - yep, many of them are ex too.
Thursday 7th September 2017 08:00 GMT Anonymous Coward
Hmmmm
I use Firefox with NoScript. We've just started using MS Teams to run our sprint board. NoScript's ABE continually breaks MS Teams as Teams hosts content from lots of different domains on the one page. I wonder if this kind of mash up is what's driving MS to leave this vulnerability in place....
Thursday 7th September 2017 21:30 GMT David 132
Looks like Edge really will be the new Internet Explorer.
TBH, despite Microsoft PR's protestations, I've always just assumed that Edge is IE, merely re-skinned with a new even-more-dumbed-down UI and lots of marketing spin.
As I've said before around here, I use it to download Firefox on a new PC installation, and then remove all signs of it.
Thursday 7th September 2017 19:11 GMT Anonymous Coward
Re: This is to support Microsoft Technical Support
Only explanation why Edge still allows any random jackass on the internet to throw a modal dialog box on the screen and jam the whole browser.
Not content with frustrating your Gran by making them call you at work for tech support, they coded the default action in Edge to auto-open up all of the pages that were open in the last session.
even if it crashed...
Crash, Alt-F4, loop, crash, loop...
There is a handy setting buried in preferences that you can turn off that won't help at all, because Edge ignores the setting completely unless Edge closes normally, which of course it can't.
So then you have to talk your Gran through hitting the command prompt to dig up:
"C:\Users\USERNAME\AppData\Local\Packages\Microsoft.MicrosoftEdge_SOMERANDOMSTRING\AC\MicrosoftEdge\User\Default\Recovery\Active" and deleting its temp files, which for some reason aren't in ANY of the various ..\TEMP folders.
Note that AppData is both a Hidden and System folder and will not be visible to normal users in File Explorer without changing settings.
I want to lock whomever is currently maintaining this code in an escape room with nothing but a jammed up Edge browser on a Windows laptop. Let's see if they can unlock it before they die of thirst when they can't just google the answer up. What was that path again? Why didn't you put it in \temp ???
No NORMAL person should be expected to fix this on their own. No SANE programmer would build it that way. None of US should have to clean up this mess.
Saturday 9th September 2017 09:51 GMT mistersaxon
Re: This is to support Microsoft Technical Support
Pull the network cable or disable the wifi then try. Pages should fail to load, rather than crashing, giving you the chance to close them and then shut down Edge and change the default browser.
Bit awks if you are skyping granny to talk her through this of course.
Sunday 10th September 2017 00:33 GMT Kiwi
Re: This is to support Microsoft Technical Support
"which for some reason aren't in ANY of the various ..\TEMP folders"
Which shows it really is just standard IE. I recall that IE used to put its history stuff etc in a couple of locations - if you cleared out the "visible"[1] one then on the next reboot/when Windows thought you weren't looking it'd re-populate it with stuff from the even more hidden one. Which, IIRC, could not be cleared from within the OS (at least not in any normal boot, maybe in "safe mode"). Easier to fix from a live-Linux disk. Preferably by double-clicking the "Install" icon.
[1] After jumping through enough hoops that'd kill a dog-trials champ from exhaustion, IIRC
Thursday 7th September 2017 12:25 GMT billynomates3
Technically Pointless
So in order to inject the blank window to take advantage of this CSP bypass :-
Scenario A. The CSP allows inline-scripting already and the app renders user content as html without really sanitising it first. (so no real need for the CSP bypass anyway)
Scenario B. You have found another CSP bypass so that you can inject the code to open a blank window (so you need a CSP bypass to then use a CSP bypass, pointless)
Scenario C. The site is served over HTTP and you have managed to set up a man in the middle, enabling you to inject content into the page directly, again, you don't really need the blank window CSP bypass because you can just remove the CSP header completely and do what you want.
Anyone got a theoretical example that works in a real situation where a properly defined CSP is in place?
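The scenarios above boil down to two defender-side checks: does the policy already permit inline scripts (Scenario A), and is the page delivered over plain HTTP so the header can simply be stripped (Scenario C)? The following is an added example written for this page, not code from the article, Cisco Talos or any commenter; the policy strings in it are constructed samples and `audit_csp` is a hypothetical helper name.

```python
"""Audit a Content-Security-Policy header for the weaknesses that make a
CSP bypass moot: inline scripts already allowed, or no TLS protecting the header.
Added example; the sample policies are constructed, not taken from a real site."""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Turn "script-src 'self'; object-src 'none'" into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if parts:
            # Browsers honour the first occurrence of a directive and ignore repeats.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """script-src falls back to default-src; with neither, scripts are unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_csp(header: str, served_over_https: bool = True) -> List[str]:
    """Return a list of findings; an empty list means none of the checks fired."""
    findings: List[str] = []
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        findings.append("no script-src or default-src: scripts are unrestricted")
    else:
        lowered = [s.lower() for s in sources]
        # CSP Level 2: when a nonce or hash source is present, 'unsafe-inline' is ignored,
        # so it only counts as a weakness when it stands alone.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
        )
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            findings.append("Scenario A: inline scripts allowed, injected markup runs without any bypass")
        if "*" in lowered or "http:" in lowered or any(s.startswith("http://") for s in lowered):
            findings.append("script-src permits wildcard or plaintext-HTTP script origins")
    if not served_over_https:
        findings.append("Scenario C: page served over HTTP, an on-path attacker can drop the header itself")
    return findings


if __name__ == "__main__":
    for policy in ("default-src 'self'; script-src 'self' 'unsafe-inline'",
                   "default-src 'self'; script-src 'self' 'nonce-c0nstructed' 'unsafe-inline'",
                   "img-src *"):
        print(policy, "->", audit_csp(policy))
```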
Thursday 7th September 2017 13:04 GMT Gis Bun
Like all vulnerabilities, I wonder how exploitable this vulnerability is.
Some vulnerabilities require you to be the biggest dumb @ss in the world as the only way a vulnerability could be exploited. If this one is one of those, who gives a crap.
No mention of IE. So IE was safe [for once]?
Thursday 7th September 2017 19:01 GMT Bucky 2
Required Security Hole
"By design" is nonsense if you assume that it's the spec that forced their hand.
We already know that the US government accumulates security holes. They may have just ordered Microsoft to build this one in. It would certainly explain the bizarre "by design" response.
Indeed, it may be intentionally bizarre. Perhaps they are publicly balking so that everyone will understand that they are not in control of their own destiny.
Friday 8th September 2017 03:00 GMT ShadowDragon8685
Perhaps lighter-shade-of-grayhat hackers should make a point of scanning for and exploiting this vulnerability to shove in users' faces how their browser (IE, Edge,) is currently being exploited and, if the exploit(er) were of a malicious bent rather than trying to alarm the user into getting a browser worthy of the name, they could be completely pwned right now.
Offer links to Wikipedia pages relevant to various ways having your PC pwned could be bad (such as identity theft, ransomware, etc,) and links to better browsers with a strong admonition that the next time they come across a website exploiting this vulnerability that Microsoft insists is a feature, not a security hole, it might be someone less kind.
Sunday 10th September 2017 00:50 GMT Kiwi
"Perhaps lighter-shade-of-grayhat hackers should make a point of scanning for and exploiting this vulnerability to shove in users' faces how their browser (IE, Edge,) is currently being exploited and, if the exploit(er) were of a malicious bent rather than trying to alarm the user into getting a browser worthy of the name, they could be completely pwned right now."
There's various forms of "computer misuse act" that can make it illegal to notify someone of an exploit on their machine if you weren't explicitly given permission to exploit the exploit.
That said, a possible defence would be to simply point the judge to MS's response and tell them that MS designed their system to be {ab}used like that.