Click here to sign up for our newsletter & receive a £5 voucher![close]
×

Registration

Profile Informations

Login Details

or login

First name is required!
Last name is required!
First name is not valid!
Last name is not valid!
This is not an email address!
Email address is required!
This email is already registered!
Password is required!
Enter a valid password!
Please enter 6 or more characters!
Please enter 16 or less characters!
Passwords are not same!
Terms and Conditions are required!
Email or Password is wrong!

Microsoft Edge Browser Permission Backdoor Can Allow Remote Attacks To Steal Data

It has been nearly a week since security researcher John Page reported that he had found an Internet Explorer XML eXternal Entity (XXE) vulnerability. A new layer of this vulnerability has been recently discovered and the implications are far more serious. A Microsoft Edge feature may threaten Internet Explorer’s security.

The vulnerability is a XML eXternal Entity or XXE attack. The attack occurs when an XML parser processes an XML input that includes a reference to an external entity. This type of attack could lead to the unwanted disclosure of sensitive information and a slew of other issues. In Page’s demonstration, he opened a malicious MHL file with a file manager. Internet Explorer automatically uploaded several files to a remote server.

cyber security vulnerability

Page also noticed a peculiarity. When he downloaded and opened the file through Internet Explorer, information was not sent to the remote server. However, when Page downloaded the file through Microsoft Edge and opened it through Internet Explorer, the exploit worked as it was intended. This vulnerability was also tested by Mitja Kolsek the CEO of ACROS Security, and they reached the same conclusion.

The behavioral differences are due to a “classic ‘mark-of-the-Web’ situation”. Web browsers and email clients are supposed to add a “mark” to files that come from untrusted sources. The file is then opened in a sandbox or otherwise rather limited environment. Internet Explorer added the “mark-of-the-web”, but Microsoft Edge did not. According to James Forshaw of Google’s Project Zero vulnerability team, Edge instead “capability and group SIDs for the Microsoft.MicrosoftEdge_8wekyb3d8bbwe package.” Once Forshaw deleted one of Edge’s added entries, the vulnerability no longer worked.

Internet Explorer appears to be confused by Edge’s added entries. Internet Explorer was unable to read the malicious MHT’s data stream and therefore assumed that it did not include a mark-of-the-web. Kolsek noted, “An undocumented security feature used by Edge neutralized an existing, undoubtedly much more important feature (mark-of-the-web) in Internet Explorer.”

Page and other researchers reached out to Microsoft, but the company does not intend on fixing the bug any time soon. Microsoft insists that the exploit requires significant “social engineering” and therefore does not pose a serious threat. While it was initially believed that the vulnerability affected the latest version of IE on Windows 7, Windows 10, and Windows Server 2012 R1 operating systems, it now appears that it is only a threat to Windows 10 users.

We would encourage users to always practice caution when downloading and opening files. It may also not hurt to simply choose a different browser. Hopefully Microsoft’s upcoming Chromium-based version of the Microsoft Edge browser will be more secure.

Go to Source