Manuel Caballero has been a busy man.
If you haven’t heard of him, he’s a security researcher and blogger who made a name for himself identifying a variety of critical security flaws in the old Internet Explorer web browser. It would probably be overstating to say that he was instrumental in Internet Explorer’s eventual death, and Microsoft’s decision to try again with its new “Edge” browser, but he was certainly part of the chorus of voices expressing concerns over the old browser’s security. Now, he’s finding flaws in Microsoft Edge.
To their credit, Microsoft took the lessons they learned during the Internet Explorer days to heart and made a real effort to make Edge more robust and secure. An important part of that was the introduction of SOP, the Same Origin Policy, which is a security feature that prevents one website from loading and executing scripts that originated from a different site.
It’s a good feature, as long as it works, and therein lies the problem. Cabellero recently discovered a vulnerability that allows hackers to completely circumvent SOP. This means that they can use domainless web pages, meta refresh tags and URI’s to launch malicious code with an eye toward gaining varying degrees of control over your computer.
He released three proof-of-concept demos of the various ways attacks could be launched and made a video demo outlining how and why they work.
Of particular interest is the fact that attacks like these can be automated via malvertising, or malicious advertising that delivers poisoned JavaScript code to browsers. Using an ad-based platform like this, a hacker can infect thousands of individual users at a time.
Microsoft has been made aware of the issue, but at this time, it remains unpatched, and the company has not given an ETA on when they’ll have a fix ready. Bear that in mind if you use Microsoft Edge at home or in your office.