Edge web browser affected by a bug that allowed a compromised site to extract information from other open tabs


Demonstrated earlier at Google Project Zero, the vulnerability, corrected by the latest set of patches distributed through the Windows Update service, could be exploited for indirect attacks in which simply visiting a compromised website allowed an attacker to read e-mail and data entered on other legitimate websites currently open in Microsoft Edge tabs.

According to Microsoft's own explanation, the vulnerability, called Wavethrough, stems from the improper way in which Edge handles cross-origin requests. Specifically, it allowed the Same-Origin Policy (SOP) to be circumvented, so the browser fulfilled requests that would otherwise have been ignored.

At the same time, Microsoft was informed of another vulnerability, rated high-risk by Google experts. Microsoft, however, rated it only "Important" and did not consider its fix an immediate emergency. Located in an operating system component called Windows Storage Services, which is responsible for managing file transfers and data storage operations across the entire OS, the vulnerability could give applications without the necessary privileges unauthorized access to information. Still, the bug, which affects only Windows 10, is less dangerous according to Microsoft's explanations, and it cannot be exploited remotely.
