A security researcher has recently disclosed two significant zero-day vulnerabilities affecting Microsoft’s web browsers—Internet Explorer and Edge. These flaws, left unaddressed by Microsoft after a responsible private disclosure nearly a year ago, allow attackers to bypass the same-origin policy, exposing sensitive user data and enabling potentially harmful exploits.
The vulnerabilities affect both browsers running on a fully patched version of Windows 10. The same-origin policy (SOP) is a core web security measure that restricts web pages from interacting with resources on different origins. By circumventing it, malicious actors could perform universal cross-site scripting (UXSS) attacks, compromising data integrity for users navigating various sites.
James Lee, the 20-year-old researcher behind the disclosure, noted that the vulnerabilities stem from issues with Resource Timing Entries in Microsoft’s browsers, which improperly leak cross-origin URLs following redirection. This lapse can be exploited via a specially crafted malicious website, which, when opened by a victim, enables the attacker to exfiltrate sensitive information such as cookies and login sessions from other sites visited within the same browsing session.
Lee first reported these vulnerabilities to Microsoft ten months ago, but the company has yet to take action to mitigate the risks posed. As the details and proof-of-concept (PoC) exploits are now publicly available, the risk escalates for Microsoft users, as attackers may quickly develop strategies to exploit these weaknesses.
The recent revelations echo previous vulnerabilities, such as CVE-2018-8351 and CVE-2018-8545, which Microsoft addressed last year. The ongoing uncertainty surrounding these new flaws serves as a reminder of the need for robust cybersecurity measures. Until Microsoft issues a patch, users may need to consider switching to alternative browsers such as Chrome or Firefox, which are not impacted by these vulnerabilities.
With these weaknesses open to exploitation, businesses must remain vigilant. In MITRE ATT&CK terms, the applicable tactics likely include initial access via malicious websites and taking advantage of software that remains vulnerable. The failure to address these vulnerabilities emphasizes the importance of proactive cybersecurity strategies in protecting sensitive data from potential breaches.
As the cybersecurity landscape continues to evolve, awareness and adaptability remain crucial for businesses. Keeping browsers up to date and scrutinizing security updates can be vital in mitigating risks associated with such vulnerabilities. It is essential for organizations to consider the implications of these vulnerabilities and implement preventative measures to safeguard against potential exploits.