Redmond yet to patch the vulnerability, researcher says

Apr 25, 2017 08:00 GMT

Microsoft has put a lot of effort into making the Edge browser more secure with the release of the Windows 10 Creators Update, but vulnerabilities still exist and, what’s worse, the company itself doesn’t seem to be in a hurry to fix them.

The latest such flaw was discovered by security researcher Manuel Caballero, who came across a bug in Microsoft Edge’s same origin policy (SOP) that makes it possible for attackers not only to gain control of accounts on services such as Twitter, but also to steal victims’ passwords.

In a lengthy write-up published recently, Caballero explains that the bug in SOP (a security feature that prevents a website from accessing data managed by another website) allows malicious code to run in the context of another site through a series of steps that begin with the victim clicking a malicious link.

As Tom’s Hardware notes, data uniform resource identifiers (URIs), meta refresh tags, and “about:blank” pages are combined to make the exploit work, and in one scenario the researcher managed to execute malicious code on Bing and then take over the user’s Twitter account to post on their behalf.
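To make the SOP discussion concrete, here is an added example (not code from the article or from Caballero’s write-up) that computes and compares origins the way the same origin policy does, using Node’s built-in WHATWG `URL` class. The sample URLs are constructed for illustration. It shows the two details that matter in this story: a default port does not change the origin, and `data:` and `about:blank` URLs have no origin tuple at all (the parser reports `null`), so what a browser lets such a document read depends on how the browser assigns it an inherited origin rather than on the URL itself.

```javascript
// Added example (not from the article or the researcher's write-up):
// computing and comparing origins as the same-origin policy does.
// Node's global URL class implements the WHATWG URL standard.

// Origin of a URL, serialised as scheme://host[:port] for "tuple" origins,
// or the string 'null' for opaque origins (data:, about:blank, ...).
function originOf(rawUrl) {
  return new URL(rawUrl).origin;
}

// True only when both URLs have a tuple origin and the tuples match.
// An opaque origin is never same-origin with anything, not even itself.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === 'null' || ob === 'null') return false;
  return oa === ob;
}

// Describe a navigation target for review or logging: does it carry a
// real origin, or is it opaque (and therefore gets whatever origin the
// browser assigns it, e.g. inherited from the opener for about:blank)?
function describeOrigin(rawUrl) {
  const o = originOf(rawUrl);
  return o === 'null'
    ? { url: rawUrl, origin: null, opaque: true }
    : { url: rawUrl, origin: o, opaque: false };
}

// Constructed sample inputs (not taken from the page)
const samples = [
  'https://www.bing.com/search?q=edge',
  'https://www.bing.com:443/other/path', // explicit default port
  'http://www.bing.com/',                // different scheme
  'https://twitter.com/',
  'data:text/html,hello',
  'about:blank',
];

for (const s of samples) console.log(describeOrigin(s));
console.log(isSameOrigin(samples[0], samples[1])); // true: port 443 is https default
console.log(isSameOrigin(samples[0], samples[2])); // false: scheme differs
console.log(isSameOrigin(samples[4], samples[4])); // false: opaque origin
```

The practical takeaway for anyone reviewing a web application: a document loaded from `data:` or `about:blank` has no origin of its own, so any code that treats such a frame as "clearly not us" (or "clearly us") based on its URL alone is reasoning about the wrong thing.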

A successful attack also abuses the Edge password manager, which lets users save their passwords and have them automatically inserted into login forms whenever they visit a trusted website. Using such malicious links, attackers can steal the autofilled password, Caballero warns.

Patch not yet available

While at first glance it all sounds pretty simple, a successful exploit requires the victim to click a malicious link, so the first thing you should do to remain protected is to avoid opening links from sources you don’t trust. The security researcher says that the exploit could be delivered through malvertising campaigns, exposing many more Edge users to having their passwords stolen.

Microsoft has yet to patch the vulnerability, and in a statement to Tom’s Hardware the company offered only vague details on whether it plans to ship a fix. The next Patch Tuesday takes place on May 9, and that is the date when a patch for the Edge vulnerability is most likely to be pushed to Windows clients.

“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule,” Microsoft was quoted as saying.