The vulnerability has been found in Microsoft Edge too

Sep 7, 2017 08:42 GMT

Cisco’s security research group Talos has disclosed a security vulnerability affecting several of the major browsers in use today, including Google Chrome, Apple Safari, and Microsoft Edge.

But as opposed to Google and Apple, who have already patched the flaw in their browsers, Microsoft says it won’t deliver a fix because this “is by design” and an update is not needed.

Specifically, Nicolai Grødum of Cisco reported the bug, which is tracked as CVE-2017-5033 for Google Chrome and CVE-2017-2419 for Apple Safari and affects older versions of both. To remain protected you need Chrome 57.0.2987.98 or later, Safari 10.1, or iOS 10.3. In Microsoft Edge the bug was confirmed in version 40.15063 and, with no patch planned, newer versions remain affected as well.

Information disclosure vulnerability

The security flaw resides in the way the browser handles about:blank. A document that a page creates at about:blank (for example a frame the page opens) is supposed to inherit the creating page’s Content Security Policy, but in the affected browsers script placed in such a document could run without that policy being enforced. An attacker who can inject markup into a CSP-protected page can therefore route the payload through about:blank and turn an injection the policy should have blocked into working XSS, exposing data the policy was meant to protect. Information disclosure vulnerabilities aren’t as critical as RCE flaws, but Talos warns that without a patch, confidential details could be stolen if the attacker manages to bypass the Content Security Policy set by the server.

“XSS attacks that may allow an attacker to exfiltrate confidential data and even take over a user account are considered a serious issue. Content Security Policy is specifically designed with XSS attack prevention in mind and allows the server to whitelist trusted resources that are trusted to be safely executed by a web browser,” Talos explains, emphasizing that with this vulnerability, attackers could bypass the CSP and steal information they weren’t originally allowed to access.

It remains to be seen whether Microsoft changes its mind and ships a patch for this vulnerability, but in the meantime, no matter which browser you use, you should install the latest version as soon as possible to make sure you aren’t exposed. Since no fixed Edge build exists, site operators should not treat CSP as their only XSS defense for Edge users; it remains a mitigation layered on top of proper output encoding and input validation, not a replacement for them.