Well Microsoft seems to be living on the EDGE, when it comes to patching.
Google has found a vulnerability in Windows 10’s Edge browser, and the bad news is that this security bug has been disclosed to all before Microsoft could patch it. Ziyahan Albeniz was the Nets parker researcher who discovered the vulnerability, said it essentially involved the Same-Origin Policy or SOP security feature supported by all internet browsers.
SOP essentially functions by preventing attackers from being able to load malicious code using a link that doesn’t match the subdomain, port and protocol. Albeniz says that Edge’s SOP implementation works as intended except one case —when users are tricked into downloading a malicious HTML file on their PC and then running it. The malicious code within the HTML file would essentially be loaded using the file:// protocol whenever a user would run the file, since the file was a local one, it wouldn’t require a port value and a domain.
Since any OS file is accessible via a file:// URL within an internet browser, it allows the attacker the ability to access, collect, and ultimately steal any of the local files they want. Albeniz says that during tests he was able to steal data from local computers and send it to a remote server by executing this file in both Edge and the Mail and Calendar app. He also recorded a video of the attack, embedded below.
“There is probably no antivirus program that would recognize my file as malicious, and I could extract the files over a secure HTTPS connection,” Albeniz pointed out. “This is what makes this attack so stealthy.”
Google, through its Project Zero, notified Microsoft about a bug in November, giving the company the usual 90-day disclosure deadline.
With the three-month deadline over, the team of security analysts employed by Google tasked with finding zero-day vulnerabilities — Project Zero —went public with the details of the security flaw.
The search giant granted a 14-day extension to Microsoft after it said that the problem was complex, and it needed more time to fix it.
But, Microsoft even missed the second deadline to produce the patch of the vulnerability. However, given Edge’s small market share, the security issue was unlikely to affect too many people though it is still embarrassing for the company.
According to Albeniz, with the release of Microsoft’s June 2018 patch, the company repaired the vulnerability (CVE-2018-0871).