New Microsoft Edge Browser Flaw Could Leave Passwords Vulnerable

May 17, 2017 | March 1st, 2023 | Cybersecurity

Manuel Caballero has been a busy man.

If you haven’t heard of him, he’s a security researcher and blogger who made a name for himself identifying a variety of critical security flaws in the old Internet Explorer web browser. It would probably be overstating to say that he was instrumental in Internet Explorer’s eventual death, and Microsoft’s decision to try again with its new “Edge” browser, but he was certainly part of the chorus of voices expressing concerns over the old browser’s security. Now, he’s finding flaws in Microsoft Edge.

To their credit, Microsoft took the lessons they learned during the Internet Explorer days to heart and made a real effort to make Edge more robust and secure. An important part of that was the introduction of SOP, the Same Origin Policy, which is a security feature that prevents one website from loading and executing scripts that originated from a different site.

It’s a good feature, as long as it works, and therein lies the problem. Caballero recently discovered a vulnerability that allows hackers to completely circumvent SOP. This means that they can use domainless web pages, meta refresh tags and URIs to launch malicious code with an eye toward gaining varying degrees of control over your computer. He released three proof-of-concept demos of the various ways attacks could be launched and made a video demo outlining how and why they work.
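
The Same Origin Policy discussed above rests on comparing origins (scheme, host and port), and pages with no domain of their own are the edge case in that comparison. The following is an added example, not code from the original article or from Microsoft, showing the comparison failing closed for domainless URLs; the function names and sample URLs are constructed for illustration.

```javascript
// Added illustration of the standard origin comparison; not Edge's implementation.

// Derive the (scheme, host, port) origin from a URL string.
// Returns null when the URL has no domain of its own (about:, data:) or
// cannot be parsed. Such documents have no tuple origin to compare.
function tupleOrigin(urlString) {
  try {
    // The WHATWG URL API serialises an opaque origin as the string "null".
    const origin = new URL(urlString).origin;
    return origin === "null" ? null : origin;
  } catch (err) {
    return null; // unparsable input is treated like an opaque origin
  }
}

// Decide whether two documents may be treated as same-origin.
// A real browser gives about:blank the origin of the document that created
// it, so the URL alone cannot settle the question. This check fails closed:
// an opaque origin matches nothing, not even another opaque origin.
function isSameOrigin(a, b) {
  const oa = tupleOrigin(a);
  const ob = tupleOrigin(b);
  if (oa === null || ob === null) return false;
  return oa === ob;
}

// Constructed sample pairs: [document URL, target URL].
const SAMPLE_PAIRS = [
  ["https://bank.example/", "https://bank.example:443/login"], // default port
  ["http://bank.example/", "https://bank.example/"],           // scheme differs
  ["https://bank.example/", "https://ads.bank.example/"],      // host differs
  ["https://bank.example/", "https://bank.example:8443/"],     // port differs
  ["about:blank", "https://bank.example/"],                    // domainless page
  ["data:text/html,hello", "data:text/html,hello"],            // two opaque origins
];

// Evaluate every pair and return the decisions in order.
function evaluatePairs(pairs) {
  return pairs.map(([a, b]) => ({ a, b, allowed: isSameOrigin(a, b) }));
}

for (const { a, b, allowed } of evaluatePairs(SAMPLE_PAIRS)) {
  console.log(`${allowed ? "ALLOW" : "DENY "} ${a} -> ${b}`);
}
```
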

Of particular interest is the fact that attacks like these can be automated via malvertising, or malicious advertising that delivers poisoned JavaScript code to browsers. Using an ad-based platform like this, a hacker can infect thousands of individual users at a time.

Microsoft has been made aware of the issue, but at this time, it remains unpatched, and the company has not given an ETA on when they’ll have a fix ready. Bear that in mind if you use Microsoft Edge at home or in your office.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He is a past member of the Entrepreneurs’ Organization and a current member of the New Jersey Power Partners and the Executive Association of New Jersey, where he previously served on the board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.