Microsoft Edge is on fire – a new security feature bypass vulnerability detected
CVE-2018-8235 is the latest Microsoft Edge vulnerability, detected by an independent security researcher in June 2018. According to Jake Archibald, the security researcher who discovered the bug accidentally, it is a seriously dangerous flaw because it can help an attacker read a victim's emails and Facebook feed without any notification.
The most worrying fact about this issue is that the vulnerability could allow same-origin policy (SOP) restrictions to be bypassed and allow requests that should otherwise be ignored. Once the attacker successfully reaches the web browser, data that is typically restricted can be sent without warning.
In this web-based attack, a hacker could use a website specifically designed to exploit the CVE-2018-8235 vulnerability through Microsoft Edge and convince the user to view the malicious site. As a result, content that is open in other browser tabs becomes vulnerable and could be retrieved without warning.
This bug allows an attacker to:
- obtain files on the targeted computer;
- bypass security controls;
- use arbitrary code;
- create certain content, which can trigger various errors.
Not the first time Microsoft Edge has dealt with a security bug
This is not the first time Microsoft has dealt with a flaw in the Edge browser. Earlier this year we covered the story about the scam related to shortcomings of the SmartScreen functionality. This time, the flaw was discovered by Project Zero and published by them after the deadline was missed and the patch was not delivered in time.
Google notified Microsoft about the vulnerability in the browser, but the company missed the 90-day disclosure deadline. As a result, the tech giant revealed details about the flaw, since it had not been fixed. While Google was communicative and gave extra time to fix the issue, the vulnerability remained after a two-week period.
The second time seems different, as an update addressing the vulnerability has already been released by Microsoft.
Firefox can also be affected
While the security bug mainly affects Microsoft Edge, Mozilla Firefox has also been found to be vulnerable. However, only the beta version was found to be susceptible to the CVE-2018-8235 bug. The company has already released a fix for this vulnerability. Meanwhile, Chrome and Safari have not been found to be affected by this bug.