Microsoft Edge bug allows attackers to read emails and Facebook feed

by Alice Woods - - 2018-06-22

Microsoft Edge is on fire – a new security feature bypass vulnerability detected

CVE-2018-8235 is a new security feature bypass vulnerability CVE-2018-8235 — security feature bypass bug in Edge that needs patching

CVE-2018-8235 — the latest Microsoft Edge vulnerability detected by an independent security researcher in June 2018. According to the security researcher Jake Archibald who discovered the bug accidentally,^[1] it is a seriously dangerous flaw as it can help the attacker read victim's emails and Facebook feed without any notification.

The most worrying fact related to this issue is that this vulnerability could allow the browser to bypass SOP^[2] restrictions and requests that should be ignored. When the attacker successfully reaches the web browser, data which is typically restricted can be sent without warning.

In this web-based attack, a hacker could use a specific website designed to exploit CVE-2018-8235 vulnerability through Microsoft Edge and convince the user to view the malicious site. As a result, content which is opened on other browser tabs becomes vulnerable and could be retrieved without warning.

This bug allows to:

obtain files on the targeted computer;
bypass security controls;
use arbitrary codes^[3];
create certain content, which can trigger various errors.

Not the first time Microsoft Edge is dealing with the security bug

It is not the first time Microsoft dealing with the flaw in Edge browser. Earlier this year^[4] we covered the story about the scam related to shortcomings of the SmartScreen functionality. This time, the flaw was discovered by Project Zero^[5] and published by them after a deadline was missed and patching not done in time.

Google notified Microsoft about the vulnerability in the browser, but the company missed the 90-day disclosure deadline. As a result, tech giant revealed details about this flaw since it was not fixed. While Google was communicative and gave extra time to fix the issue, the vulnerability remained after two weeks period.

The second time seems different as the update addressing the vulnerability has already been presented by Microsoft.^[6]

Firefox can also be affected

While the security bug is mainly affecting Microsoft Edge, Mozilla Firefox had also been found to be vulnerable. However, only beta version was discovered to be sensitive for the CVE-2018-8235 bug. The company has already released a fix for this vulnerability. In the meanwhile, Chrome and Safari haven't been found to have any relations to this bug.

About the author

Alice Woods - Likes to teach users about virus prevention

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.

Contact Alice Woods
About the company Esolutions

References

^ Jake Archibald. I discovered a browser bug. Jake Archibal. Google Chrome security blog.
^ Bypassing Same Origin Policy (SOP). Infosec institute. Security training.
^ Arbitrary code execution. Wikipedia. The free encyclopedia.
^ Milena Dimitrova. Microsoft Fails to Fix Edge Bug on Time – Google Makes It Public. Sensor tech forum. Security and technology forum.
^ Project Zero. Project Zero. Google security team.
^ CVE-2018-8235 | Microsoft Edge Security Feature Bypass Vulnerability. Microsoft Security TechCenter.