Microsoft won't patch Edge XSS vulnerability

Content security policy bypass is 'by design'.

Cisco Talos security researchers have found a way to bypass the content security policy (CSP) defence mechanism that protects against cross-site scripting attacks in multiple web browsers.

The flaw has been patched in recent versions of Google Chrome and WebKit-based browsers (such as Apple Safari for macOS and iOS), but not in Microsoft's Edge for Windows 10.

"Microsoft stated this is by design, and has declined to patch this issue," Talos said.

CSP prevents cross-site scripting attacks by whitelisting servers that can be used as sources for client-side web application code.

To exploit the vulnerability, a web page can be coded to set the browser CSP to unsafe-inline, which allows inline scripts to run.

The web page will then load a new document with the window.open JavaScript method, adding code to it with document.write to enable cross-site communications.

Talos researcher Nicholas Grødum said while browsers such as Firefox work as per the explicit W3C specifications and inherit CSP restrictions from the loading document, Microsoft Edge does not.
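Site operators who want to confirm that their users' browsers inherit the opener's CSP into a blank document opened with window.open can host a self-test page like the one below. This is an added example, not code from the Talos advisory or from iTnews; the nonce value CHECK1 and the element ids are placeholders, and the page must be served with the CSP header shown in the comment.

```html
<!DOCTYPE html>
<!-- Added conformance check (not from the Talos advisory or the article):
     does this browser apply the opener's CSP to a window.open()'d
     about:blank document?  Serve this file with a header such as
       Content-Security-Policy: script-src 'nonce-CHECK1'
     ('CHECK1' is a placeholder; generate a fresh nonce per response).
     A conforming browser inherits that policy into the new document and
     blocks the inline script written into it, so the page reports PASS. -->
<meta charset="utf-8">
<title>CSP inheritance check</title>
<button id="run">Run check</button>
<p id="result">Not run yet.</p>
<script nonce="CHECK1">
  // about:blank opened from this page is same-origin, so an inline script
  // that executes there can set a flag on the opener; setting that flag is
  // the only thing the child script does.
  window.childScriptRan = false;

  function report(text) {
    document.getElementById('result').textContent = text;
  }

  // Run on a click so popup blockers allow window.open().
  document.getElementById('run').addEventListener('click', function () {
    window.childScriptRan = false;
    var w = window.open('about:blank');
    if (!w) {
      report('Popup blocked; allow popups for this origin and retry.');
      return;
    }
    // The two steps the article describes: open a blank document, then
    // document.write an inline script into it.
    w.document.write('<script>opener.childScriptRan = true;<\/script>');
    w.document.close();

    // Let the child document execute, then evaluate the flag.
    setTimeout(function () {
      w.close();
      if (window.childScriptRan) {
        report('FAIL: the inline script ran, so the opener CSP was not ' +
               'inherited by the opened document.');
      } else {
        report('PASS: the inline script was blocked, so the opener CSP ' +
               'was inherited by the opened document.');
      }
    }, 200);
  });
</script>
```

A browser that behaves as Firefox does in the article reports PASS; the Edge behaviour Talos described reports FAIL.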

Talos reported the vulnerability to Microsoft in November last year. Microsoft confirmed the issue in January 2017, but said in March this year that it did not consider it a vulnerability.

Cross-site scripting (XSS) is a widespread attack vector against web applications, and can be used to run malicious scripts that glean sensitive information from browsers, unbeknownst to users.

Copyright © iTnews.com.au. All rights reserved.