Microsoft's Edge browser responds to a range of built-in protocols that attackers can abuse to bypass security restrictions, to access files and run local apps remotely without user interaction.
Edge is the default web browser in Microsoft's Windows 10 operating system. The software giant has boasted of its improved security improvements against sophisticated web-based attacks.
However, Argentinian security researcher Manuel Caballero discovered it is easy to get around Edge's security features thanks to flawed design.
Caballero embarked on his voyage of protocol discovery after clicking on a link in tweet from Microsoft's official and verified @MSEdgeDev account.
To his surprise, the link opened up the Windows Store app through Google Chrome, something that would normally require the browser requesting the user's permission before taking the action.
Further investigation by Caballero revealed that the shortened link the @MSEdgeDev account tweeted redirected to a protocol - ms-windows-store:// - that was associated with the Windows Store App in the Windows 10 registry system configuration database.
Caballero discovered other protocols in the registry that could be used to run local applications, read Windows system files, and open multiple tabs in Google Chrome, with the Edge browser.
He was also able to bypass the Edge HTML 5 sandbox security feature that restricts Javascript execution with the microsoft-edge:// protocol, and to crash the browser with the read:// protocol.
The read:// protocol could also be used to access and display files in the Windows 10 system32 directory through Edge, Caballero found.
"It’s a bad idea to let all those protocols run straight out of the box because the attack surface of Edge ends up being huge," he said.
Caballero has reported the issues to Microsoft's security response team.
