Zero-day flaws in Microsoft’s browsers made public still remain unpatched
- The vulnerabilities discovered were affecting Internet Explorer and Microsoft Edge browsers.
- Attackers could abuse these flaws through techniques such as universal cross-site scripting.
Two zero-day vulnerabilities and their proofs-of-concept (PoCs) were released by a security researcher last week. The flaws exist in well-known browsers Internet Explorer and Microsoft Edge running on latest versions.
Researcher James Lee has disclosed them after Microsoft failed to respond to any of his queries regarding the flaws. The technical details were shared with The Hacker News (THN) upon request.
What is the flaw?
- Lee told THN that the flaw existed in the network timing of the applications. “The issue is within Resource Timing Entries in Microsoft Browsers which inappropriately leak Cross-Origin URLs after redirection,” stated Lee.
- An attacker could launch universal cross-site scripting (UXSS) attacks as a result.
- Malicious websites opened on Internet Explorer and Microsoft Edge could allow attackers to steal sensitive data from users.
- Lee had been contacting Microsoft from the past ten months but the tech giant refused to acknowledge the holes and remediate them.
- The researcher has publicly released PoCs for these flaws on Twitter.
PoCs hold good
The PoCs were found to work on both the browsers. THN also upheld the same. “The Hacker News has independently tested and confirmed both the zero-day vulnerabilities against the latest version of Internet Explorer and Edge running on a fully-patched Windows 10 operating system. The newly-disclosed vulnerabilities are similar to the ones Microsoft patched last year in its Internet Explorer (CVE-2018-8351) and Edge browsers (CVE-2018-8545),” THN reported.
Users are advised to use other browsers such as Chrome or Firefox to remain protected from this vulnerability until it has been resolved by Microsoft.