Apple and Google fixes browser bugs, Microsoft not

[German]There is a security vulnerability in the Microsoft Edge browser that has been discovered by security researchers. While Apple and Google have patched a similar vulnerability, Microsoft does not want to offer an update.


A (cross-site scripting) vulnerability in the Microsoft Edge browser was discovered by Talos security researchers and described in this article. In Microsoft Edge 40.15063.0.0, content security policies (CSP) can be bypassed by a special designed web page. 

Content Security Policies (CSP)

Content Security Policies (CSPs) are actually intended to prevent information from being retrieved via other pages opened within a browser. You do not want a script to be able to access keystrokes, cookies or other information in a loaded web page that is displayed on another browser tab. Just think of a browser where an online account (mail, banking etc.) was opened in one tab and a malicious script in another tab accesses these data. .

CSP may be bypassed in Edge

Microsoft Edge has a problem – an attacker can now access such information by bypassing the CSP via a malicious web page. All he need to do is create a new document using the JavaScript function: ("","_blank")

If an attacker writes with document.write writes malicious code to the document before it is loaded, the CSP restrictions that apply to the document in which the Javascript code is executed can be bypassed. The script can suddenly access other browser pages. Actually, the CPS should prevent this cross-site scripting.


Tests from Talos showed that the Firefox browser is not affected. There was a similar vulnerability in Apple's Safari browser (CVE-2017-2419). Google Chrome was also affected by the vulnerability (CVE-2017-5033). Both companies have closed this vulnerability with updates (Google Chrome 57.0.2987.98, iOS 10.3, Safari 10.1).

The vulnerability was found in November 2016 and reported to Microsoft. It is rated with a CVSS security index of 4.3 on a scale ranging from one to 10. According to Bleeping Computer, Microsoft refuses to fix this bug, because this behavior is by design.

Cookies helps to fund this blog: Cookie settings


This entry was posted in browser, issue, Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *