0-day vulnerabilities in IE and Edge

Current versions of Internet Explorer and Edge have 0-day cross-site scripting vulnerabilities that attackers can exploit to steal data from other tabs. Although the vulnerabilities were reported to the company 10 months ago, Microsoft hasn't reacted, so there are no patches.



The Hacker News reported in this article on the discovery by 20-year-old security researcher James Lee, who shared his findings with the site. Lee published details and a proof-of-concept exploit for two "unpatched" zero-day vulnerabilities in Microsoft's web browsers. Lee had informed Microsoft before the release. However, the company allegedly did not respond to his private disclosure 10 months ago.


Same Origin Policy (SOP) violated

The 0-day vulnerabilities (since no patch is available yet) affect the latest version of Microsoft Internet Explorer and the latest Edge Browser. The vulnerabilities allow a remote attacker to bypass the Same Origin Policy (SOP) in the victim's web browser.

Same Origin Policy (SOP) is a security feature implemented in modern browsers that prevents a web page or script loaded from one origin from interacting with a resource from another origin, and so prevents independent websites from interfering with each other. When you visit a website using a web browser, SOP ensures that only data of the same origin [domain] can be requested. This prevents a website loaded in another browser tab from accessing data from other websites.
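As an added illustration (not code from the original article or from the researcher's PoC), the following JavaScript shows the origin comparison that SOP is built on: two URLs share an origin only if scheme, host and port all match. The URLs are constructed samples, and browser features that relax the rule (CORS, document.domain) are left out.

```javascript
// Added illustration: origin comparison as the Same Origin Policy defines it.
// All URLs below are constructed sample values, not taken from the article.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the (scheme, host, port) tuple, or null for an opaque origin
// (data:, about:, file: ...), which never matches any other origin.
function originTuple(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname, // already lowercased by the URL parser
    port: u.port || DEFAULT_PORTS[u.protocol], // empty string means default port
  };
}

// True only when scheme, host and port are all identical.
function isSameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// For one page, mark which resources its scripts may read under SOP.
function classify(pageUrl, resourceUrls) {
  return resourceUrls.map((r) => ({
    resource: r,
    readable: isSameOrigin(pageUrl, r),
  }));
}

const page = "https://bank.example/account";
const results = classify(page, [
  "https://bank.example:443/api/balance", // same: explicit default port
  "https://BANK.example/api/balance",     // same: host is case-insensitive
  "http://bank.example/api/balance",      // cross: different scheme
  "https://login.bank.example/session",   // cross: different host (subdomain)
  "https://bank.example:8443/api",        // cross: different port
  "data:text/html,<p>x</p>",              // cross: opaque origin
]);
for (const r of results) {
  console.log(r.readable ? "same " : "cross", r.resource);
}
```

A UXSS bug is dangerous because it makes the browser behave as if this check had returned true for origins where it must return false.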

It is exactly this Same Origin Policy that does not work in these browsers. The 0-day vulnerabilities could allow a malicious website to perform universal cross-site scripting (UXSS) attacks on any domain visited with Microsoft's web browsers. Online banking, logging into online accounts, everything is insecure.



To successfully exploit these vulnerabilities, attackers need only convince a victim to visit the malicious website. They can then steal the victim's sensitive data, such as login sessions and cookies from all websites visited in the same browser.

Microsoft does not respond to disclosure

Lee contacted Microsoft ten months ago and provided details. The company ignored this message and simply did not respond. No patches were available at the time of disclosure. The security researcher has released proof-of-concept (PoC) exploits. The Hacker News was able to verify both 0-day vulnerabilities with the latest versions of Internet Explorer and Edge under a fully patched Windows 10 operating system.

The newly revealed vulnerabilities are similar to those that Microsoft patched last year in its Internet Explorer (CVE-2018-8351) and Edge (CVE-2018-8545) browsers. So far, there are no cases where the vulnerabilities have been exploited. Hackers will not need long to exploit the bugs and attack Microsoft users with these browsers. All users can do is avoid these browsers and surf with Chrome or Firefox (possibly in portable versions).

