Microsoft has opted not to fix a Content Security Policy (CSP) bypass in its Edge browser, a flaw researchers warn could lead to the disclosure of confidential information.

Nicolai Grødum, a researcher with Cisco Talos, disclosed details of the vulnerability, which also affects older versions of WebKit-derived browsers such as Apple Safari and Google Chrome, via the company’s blog on Wednesday.

According to Grødum, the bypass applies to pages whose CSP permits inline script through the ‘unsafe-inline’ keyword in the script-src (or default-src) directive. The policy is set by the site in a response header, not by the browser, so the attacker does not alter it; it only has to be loose enough for injected inline code to execute. From that code, the attacker calls the window.open() method to open a new, blank window and then document.write() to write content into it. In affected browsers the new document carries none of the opener’s CSP restrictions, so whatever is written there can load resources from arbitrary hosts, which is exactly what the original page’s policy was meant to prevent.

CSP is a web standard that adds a layer of defense on top of the same-origin policy: a site declares, in a response header, which sources its pages may load scripts, images and other resources from. It is designed to thwart cross-site scripting, clickjacking and data injection attacks.

The about:blank page opened this way has, in vulnerable browsers, the same origin as the document that opened it but none of that document’s CSP restrictions, which is what makes exploitation possible, according to Grødum, assuming an attacker can get a user to visit a page in which the attacker’s inline script runs.

Grødum explains the flaw, as it pertains to Edge, in the company’s vulnerability report:

“By loading a new document using window.open("", "_blank") and document.write-ing into it, (being in about:blank) an attacker can circumvent the CSP restrictions put on the document that the original page’s Javascript code was running on and reach out to other sites. One could argue that the code was loaded with unsafe-inline in the CSP header, but that should still block any cross-site communication (e.g. 1x1px tracking image etc).”

The issue exists in the most recent stable version of Microsoft’s Edge browser, 40.15063, released in April this year. The company told Cisco the way the browser’s Content Security Policy is set up is by design and that it has no plans to fix the issue.

Cisco first reported the vulnerability last November. Microsoft said it didn’t consider it a vulnerability in March, but the companies went back and forth on the issue until August, when Cisco began to coordinate a disclosure.

The fact that Microsoft isn’t rushing to fix the issue isn’t entirely a surprise. The company introduced support for CSP Level 2, the current W3C Recommendation, in Edge back in January. The third iteration of the standard, CSP3, is still technically a World Wide Web Consortium (W3C) working draft. Microsoft said it would add support for ‘strict-dynamic’ from the CSP3 specification in a future version of Edge, but it is likely waiting until the standard is final to deploy it entirely.

Users who haven’t updated Chrome, Safari or iOS in a while could be at risk as well. According to Talos, versions of Chrome prior to 57.0.2987.98 and of Safari prior to 10.1, both released in March, are still affected, and versions of iOS prior to 10.3, also released in March, are vulnerable too, Grødum warns.

According to Talos, Firefox is not affected, because when it loads a new document this way it makes that document inherit the CSP of the document that loaded it.

It’s the second issue this week that Microsoft has said publicly it won’t fix. Researchers with EnSilo warned Thursday an API dating back to Windows 2000 could be used by an attacker to sidestep security software and install malicious executables.

Microsoft told Threatpost: “Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update.”

Categories: Vulnerabilities, Web Security

Comment (1)

  1. Daniel Veditz

    Edge behavior violates the newest draft version of the Content Security Policy (3) spec. “about:blank” is a “local resource” and should inherit the policy. That behavior was not explicit in CSP2 but was a logical extension of how iframe srcdoc was handled.

