back to article Microsoft won't patch Edge browser content security bypass

Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch? Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft". Grødum posted news of Microsoft' …

  1. eldakka Silver badge

    Microsoft products - exploitable by design.

    1. Steve Davies 3 Silver badge

      re: Microsoft products - exploitable by design.

      Microsoft products - exploitable.

      There fixed it for you.

      {they simply don't care as long as they get all that lovely data they insist on slurping from you}

      1. Alan Bourke

        Re: re: Microsoft products - exploitable by design.

        Chrome of course pure as the driven snow in this respect.

        1. Anonymous Coward
          Anonymous Coward

          Re: re: Microsoft products - exploitable by design.

          "Chrome of course pure as the driven snow in this respect."

          Compared to Microsoft, Google is saintly in the browser department.

          At least there are various competent forks of Chromium if you dislike the official Google Chrome browser.

          IE/Edge? Proprietary turd. And it's not even good.

      2. bombastic bob Silver badge
        Big Brother

        Re: re: Microsoft products - exploitable by design.

        maybe the "design" HELPS with the data slurp? Is Micro-shaft getting payola for leaving this security crater as-is?

      3. eldakka Silver badge

        Re: re: Microsoft products - exploitable by design.

        @Steve Davies 3

        Microsoft products - exploitable.

        There fixed it for you.

        No. As per the quote in the article:

        “Microsoft stated that this is by design and has declined to patch this issue”.

        It is not shabby coding, a bug, a mistake, carelessness, they designed it to behave in this exploitable fashion and are happy it is working as designed.

  2. J. R. Hartley

    That's the spirit!

  3. Anonymous Coward
    Anonymous Coward

    never learnt from the directX times

    Did they ?

    1. Dan 55 Silver badge

      Re: never learnt from the directX times

      They did, but then Sadnad disbanded their trustworthy computing group because it wasn't agile and cloudy enough.

    2. Anonymous Coward
      Anonymous Coward

      Re: never learnt from the directX times

      "never learnt from the directX times "

      Direct-X has not had many holes. Also it's still in Windows - Direct-X 12 now.

      1. sabroni Silver badge

        Re: never learnt from the directX times

        Someone doesn't know their activex from their directx. Who cares? MS bad!! Bad MS!!!

        1. Dwarf Silver badge

          Re: never learnt from the directX times

          Someone doesn't know their activex from their directx. Who cares? MS bad!! Bad MS!!!

          That's because like most Microsoft technologies, it's an ex-technology.

          Its hard to keep up with that they killed off this week - either by dropping the technology or doing stupid things to it in the name of "innovation" or "cloud" or whatever the unicorn is that their strategy says they are chasing this week.

          Customers - yep, many of them are ex too.

    3. Anonymous Coward
      Anonymous Coward

      Re: never learnt from the directX times

      "never learnt from the directX times

      Did they ?"

      Wow, I really meant ActiveX, of course, not directX, which is MS 3D API. Can't understand how I wasn't down-voted to death here !

      1. LionelHutz

        Re: never learnt from the directX times

        We knew what you meant.

  4. Anonymous Coward
    Anonymous Coward

    Hmmmm

    I use firefox with noscript. We've just started using MS teams to run our sprint board. Noscripts ABE continually breaks MS teams as teams hosts content from lots of different domains on the one page. I wonder if this kind of mash up is what's driving MS to leave this vulnerability in place....

    1. Nick Ryan Silver badge

      Re: Hmmmm

      I still shudder whenever I read the term "mash up" because it inevitably winds up a different type of "**** up"...

  5. David Lawton

    Looks like Edge really will be the new Internet Explorer.

    1. bombastic bob Silver badge
      Coat

      "Looks like Edge really will be the new Internet Explorer."

      yeah I suspected they've been "Edging" for a while now...

    2. David 132 Silver badge

      Looks like Edge really will be the new Internet Explorer.

      TBH, despite Microsoft PR's protestations, I've always just assumed that Edge is IE, merely re-skinned with a new even-more-dumbed-down UI and lots of marketing spin.

      As I've said before around here, I use it to download Firefox on a new PC installation, and then remove all signs of it.

  6. TraceyC

    This is to support Microsoft Technical Support

    How else will Microsoft Technical Support be able to pop up a browser window to let you know that your computer is infected with serious viruses and let you know the number to call to pay only $200 to fix it?

    1. Anonymous Coward
      Anonymous Coward

      Re: This is to support Microsoft Technical Support

      Only explanation why Edge still allows any random jackass on the internet to throw a modal dialog box on the screen and jam the whole browser.

      Not content with frustrating your Gran by making them call you at work for tech support, they coded the default action in Edge to auto-open up all of the pages that were open in the last session.

      even if it crashed...

      Crash, Alt-F4, loop, crash, loop...

      There is a handy setting buried in preferences that that you can turn of that won't help at all, because Edge ignores the setting completely unless Edge closes normally, which of course it can't.

      So then you have to talk you Gran through hitting the command prompt to dig up:

      "C:\Users\USERNAME\AppData\Local\Packages\Microsoft.MicrosoftEdge_SOMERANDOMSTRING\AC\MicrosoftEdge\User\Default\Recovery\Active" and deleting it's temp files, which for some reason aren't in ANY of the various ..\TEMP folders.

      Note that AppData is both a Hidden and System folder and will not be visible to normal users in File Explorer without changing settings.

      I want to lock whomever is currently maintaining this code in an Escape room with nothing but a jammed up Edge browser on a windows laptop. Let's see if they can unlock it before they die of thirst when they can't just google the answer up. What was that path again? Why didn't you put it in \temp ???

      No NORMAL person should be expected to fix this on their own. No SANE programmer would build it that way. None of US should have to clean up this mess.

      1. mistersaxon

        Re: This is to support Microsoft Technical Support

        Pull the network cable or disable the wifi then try. Pages should fail to load, rather than crashing, giving you the chance to close them and then shut down Edge and change the default browser.

        Bit awks if you are skyping granny to talk her through this of course.

      2. Kiwi Silver badge
        Linux

        Re: This is to support Microsoft Technical Support

        which for some reason aren't in ANY of the various ..\TEMP folders

        Which shows it really is just standard IE. I recall that IE used to put it's history stuff etc in a couple of locations - if you cleared out the "visible"1 one then on the next reboot/when Windows thought you weren't looking it'd re-populate it with stuff from the even more hidden one. Which, IIRC, could not be cleared from within the OS (at least not in any normal boot, maybe in "safe mode"). Easier to fix from a live-Linux disk. Preferably by double-clicking the "Install" icon.

        1 After jumping through enough hoops that'd kill a dog-trials champ from exhaustion, IIRC

  7. billynomates3

    Technically Pointless

    So in order to inject the blank window to take advantage of this CSP bypass :-

    Scenario A. The CSP allows inline-scripting already and the app renders user content as html without really sanitising it first. (so no real need for the CSP bypass anyway)

    Scenario B. You have found another CSP bypass so that you can inject the code to open a blank window (so you need a CSP bypass to then use a CSP bypass, pointless)

    Scenario C. The site is served over HTTP and you have managed to set up a man in the middle, enabling you to inject content into the page directly, again, you don't relly need the blank window CSP bypass because you can just remove the CSP header completely and do what you want.

    Anyone got a theoretical example that works in a real situation where a properly defined CSP is in place?

  8. Gnosis_Carmot
    FAIL

    Welcome to the Windows Open A Security Hole Wizard.

    Using this wizard you may open all ports, shut off firewall software, terminate anti-virus protection, install any malware desired. Simply click "Next" to begin. Or do nothing - this is Windows after all.

  9. Gis Bun

    Like all vulnerabilities, I wonder how exploitable this vulnerability is.

    Some vulnerabilities require you to be the biggest dumb @ss in the world as the only way a vulnerability could be exploited. If this one is one of those, who gives a crap.

    No mention of IE. So IE was safe [for once]?

    1. Pirate Dave
      Pirate

      "No mention of IE. So IE was safe [for once]?"

      Maybe it was on the "not hip enough to warrant testing" list . Like Lynx and Mosaic. ;)

  10. bombastic bob Silver badge
    FAIL

    how long before...

    how long before someone does another "infinite popup window" "you are an idiot, ha ha ha ha ha ha" type of page, designed especially for Edge. And then... feeds it through Microsoft's ad network.

    Do you think they'd fix it THEN? Yeah, probably not...

  11. Anonymous Coward
    Anonymous Coward

    If you're using Edge the rebranded IE

    You fully deserve all the bugs and vulnerabilities of it.

  12. Anonymous Coward
    Anonymous Coward

    Microsoft won't fix these kinds of security bugs

    But it loves to push Windows updates to you that have frivolous features e.g. Paint 3D.

    Lovely priorities they have, the brilliant folks at Redmond.

  13. adnim Silver badge

    "its a feature, not a bug"

    As bugs are a feature of Microsoft software...

    I'm confused.

  14. Bucky 2
    Black Helicopters

    Required Security Hole

    "By design" is nonsense if you assume that it's the spec that forced their hand.

    We already know that the US government accumulates security holes. They may have just ordered Microsoft to build this one in. It would certainly explain the bizarre "by design" response.

    Indeed, it may be intentionally bizarre. Perhaps they are publicly balking so that everyone will understand that they are not in control of their own destiny.

  15. Mandoscottie

    Im sure all 12 Edge users are currently filling their nappys over this......

  16. ShadowDragon8685

    Perhaps lighter-shade-of-grayhat hackers should make a point of scanning for and exploiting this vulnerability to shove in users' faces how their browser (IE, Edge,) is currently being exploited and, if the exploit(er) were of a malicious bent rather than trying to alarm the user into getting a browser worthy of the name, they could be completely pwned right now.

    Offer links to Wikipedia pages relevant to various ways having your PC pwned could be bad (such as identity theft, ransomware, etc,) and links to better browsers with a strong admonition that the next time they come across a website exploiting this vulnerability that Microsoft insists is a feature, not a security hole, it might be someone less kind.

    1. Kiwi Silver badge
      Linux

      Perhaps lighter-shade-of-grayhat hackers should make a point of scanning for and exploiting this vulnerability to shove in users' faces how their browser (IE, Edge,) is currently being exploited and, if the exploit(er) were of a malicious bent rather than trying to alarm the user into getting a browser worthy of the name, they could be completely pwned right now.

      There's various forms of "computer misuse act" that can make it illegal to notify someone of an exploit on their machine if you weren't explicitly given permission to exploit the exploit.

      That said, a possible defence would be to simply point the judge to MS's response and tell them that MS designed their system to be {ab}used like that.

  17. FlamingDeath Bronze badge

    Noscript

    For the win

  18. Dacarlo
    Coat

    Microsoft's response to everyone's concerns was...

    Edgy.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019