Edge of darkness
More details have emerged about a recently patched cookie-stealing bug in Microsoft Edge.
The universal cross-site scripting vulnerability (CVE-2019-1030) was discovered by security researcher Abdulrahman Al-Qabandi and patched on August 13, as part of the latest round of Patch Tuesday updates.
Microsoft admits that the recently resolved “information disclosure” bug creates a means for an attacker to bypass security controls and read cookies.
“By reading a session cookie, an attacker would be able to sign into the victim’s accounts on a different computer,” it said.
Al-Qabandi said that potential exploits for the universal cross-site scripting (UXSS) vulnerability – rated by Microsoft as having a maximum severity of “important” – go beyond basic information disclosure.
“Of course, technically this is an information disclosure as I can read from any website the potential victim is logged onto but [it’s] not the only thing I can do with such a bug,” Al-Qabandi told The Daily Swig.
“It's true I can read data, but I can also perform actions on any website the user is logged into (Twitter, Outlook, Facebook etc.) like sending an email/message/DM. So, it's not strictly an information leak.”
A full run-down of the recently resolved flaw – including proof of concept and video – can be found in a blog post published by Al-Qabandi on Friday.
Both desktop (Windows 10) and server (Windows Server 2016 and Windows Server 2019) versions of Edge are vulnerable.
Microsoft’s update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory.