≡ Menu

Apple and Google Fix Browser Bug. Microsoft Does Not.

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively. According to Cisco Talos researcher Nicolai Grodum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers. Grodum says that he found a way to bypass CSP — technical details available here — that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users’ cookies, or logging keystrokes inside the page’s forms, and others.

Read more of this story at Slashdot.

{ 0 comments… add one }

Leave a Comment

Home | About | Contact | Disclaimer | Terms | Privacy

Copyright © 2017 by Tom Connelly | All Rights Reserved