Microsoft won't patch Edge browser content security bypass
Tells Cisco's Talos it's a feature, not a bug. Apple and Google disagree and fixed it
Which of Google, Apple and Microsoft think a content security bypass doesn't warrant a browser patch?
Thanks to Cisco Talos security bod Nicolai Grødum, who found the cross-site scripting bug that affects older Chrome and Safari plus current versions of Edge, we know the answer is "Microsoft".
Grødum posted news of Microsoft's attitude here, explaining that if you use Chrome 57.0.2987.98 or later, you're already protected against CVE-2017-5033. Ditto users of iOS later than 10.3 and Safari later than 10.1, who are spared the ravages of CVE-2017-2419. However, Talos writes, “Microsoft stated that this is by design and has declined to patch this issue”.
The bug/feature is that the browser mishandles
about:blank in a way that lets an attacker:
- Set Content-Security-Policy (CSP) to allow inline script code (the “unsafe-inline” directive);
- Use window.open() to open a new blank window; and
- Call document.write to write code into the blank window object, in a way that bypasses CSP restrictions.
about:blank has the same origin as the loading document, but without the CSP restrictions.
As Talos explains, the CSP specification is clear that “restrictions should be inherited” – whatever restrictions apply to an origin page should also apply to pages opened from it. ®
- Internet Explorer
- Microsoft 365
- Microsoft Build
- Microsoft Edge
- Microsoft Office
- Microsoft Surface
- Microsoft Teams
- Office 365
- Patch Tuesday
- SQL Server
- Visual Studio
- Visual Studio Code
- Windows 10
- Windows 11
- Windows 7
- Windows 8
- Windows Server
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2013
- Windows Server 2016
- Windows XP
- Xbox 360