Microsoft does not seem too concerned about the risk posed by unpatched Internet Explorer and Edge vulnerabilities for which proof-of-concept (PoC) exploits were recently made public.
Researcher James Lee last week published PoC exploits for same-origin policy (SOP) bypass vulnerabilities affecting Microsoft’s Internet Explorer and Edge web browsers. He said he had reported his findings to the company 10 months ago, but received no reply and the flaws remain unpatched.
“The issue described does not meet our criteria for servicing and requires an attacker to convince a victim to visit a malicious website,” a Microsoft spokesperson told SecurityWeek. “We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”
The company has pointed users who may be concerned about these vulnerabilities to its online safety resources.
SOP is a mechanism designed to prevent websites from interacting with each other. However, Lee discovered flaws that can be exploited by a malicious site to obtain information from the URL of another website opened by a user.
Microsoft is not concerned about the impact of these vulnerabilities as it says the only type of information exposed via this method is the URL of a frame inside the same document.
Trend Micro has also conducted an analysis of the flaws and described them as “potentially very serious.”
“Examples of vulnerable information that might be stored in the URL include cookies, sessionIDs, usernames, passwords, and OAUTH tokens, either in plaintext or hash form,” the security firm explained. “OAUTH is a way of authorizing third party applications to login to users’ online accounts, and has a history of being abused. Any sensitive information included in the URL of a website could be collected using these vulnerabilities.”
This was not the first time a researcher disclosed a SOP bypass flaw in Microsoft’s browsers after the company failed to release a patch.
In the meantime, Lee also disclosed a Content Security Policy (CSP) bypass vulnerability in Edge, but it’s unclear if Microsoft has been made aware of its existence and if it plans on patching it.