End users continue to reap the benefits of stiff competition in Silicon Valley. A vulnerability in the Microsoft Edge web browser was recently uncovered by none other than a Google developer advocate, Jake Archibald.
As he recounts in a June 20th blog post, Archibald found a bug in Microsoft Edge that let a malicious website read data from other websites the user was logged into. So what does this mean for Edge users?
Peering over the Edge
“It means you could visit my [proof-of-concept] site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing,” Archibald explains.
Archibald attributes this phenomenon, which he dubs the “Wavethrough” vulnerability, to a flaw in how Microsoft Edge enforced the same-origin policy and Cross-Origin Resource Sharing (CORS). When functioning as intended, the same-origin policy prevents a page from reading responses it fetches from other sites; CORS is the opt-in mechanism by which the other site's server can explicitly permit such reads, and a cross-origin response fetched without CORS is supposed to stay opaque to the page. Archibald's proof of concept abused the range requests a media element makes for an audio file: a service worker on the attacking site served the first chunk from its own origin, and the follow-up range requests were redirected to a victim site. Edge stitched the victim's cross-origin response, which it had fetched without CORS, into the same media resource and exposed the result to the attacking page. This allowed the attacking site to read content from other domains, potentially exposing a user’s most sensitive and private data.
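To make the mechanism concrete, here is an added example (written for this article, not code from Archibald's post or from Microsoft) that models the two browser-side decisions involved: whether a page may read the body of a fetched response, and whether a media element may splice several partial (range) responses into one resource. The `responseTainting` and `canSpliceRanges` functions and the `attacker.example`/`mail.example` origins are illustrative stand-ins for the Fetch specification's real logic, simplified to the cases the article discusses.

```javascript
// Added example: a simplified model of the browser-side checks behind the
// same-origin policy, CORS, and media range-request splicing. Illustrative
// code for this article, not browser or Microsoft code; Request/Response are
// reduced to the few fields needed here.

// Return the origin (scheme://host[:port]) of an absolute URL.
function originOf(url) {
  return new URL(url).origin;
}

// Decide how a page at pageOrigin may treat a response to `url` fetched with
// the given mode. Returns one of:
//   "basic"  - same-origin, body readable
//   "cors"   - cross-origin but the server opted in, body readable
//   "opaque" - cross-origin without CORS, body hidden from the page
//   "error"  - the fetch must fail
function responseTainting(pageOrigin, url, mode, responseHeaders, credentials = false) {
  const target = originOf(url);
  if (target === pageOrigin) return "basic";            // no CORS needed
  if (mode === "no-cors") return "opaque";               // allowed, but unreadable
  if (mode !== "cors") return "error";                   // e.g. mode "same-origin"
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return "error";                // server did not opt in
  if (acao === "*") return credentials ? "error" : "cors"; // wildcard never covers credentials
  if (acao !== pageOrigin) return "error";               // opted in for a different origin
  if (credentials && responseHeaders["access-control-allow-credentials"] !== "true") {
    return "error";
  }
  return "cors";
}

// Only "basic" and "cors" responses expose their bytes to page script.
function bodyReadable(tainting) {
  return tainting === "basic" || tainting === "cors";
}

// A media element fetches a file in several range requests. The rule browsers
// converged on after Wavethrough: every partial response must share the origin
// and the tainting of the first one; otherwise the load must fail instead of
// splicing attacker-controlled bytes together with a victim's response.
function canSpliceRanges(responses) {
  if (responses.length === 0) return false;
  const first = responses[0];
  return responses.every(r =>
    originOf(r.url) === originOf(first.url) && r.tainting === first.tainting);
}

// Constructed scenario: the attacking page lives at https://attacker.example,
// the victim's webmail at https://mail.example (both hypothetical).
const PAGE = "https://attacker.example";
const ownClip = responseTainting(PAGE, "https://attacker.example/clip.wav", "no-cors", {});
const victimInbox = responseTainting(PAGE, "https://mail.example/inbox", "no-cors", {});
const optedIn = responseTainting(PAGE, "https://api.example/data", "cors",
  { "access-control-allow-origin": PAGE });

// First range from the attacker's origin, later ranges redirected to the victim:
// a conforming browser refuses to combine them.
const mixedRanges = canSpliceRanges([
  { url: "https://attacker.example/clip.wav", tainting: ownClip },
  { url: "https://mail.example/inbox", tainting: victimInbox },
]);

console.log({ ownClip, victimInbox, optedIn, readable: bodyReadable(victimInbox), mixedRanges });
```

The cross-origin webmail response comes back `opaque`, so `bodyReadable` is false and a conforming browser also rejects the mixed-origin range set; the Edge bug amounted to answering "yes" where this model answers "no".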
A teachable moment
It may be surprising that Microsoft, a company with a long record in security engineering, could overlook such a critical flaw in its product’s code. But Archibald maintains that the oversight is no rookie mistake: he notes that an earlier version of Google’s Chrome web browser suffered from a similar hole, which has since been fixed.
The discovery of Edge’s Wavethrough vulnerability is the latest example of a cyber landscape in which any weakness can and will be exploited by attackers. Incidents such as these highlight the importance of a comprehensive cyber security system.
The foundation of any cyber security system is up-to-date software. In the case of Edge, Microsoft acknowledged the Wavethrough vulnerability and released a patch as part of its June 2018 Patch Tuesday updates; because Edge is updated through Windows Update, installing that month's cumulative update is what applies the fix. Firefox was affected by a similar bug that has also been fixed, so Edge and Firefox users alike are encouraged to update their browsers to guard against it.
Other popular web browsers like Google Chrome and Safari aren’t affected. However, in general, all end users should make a habit of updating their software as patches become available. Studies indicate that most of the ten most common malware strains cannot infect fully patched software, so a little caution goes a long way.
Of course, two forms of protection are better than one. eMazzanti offers 24/7 IT monitoring, comprehensive endpoint security solutions, and other products and services designed to stop cyber threats well before they reach the web browser. To find out more, contact our cyber security experts today.