Netsparker’s security researcher, Ziyahan Albeniz, discovered a vulnerability in Microsoft’s Edge browser which permitted the spreading of malware. He published his findings on CVE-2018-0871 (CVSS 3.0 Base Score of 4.3) in his report titled “Exploiting a Microsoft Edge Vulnerability to Steal Files.”
Albeniz explained that the vulnerability stemmed from a flaw related to the Same-Origin Policy feature. When exploited, it could be used to spread malware that carries out phishing and information-stealing attacks. A major factor in spreading malware through this channel was the user’s own action in downloading the malicious file. This is why the vulnerability was not exploitable at mass scale and therefore posed a lesser risk than most browser security flaws.
The Same-Origin Policy feature is a web application security model that is used in virtually all internet browsers. It allows scripts in one web page to access data in another as long as the web pages belong to the same domain, protocol, and port. It prevents cross-domain access of web pages, meaning that a malicious website cannot access your bank account credentials if you’re logged in on another tab or you forgot to log out.
The SOP security mechanism fails when a user is tricked into downloading a malicious HTML file and running it on their computer. Once the file is saved locally, it loads under the “file://” protocol, where it has no set domain or port number. Because SOP lets web pages access information on the same domain/port/protocol, and all other local files also load under the “file://” protocol, the downloaded malicious HTML file can access any file on the local system and steal data from it.
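The origin comparison described above can be modelled in a few lines. This is an added example, not part of the original article and not Edge's code; the function names and all URLs are constructed for illustration. It contrasts a check that compares only protocol, domain, and port with one that treats every local file as its own origin.

```javascript
// Added illustration: a model of origin comparison, not Edge's implementation.
// All URLs below are constructed sample values.

// Origin tuple as the article describes it: protocol, domain, port.
function originTuple(href) {
  const u = new URL(href);
  return [u.protocol, u.hostname, u.port].join("|");
}

// Naive check: compare tuples only. Every file:// URL has an empty host
// and port, so any two local files look like the same origin.
function naiveSameOrigin(a, b) {
  return originTuple(a) === originTuple(b);
}

// Stricter check: a file:// document is same-origin only with itself.
function strictSameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  if (ua.protocol === "file:" || ub.protocol === "file:") {
    return ua.protocol === ub.protocol && ua.pathname === ub.pathname;
  }
  return originTuple(a) === originTuple(b);
}

const downloaded = "file:///C:/Users/alice/Downloads/invoice.html";
const localDoc = "file:///C:/Users/alice/Documents/notes.txt";
const siteLogin = "https://bank.example/login";
const siteAccount = "https://bank.example/account";
const otherSite = "https://other.example/";

// Evaluate both checks on each pair of sample URLs.
function report() {
  return [
    ["downloaded page vs local file", downloaded, localDoc],
    ["two pages on one site", siteLogin, siteAccount],
    ["two different sites", siteLogin, otherSite],
  ].map(([label, a, b]) => ({
    label,
    naive: naiveSameOrigin(a, b),
    strict: strictSameOrigin(a, b),
  }));
}

console.table(report());
```

The first row is the case the article describes: the tuple-only check reports the downloaded page and an unrelated local file as the same origin, while the stricter check does not.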
This Microsoft Edge SOP vulnerability can be used to carry out targeted and precise attacks. Once a targeted user is tricked into downloading and running the file, the hacker can snoop through the information on their PC and steal the exact information they are looking for, provided they know where to look. Because this attack is not automated, knowing the user and the user’s end system helps in carrying out the attack efficiently.
Ziyahan Albeniz recorded a short video demonstrating this attack. He explained that he was able to exploit this vulnerability in Edge, Mail, and Calendar to steal data from a computer and retrieve it on another device remotely.
Microsoft has released an update for its Edge browser that fixes this vulnerability. The update is available for all respective Windows 10 versions of Microsoft Edge in the published advisory bulletin. Although the update resolving this SOP vulnerability has been released, Albeniz still warns that users should be wary of the HTML files they receive from unknown sources. HTML is not the conventional file type used to spread malware, which is why it often goes unsuspected and causes damage.