Slashdot Mirror


Apple and Google Fix Browser Bug. Microsoft Does Not. (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively. According to Cisco Talos researcher Nicolai Grodum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers. Grodum says that he found a way to bypass CSP -- technical details available here -- that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.

2 of 78 comments

  1. Genuine problem by Anonymous Coward · Score: 2, Informative

    The attack is to open a blank page in JS, insert your malicious code, then load the victim website. Oh look, your malicious code can run.

    MSRC needs a bigger bat to force the IE team to fix this. But they have little influence in the company, which is why logging out of Microsoft websites doesn't invalidate your cookie; you can still use that old cookie to stay logged in. By Design, of course.

  2. Re:At least they're being honest now. by gnunick · Score: 4, Informative

    Okay, since we're talking about recent history ("at the moment", as you said), how about we have a look at recent CVE "scores", not the all-time list that you pasted in?

    Here's the top of the "winners" list for 2017:

    Rank  Product              Vendor        Type         CVEs
    1     Android              Google        OS           564
    2     Linux Kernel         Linux         OS           366
    3     Imagemagick          Imagemagick   Application  303
    4     Iphone Os            Apple         OS           290
    5     Mac Os X             Apple         OS           210
    6     Windows 10           Microsoft     OS           195
    7     Windows Server 2008  Microsoft     OS           187
    8     Windows Server 2016  Microsoft     OS           183
    9     Windows Server 2012  Microsoft     OS           176
    10    Windows 7            Microsoft     OS           174

    But just for fun let's see #11:

    11    Windows 8.1          Microsoft     OS           167

    (on the "all-time" list you pasted in, #11 would have been Internet Explorer)

    source:
    https://www.cvedetails.com/top...

    Aha! You're right, "it's not 1999" any more (in 1999, Microsoft occupied only 4 of the top 10 spots).

    So let's see now... if you add up all the CVEs for all Microsoft products in the top 10 (everyone else seems to want to pretend Windows 8.1 never existed, so let's go with that), Microsoft scores a dazzling 915 CVEs so far in 2017.

    --
    I have no special gift, I am only passionately curious. --Albert Einstein