Apple and Google Fix Browser Bug. Microsoft Does Not.

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively. According to Cisco Talos researcher Nicolai Grodum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers. Grodum says that he found a way to bypass CSP -- technical details available here -- that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.

At least they're being honest now.

[Duckeenie]

Their products are insecure by design.

Re:At least they're being honest now.

[sysrammer]

Your calculation is also misleading. It's quite possible that a Windows CVE spans a number of Windows versions which would lead to counting the same CVE by up to 5 times. I'm willing to bet that the number of unique Windows CVEs is about a third the number that you arrived at.

I'll bet you'd win. This indicates that MS doesn't fix their bugs over multiple releases.