Apple and Google Fix Browser Bug. Microsoft Does Not.

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively. According to Cisco Talos researcher Nicolai Grodum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers. Grodum says that he found a way to bypass CSP -- technical details available here -- that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.

At least they're being honest now.

[Duckeenie]

Their products are insecure by design.

Re:At least they're being honest now.

[zieroh]

It's not like Microsoft has ever been mistaken about security, right?

Right?

Re:At least they're being honest now.

[lucm]

At the moment, the security of Microsoft products is vastly superior to that of Google and Apple. This is not 1999 anymore.

Re:At least they're being honest now.

[zieroh]

You really need to stop smoking crack before posting on Slashdot.

Re:At least they're being honest now.

[lucm]

top 10 products with highest number of CVE:

1 Linux Kernel Linux OS 1930
2 Mac Os X Apple OS 1890
3 Chrome Google Application 1453
4 Firefox Mozilla Application 1438
5 Iphone Os Apple OS 1274
6 Android Google OS 1255
7 Flash Player Adobe Application 1035
8 Debian Linux Debian OS 1022
9 Windows Server 2008 Microsoft OS 956
10 Safari Apple Application

https://www.cvedetails.com/top...

Re:At least they're being honest now.

lets look at that linux kernel number. how many of those have been addressed? and within what timeframe?

compare *those* numbers to that of microsoft's products... where the closed source nature makes it more difficult to even find the damn bugs in the first place.. that, on top of relying on microsoft, only, to fix instead of a legion of developers.

Re:At least they're being honest now.

[gnunick]

Okay, since we're talking about recent history ("at the moment", as you said), how about we have a look at recent CVE "scores", not the all-time list that you pasted in?

Here's the top of the "winners" list for 2017:

1 Android Google OS 564
2 Linux Kernel Linux OS 366
3 Imagemagick Imagemagick Application 303
4 Iphone Os Apple OS 290
5 Mac Os X Apple OS 210
6 Windows 10 Microsoft OS 195
7 Windows Server 2008 Microsoft OS 187
8 Windows Server 2016 Microsoft OS 183
9 Windows Server 2012 Microsoft OS 176
10 Windows 7 Microsoft OS 174

But just for fun let's see #11:
11 Windows 8.1 Microsoft OS 167
(on the "all-time" list you pasted in, #11 would have been Internet Explorer)

source:
https://www.cvedetails.com/top...

Aha! You're right, "it's not 1999" any more (in 1999, Microsoft occupied only 4 of the top 10 spots).

So let's see now... if you add up all the CVEs for all Microsoft products in the top 10 (everyone else seems to want to pretend Windows 8.1 never existed, so let's go with that), Microsoft scores a dazzling 915 CVEs so far 2017.

Re:At least they're being honest now.

[lucm]

Those were "all time leaders". Here's the current year:

1 Android Google OS 564
2 Linux Kernel Linux OS 366
3 Imagemagick Imagemagick Application 303
4 Iphone Os Apple OS 290
5 Mac Os X Apple OS 210

Re:At least they're being honest now.

[gnunick]

Hahaha! Nice job with your selective editing.

Gee, in a comparison to the all-time top 10, why would you list only the top 5 for 2017?

I think we both know the answer. The hell you didn't see 'em, indeed.

Re:At least they're being honest now.

[sexconker]

Why would you add them up across Windows7, 8, etc.? Just to get a bigger number by counting the same vulnerability multiple times?
With that logic, you'd be counting each Android vulnerability once for each Android build it occurs in.

Re:At least they're being honest now.

[tomxor]

Aha! You're right, "it's not 1999" any more (in 1999, Microsoft occupied only 4 of the top 10 spots).

So let's see now... if you add up all the CVEs for all Microsoft products in the top 10 (everyone else seems to want to pretend Windows 8.1 never existed, so let's go with that), Microsoft scores a dazzling 915 CVEs so far 2017.

You're missing the point, recent history or not... total CVEs discovered does not matter, all that matters is total number of unpatched, open source will always have more CVEs. This difference for once clearly stated in the headline. And the result is that if you want to use Microsoft products you are expected to use antivirus, because they would rather you keep bailing out water than bother pluging the holes, M$ most common answer is: "Wont Fix"

Re:At least they're being honest now.

[David_Hart]

Okay, since we're talking about recent history ("at the moment", as you said), how about we have a look at recent CVE "scores", not the all-time list that you pasted in?

Here's the top of the "winners" list for 2017:

1 Android Google OS 564
2 Linux Kernel Linux OS 366
3 Imagemagick Imagemagick Application 303
4 Iphone Os Apple OS 290
5 Mac Os X Apple OS 210
6 Windows 10 Microsoft OS 195
7 Windows Server 2008 Microsoft OS 187
8 Windows Server 2016 Microsoft OS 183
9 Windows Server 2012 Microsoft OS 176
10 Windows 7 Microsoft OS 174

But just for fun let's see #11:
11 Windows 8.1 Microsoft OS 167
(on the "all-time" list you pasted in, #11 would have been Internet Explorer)

source:
https://www.cvedetails.com/top...

Aha! You're right, "it's not 1999" any more (in 1999, Microsoft occupied only 4 of the top 10 spots).

So let's see now... if you add up all the CVEs for all Microsoft products in the top 10 (everyone else seems to want to pretend Windows 8.1 never existed, so let's go with that), Microsoft scores a dazzling 915 CVEs so far 2017.

Your calculation is also misleading. It's quite possible that a Windows CVE spans a number of Windows versions which would lead to counting the same CVE by up to 5 times. I'm willing to bet that the number of unique Windows CVEs is about a third the number that you arrived at.

Re:At least they're being honest now.

[gnunick]

Why would you add them up across Windows7, 8, etc.? Just to get a bigger number by counting the same vulnerability multiple times?
With that logic, you'd be counting each Android vulnerability once for each Android build it occurs in.

Um, gee... where do I start? I mean really, do you see Android (or any non-Microsoft product) broken down by version in that list? It seems to me that for a (lowercase) apples-to-apples comparison, adding up the counts for every version of Windows would be the only fair way to compare it to any OS (or Kernel) which isn't listed with a similar version-by-version breakdown.

In any case, the total number of CVEs for Windows in the top 10 had little to do with the premise of my post, which was a rebuttal to an intentionally misleading post that tried to back up the ridiculous claim that "[a]t the moment, the security of Microsoft products is vastly superior to that of Google and Apple" by posting a part of an all-time list of vulnerabilities (which conveniently only includes one Microsoft product in the top 10). Well, the moment that I'm living in resides firmly in 2017. Once again, the 2017 list is here: https://www.cvedetails.com/top...

I have no idea if cvedetails.com's numbers are in any way reliable. lucm cited them as "proof" of how fuckin'A-awesome Microsoft is these days, so it seemed fair to turn their source around to disprove the original, ridiculous, premise.

But hey, since the OP's bon mot was obliquely attacking a specific vendor, not a product... let's assume cvedetails.com's numbers are somewhat accurate, and scroll to the bottom of https://www.cvedetails.com/top... that lucm originally linked to, where you'll see this juicy heading:

Total Number Of Vulnerabilities Of Top 50 Products By Vendor

There's a pretty bar chart there, but here is the sorted data list:

#1 Microsoft 8528
#2 Apple 5135
#3 Adobe 4167
#4 Mozilla 3279
#5 Google 2708
#6 2279 Oracle
#7 1930 Linux
#8 1373 SUN
#9 1022 Debian
#10 855 Canonical
#11 784 Novell
#12 560 PHP
#13 466 Wireshark
#14 452 Cisco
#15 430 Fedoraproject
#16 426 Redhat
#17 364 Imagemagick

Re:At least they're being honest now.

[gnunick]

No, I'm not missing the point. You're totally right.

But there is no run-down of patched-vs-unpatched status listed on that site, the source of a ridiculous argument that I was rebutting. My only point was that his (?) argument was ridiculous. Sorry to have provided a red herring by doing any dubious math.

Re:At least they're being honest now.

[sysrammer]

Your calculation is also misleading. It's quite possible that a Windows CVE spans a number of Windows versions which would lead to counting the same CVE by up to 5 times. I'm willing to bet that the number of unique Windows CVEs is about a third the number that you arrived at.

I'll bet you'd win. This indicates that MS doesn't fix their bugs over multiple releases.

Re:At least they're being honest now.

[gnunick]

Your calculation is also misleading. It's quite possible that a Windows CVE spans a number of Windows versions which would lead to counting the same CVE by up to 5 times. I'm willing to bet that the number of unique Windows CVEs is about a third the number that you arrived at.

Very true, but the premise of my argument was in the previous sentence. So sorry I included that last line. My argument required no calculations.

To return the point of discussion, I suggest you scroll to the bottom of https://www.cvedetails.com/top... where you'll see the list of Total Number Of Vulnerabilities Of Top 50 Products By Vendor for 2017. I don't know how cvedetails.com does its math (nor do I know why they break down Windows by version, but not Android, etc.). Maybe they're also double-counting CVEs that span multiple Windows versions. Maybe they're doing the same with Android, macOS, etc. It's still an interesting set of data to discuss.

Anyway, if I wanted to make a serious argument about this I'd do some real research into the data, the methodology of the data source(s), and clearly document my own methodology. I sure as hell wouldn't use data from a single web site whose reliability is a complete unknown to me.

Re:At least they're being honest now.

[bondsbw]

They break down Windows by version (unlike the others on the list), so they show as the next 6 items. But those versions are all based on the same code. They tend to share most exploits and fixes for versions that are supported in the same year.

Re:At least they're being honest now.

[Zemran]

It is more than a little disingenuous that they list "the Linux kernel" and "OSX" as single items yet split Windows into separate versions to minimise its ranking. If you add the separate versions of Windows together as they have done with Linux and OSX, Windows goes off the scale.

Re:At least they're being honest now.

They break down Windows by version (unlike the others on the list), so they show as the next 6 items. But those versions are all based on the same code. They tend to share most exploits and fixes for versions that are supported in the same year.

This; the comments we get from the MS shills in these threads are almost worse than the bugs themselves. Although it's much better than Windows I don't want to defend Linux because OpenBSD is better in some ways and the Linux people should learn more from that, however Linus doesn't try to pretend there are five different products called Linux to try to change the order of the lists. He also doesn't pay trolls to come around forums lying about his product. If the producer of a product has to lie about the security of their product then it's maybe a hint to use a different product. You can be pretty sure they won't tell you when there's a serious problem.

Re:At least they're being honest now.

[slashrio]

...that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.

Yeah right, sounds like Microsoft indeed.

Re:At least they're being honest now.

[Cley+Faye]

That's the number of publicly known/published vulnerabilities. We know (and it has been proven true) that a lot of vulnerabilities are secretly kept when discovered.
Looking at it another way, I could say "look at how many flaws were fixed in the linux kernel, Mac Os X, Chrome and Firefox, and look at how many were fixed in MS products". Listing CVE says nothing about the actual number of vulnerabilities, only about their disclosure.

Re:At least they're being honest now.

[gweihir]

Meaningless statistic is meaningless. And the one posting it is stupid.

Re: At least they're being honest now.

[dougdonovan]

blame the ceo from india.

Re:At least they're being honest now.

[ElizabethGreene]

Is it common for vendors other than Microsoft to file a CVE for flaws that are discovered internally even if there is no public release and telemetry indicates no exploits in the wild, or for privately disclosed vulnerabilities with no public release?

This is not trolling; I'm actually curious to know. If that's not a common practice then it would be difficult to make an apples-to-apples comparison.

(I work for Microsoft, but this isn't part of the work I normally do.)

Re:At least they're being honest now.

[Cley+Faye]

No idea, but that's the point. Citing CVE (or any equivalent) listings as a "security gauge" is silly one way or another. And even if such list was relevant as to how secure a piece of software is, it would still be irrelevant in the real world, because you'd have to take into account how feasible each vuln. is, how effective it is, and how many systems are at risks.
The main difference between closed-source and open-source here is that one allows for more eyeballs than the other; it doesn't mean that more people will actually look, find, fix vulnerabilities, nor that such vulnerabilities will be easier/harder to exploit in the real world, and how useful they'll end up to be. There's just too much variable to say "X is better/worse than Y" in such absolute way.

Re: At least they're being honest now.

Can image magic be converted to JavaScript llvm and run entirely in the browser? No more security risk, boom, just cured 300 CVEs.

Re:At least they're being honest now.

[tomxor]

Ah ok... yes I couldn't find any stats about the state of open CVEs either, which is quite frustrating.

Re:At least they're being honest now.

[lucm]

No idea, but that's the point. Citing CVE (or any equivalent) listings as a "security gauge" is silly one way or another.

As opposed to just say "there must be secret bugs they don't tell us about"? How do you rank that? Arbitrary suspicion factor based on your own guesswork?

Re:At least they're being honest now.

[lucm]

Meaningless statistic is meaningless. And the one posting it is stupid.

Then why don't you provide meaningful content instead of just bitching about things? Oh wait, I know why.

Re:At least they're being honest now.

[zieroh]

top 10 products with highest number of CVE:

You use data like a drunk uses a lamp post: for support, rather than illumination.

You're also a dishonest shill. Go fuck yourself.

Re:At least they're being honest now.

[Cley+Faye]

I don't rank that. I don't have to. I wrote (but you omited that part in your quote) that there's no absolute way to say that one piece of software is better than another security wise, and that the only thing openness bring to the table is the ability for anyone to look into it.
I didn't say (here or anywhere else) "there must be secret bugs they don't tell us about" so I don't see why you're asking me this, aside from trying to stir a fruitless "discussion".

Re:At least they're being honest now.

[gweihir]

You make one mistake here: You think that educating the likes of you is worthwhile. I have tried and know better. Arrogant and stupid is sure-fire way to become resistant to insight.

Just one point: Anybody with some actual understanding knows that counting-metrics only make sense if the things counted are quite similar. Even a brief look at some random sample of CVEs immediately shows that this is not at all the case here and that counting is meaningless for the case at hand. Hence anybody promoting a counting-metric here is extremely disconnected from reality (or a big, fat liar) and any attempt at educating such a person is consequentially futile.

Re:At least they're being honest now.

[lucm]

Hence anybody promoting a counting-metric here is extremely disconnected from reality

Actually, it's people who say "counting-metric" that are disconnected from reality since it means nothing. Is it some kind of direct translation from Polish or whatever retarded language you speak?

Anyways, there's no reason for you to throw a tantrum. Why don't you remove the stick you've got up your ass and contribute something to the discussion? You're not funny, you're not witty, and you're not good at being smug; stick to real content.

Good thing

[Billly+Gates]

Because Edge == IE 6 and it is not like Google ever refused to fix a bug while MS did first.

Why am I ever bother writing a reply here?

Re:Good thing

[Snotnose]

Why am I ever bother writing a reply here?

A) You're drunk
B) You're "compiling"
C) You're putting off something you need to do but don't wanna

Re:Good thing

[lucm]

A) You're drunk
B) You're "compiling"
C) You're putting off something you need to do but don't wanna

Here's the 2017 version.

A) You're triggered
B) You're "docker pulling"
C) You've withdrawn from real world interaction

Re:Good thing

[slashrio]

D) You're Dutch.

Re:Good thing

[Dutch+Gun]

Ya got me.

Re:Good thing

[slashrio]

A few years ago an older guy from Holland, therefore a Dutch guy, while they call their country The Netherlands -- pfff, can it be any more complicated? -- called me a 'snotneus'.
I said: "What?". And in bad English he said: "snotnose".
Maybe even it was you. ;)

Re:Good thing

[Dutch+Gun]

If it was me, I likely would have called you a kleine snotneus. But I think that insult may be a genetic trait of the Dutch, along with thriftiness. You know how copper wire was invented, right? Two Dutchmen were fighting over a penny...

Re:Good thing

[slashrio]

First, it were two Scotch men, and second: 'kleine' (= little) would on average be correct as the Dutch tend to be the tallest people in the world (again, on average).

Re:At least they're being honest now. NIGGER FUCK!

G_N_A_A (G.A.Y N1GGER ASSOCIATION OF AMERICA) is the first organization which
gathers G.A.Y N1GGERS from all over America and abroad for one common goal - being G.A.Y N1GGERS.

Are you G.A.Y ?
Are you a N1GGER ?
Are you a G.A.Y N1GGER ?

If you answered "Yes" to any of the above questions, then G_N_A_A (G.A.Y N1GGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!
Join G_N_A_A (G.A.Y N1GGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time G_N_A_A member.
G_N_A_A (G.A.Y N1GGER ASSOCIATION OF AMERICA) is the fastest-growing G.A.Y N1GGER community with THOUSANDS of members all over United States of America. You, too, can be a part of G_N_A_A if you join today!

Why not? It's quick and easy - only 3 simple steps!

First, you have to obtain a copy of G.A.Y N1GGERS FROM OUTER SPACE THE MOVIE and watch it.

You can watch G.A.Y N1GGERS FROM OUTER SPACE on Youtube.

Second, you need to succeed in posting a G_N_A_A "first post" on slashdot.org , a popular "news for trolls" website

Third, you need to join the official G_N_A_A irc channel #G_N_A_A on EFNet, and apply for membership.
Talk to one of the ops or any of the other members in the channel to sign up today!

If you are having trouble locating #G_N_A_A, the official G.A.Y N1GGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.secsup.org or irc.easynews.com as one of the EFNet servers.
If you do not have an IRC client handy, you are free to use the G_N_A_A Java IRC client by clicking here.

If you have mod points and would like to support G_N_A_A, please moderate this post up.

This post brought to you by Penisbird , a proud member of the G_N_A_A

G_____________________________________naann_______ ________G
N_____________________________nnnaa__nanaaa_______ ________A
A____________________aanana__nannaa_nna_an________ ________Y
A_____________annna_nnnnnan_aan_aa__na__aa________ ________*
G____________nnaana_nnn__nn_aa__nn__na_anaann_MERI CA______N
N___________ana__nn_an___an_aa_anaaannnanaa_______ ________I
A___________aa__ana_nn___nn_nnnnaa___ana__________ ________G
A__________nna__an__na___nn__nnn___SSOCIATION_of__ ________G
G__________ana_naa__an___nnn______________________ ________E
N__________ananan___nn___aan_IGGER________________ ________R
A__________nnna____naa____________________________ ________S
A________nnaa_____anan____________________________ ________*
G________anaannana________________________________ ________A
N________ananaannn_AY_____________________________ ________S
A________ana____nn_________IRC-EFNET-#G_N_A_A________ ________S
A_______nn_____na_________________________________ ________O
*_______aaaan_____________________________________ ________C
Gary Niger gary_niger@G_N_A_A.us G_N_A_A Corporate Headquarters 143 Rolloffle Avenue Tarzana, California 91356
Enid Al-Punjabi enid_al_punjabi@G_N_A_A.us G_N_A_A World Headquarters No.33 Kyutei Bld. 2F, Shinjuku 2-11-7, Shinjuku-ku, Tokyo, Japan ????????2??11-6
Copyright (c) 2003-2015 G.A.Y N1GGER Association of America

Ich Bindawalross (London) - G_N_A_A (NYSE:

Really, Edge? XSS-vulnerable by design?

[intellitech]

An attacker only needs to open a new page via the “_blank” method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content — the code to execute a banal XSS attack — remains, and helps the attacker bypass CSP protections.

Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

Re: Really, Edge? XSS-vulnerable by design?

[corychristison]

I suspect Microsoft relies on this "feature" in one of their products somewhere...

Re: Really, Edge? XSS-vulnerable by design?

[Monster_user]

Is there some archaic manner of loading certain sites which requires they be loaded into a blank page? Or is there some requirement of a link somewhere, which Microsoft provides support for, that cannot be loaded with different restrictions by any other means than an exploit? Something about Microsoft thinks users are to dumb to tie their own shoes perhaps?

Re: Really, Edge? XSS-vulnerable by design?

[Monster_user]

Office 365?

Re:Really, Edge? XSS-vulnerable by design?

[Kjella]

Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

I can't begin to phantom where the thought process comes form, but developers do the stupidest shit to make things work right now. Whether it's documented behavior, undocumented behavior, bugs, unintentional side effects, race conditions or whatever Microsoft has probably found that some developers have used this in a non-malicious way because drumroll it works. And that's really the whole of the story, if you break it you don't just break malware authors you break some website that paid idiot developers or cheap-ass outsourcing company for it. Then the get angry at Microsoft because it worked before, so they keep the broken behavior. It's not gone even though IE6 is finally exorcised.

Re:Really, Edge? XSS-vulnerable by design?

[lucm]

It's not clear in the description (I suspect the person who wrote it doesn't know how web pages work) but this just means opening a link that has a "_blank" target (new window/tab).

This is just clickbait as usual.

Re:Really, Edge? XSS-vulnerable by design?

Read the tech details of the bug

Re:Really, Edge? XSS-vulnerable by design?

[The+MAZZTer]

Well I can see poorly coded websites doing that to programmatically build up frames. Yes, writing JAVASCRIPT into a frame is odd, but I could see it happening. But when you navigate a frame everything that was in the old page should be unloaded. Old JavaScript, especially from a different origin, should not continue to run!

Re:Really, Edge? XSS-vulnerable by design?

[WaffleMonster]

An attacker only needs to open a new page via the âoe_blankâ method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content â" the code to execute a banal XSS attack â" remains, and helps the attacker bypass CSP protections.

Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

TFA is weak on details... what this all seems to be about has been known for a very long time.

By blank I assume they mean an HREF with a TARGET of _blank but not really limited to blank just any target that opens a new window.

What happens is when you link to the remote site if that site is malicious it can call back into the web page that opened it using "opener" like JS reference crap and modify or do shit in the window that called you.

For example your banking website provides a list of hyperlinks to third party sites. One of the sites it links to happens to be prettypleaserobmeblind.org

If hyperlink is HREF = prettypleaserobmeblind.org then you go to the new web page with no cross site implications. It doesn't matter if you open the link in a new window or tab.. your safe...

Yet instead your bank adds TARGET=_blank to the prettypleaserobmeblind.org hyperlink. The page is now always opened in a new window/tab because they want to keep you on the site... as a result the destination site can now fuck with referring site via javascript opener back references under certain conditions to for example transfer all of the cash in your bank account to themselves.

I ASSume that's what this is about. My personal opinion anyone (MS) who defends this type of behavior has a screw loose in their heads. I suspect most web developers are clueless about it... nor does there seem to be causal connection that would lead even a very careful person to infer relationship.

While there is always some merit in the should have known better category technology that is inherently so treacherous to use seems rather counterproductive to me.

I know when I learned about this I was ticked off... about as ticked off as when I learned all browsers intentionally break secure TLS version negotiation. Amazing the things I implicitly "assume" without questioning that turn out to be false... perhaps I'm just careless.

Re:Really, Edge? XSS-vulnerable by design?

[gustygolf]

You can build a new window altogether in JavaScript, apparently, with no HTTP requests taking place. I think this is what your quote refers to.

See the javascript at e.g. sheldon brown's bicycle gear calculator page, line 422 (function showit()) and forward.

It basically uses document.write to build the whole pop-up results window.

(Yes, I was surprised to learn that such a thing was possible.)

Re:Really, Edge? XSS-vulnerable by design?

[Cley+Faye]

Opening a page with "_blank" target doesn't open a blank page; it open a page in a new tab/window. It's super common, and is often used to open link to external sites without losing the current page (it's somewhat seen as a UX nightmare for some people).
So it's not just allowing a blank page to run foreign JavaScript, it's allowing any real page, following "correct looking" URL to run foreign JavaScript.

For reference, an "about:blank" is what you'd want if you want to open a blank page. But the article clearly state "_blank", which is different.

Genuine problem

The attack is to open a blank page in JS, insert your malicious code, then load the victim website. Oh look, your malicious code can run.

MSRC needs a bigger bat to force the IE team to fix this. But they have little influence in the company, which is why logging out of Microsoft websites doesn't invalidate your cookie; you can still use that old cookie to stay logged in. By Design, of course.

Re: Genuine problem

So all you need to do to compromise someone's gmail Gmail is...
1) Hack their PC or the Gmail web host and then
2) use this document.write attack?

Why is step 2 needed again?

Where?

[wonkey_monkey]

technical details available here

Here? Where?

For an internet news site you sure do have a shitty grasp of how the internet works.

Re:Where?

[fisted]

grasp of how the www works.

FTFY

Re:Where?

Step 1) Click the link in the summary to the article.

Step 2) Click the link in the article.

For someone reading an internet new site, you sure fo have a shitty grasp of how the internet works.

Re:Where?

[tepples]

With firewalls in so many places blocking everything but 443 and 80 out, and with device makers blocking native apps from their walled gardens based on ambiguous content criteria, www is the Internet as end users experience it.

Usually it's Apple...

[Ecuador]

Huh, usually it's Apple with the "Broken As Designed stuff, I guess Microsoft is playing catch up in that area too ;)

Re:Usually it's Apple...

One example provided and suddenly it's "usually". Is English not your first language?

Re:Usually it's Apple...

[Ecuador]

As a software engineer, it was a common pattern when I was working with iOS. The example was one that came quickly to my mind in a form that I could easily search and post. I even had issues as a user, e.g. for about 2 years Apple had broken support if you had a Mac Pro with upgraded graphics and a multi-monitor setup with a mix of landscape and portrait mode monitors. Their reply to the bug reports was something akin to "if you have that kind of setup, you're doing it wrong". Of course you could also say that Microsoft has entire OSes "bad by design" (Vista, Win 8 etc) ;) And, to answer your question, no, English is not my first language, but I usually get by...

Well, it's only Edge

[JohnFen]

It's only Edge, so hardly anyone will be affected.

windows 10 S you fail again just wait for EU smack

[Joe_Dragon]

windows 10 S you fail again just wait for EU smack down.

  iOS is locked to WebKit

Safari not patched

[DontBeAMoran]

If you don't use the latest macOS version, you can't upgrade to the latest version of Safari.

Option

Where did the browser option "load only from origin site" go?

MS stop keeping IE features.

[bongey]

Edge is suppose to be NEW browser but from the mozilla/firefox page it is one of those none standard IE "features". https://developer.mozilla.org/...

Re:At least they're being honest now. NIGGER FUCK!

[ddtmm]

TL:DR

I think Microsoft is right

If your site is already outputting the necessary CSP headers and sanitising it's HTML correctly, I find it hard that you'll get your malicious JS payload to even invoke let alone open up a new blank page. Just sayin'.

If the attacker is already able to run JS from your page then you have other issues.

Possible NSA hacking vector

If they want us to believe they aren't in cahoots with the NSA they should patch anything that vaguely smells of NSA.

Re:At least they're being honest now. NIGGER FUCK!

No kidding. "Brevity is the soul of wit."

Re: At least they're being honest now. NIGGER FUCK

Lol gn from outer space is a funny movie.

Re:At least they're being honest now. NIGGER FUCK!

At least update the irc servers you are putting in this. Those two servers, irc.secsup.org and irc.easynews.com haven't existed on EFnet in probably over a decade...

Not just Microsoft

sure, this time the people at NSA and CIA gave a court order to the sorry people at Microsoft, and they weren't allowed to fix the bug, but there are a dozen of these hiding in the other browsers, kept there by the same kind of court orders.

If it's American, then it's back-doored by design. That's what you need to start telling people.

Same-Origin Policy is definitely broken by design

Annoys the heck out of me. Came across this on Edge and I was floored that hobo.homeless.com got access to all of homeless.com's cookies. I had to put in a few lines in my cookie saver/getters that append "hobo" to the front automatically based on URL.

Those are of course made-up names.

of course not!

This is an integral part of windows telemetry

pinterest is that way --->

[lucm]

You use data like a drunk uses a lamp post: for support, rather than illumination.

I'm sure you've been waiting for an opportunity to shoehorn that little inspirational nugget in one of your comments. Unfortunately, it doesn't work as well as you would have hoped because

1) it sounds as corny as the text in a discount Hallmark Get Well Soon card
and
2) I didn't "use data", I merely copy-pasted stuff from the first result that comes up when one googles "top 10 cve", which even by your self-righteous, biased standards can hardly be construed as being dishonest

I don't want to prevent you from living in that tinfoil hat fantasy land where every piece of information you see that doesn't support your preconceived ideas must be planted by some "shill" (if such thing even existed for real on Slashdot). The world is a beautiful mosaic and irrational angry tools like you are part of it. Just try to avoid leaking your Pinterest material in your Slashdot comments and everything will be fine.

Re:pinterest is that way ---

[zieroh]

I'm sure you've been waiting for an opportunity to shoehorn that little inspirational nugget in one of your comments.

I rarely have to wait for very long before some hapless turd wanting to score snarkpoints on [_fill_in_discussion_forum_here_] ambles along and demonstrates a piss-poor understanding of what facts are and what they mean. I've used the term many times before.

Unfortunately, it doesn't work as well as you would have hoped because [meaningless argle-bargle]

Get over yourself. It was a direct hit. The only one here who maybe doesn't understand that is you.

2) I didn't "use data", I merely copy-pasted stuff from the first result that comes up when one googles "top 10 cve"

A meaningless distinction if ever there was one.

As others have noted, Windows is largely split across multiple versions, while virtually nothing else is. To willfully ignore that is to willfully misuse the facts in your pursuit of snarkpoints. And for that, you suck, oh-ohhhh!