Slashdot Mirror


Apple and Google Fix Browser Bug. Microsoft Does Not. (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively. According to Cisco Talos researcher Nicolai Grodum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers. Grodum says that he found a way to bypass CSP -- technical details available here -- that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users' cookies, or logging keystrokes inside the page's forms, and others.
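To make the mechanism in the summary concrete, here is a small Content-Security-Policy evaluator added for this page. It parses a policy header, decides whether an external or inline script is allowed under script-src (with the default-src fallback), and models the rule that a document opened as about:blank via window.open('', '_blank') inherits its opener's policy along with its origin. The inheritance model is my reading of the description above, not Cisco Talos's write-up, and none of this is code from Talos, Microsoft or BleepingComputer; every policy string, origin and URL is constructed for the example, and nonces, hashes and 'strict-dynamic' are deliberately left out.

```javascript
// Added example for this page: a minimal CSP evaluator. Not code from Cisco
// Talos, Microsoft or BleepingComputer; all policies and URLs below are
// constructed for illustration.

// Parse "default-src 'self'; script-src 'self' https://cdn.example.com" into
// { 'default-src': ["'self'"], 'script-src': ["'self'", 'https://cdn.example.com'] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Match one source expression against a script URL. Covers 'none', 'self',
// '*', scheme-source (https:) and host-source (*.example.com:443/static/).
// Nonces, hashes and 'strict-dynamic' are omitted to keep the example short.
function sourceMatches(expr, scriptUrl, documentOrigin) {
  const lower = expr.toLowerCase();
  const u = new URL(scriptUrl);
  if (lower === "'none'") return false;
  if (lower === "'self'") return u.origin === documentOrigin;
  if (lower.startsWith("'")) return false;                 // other keywords never match a URL
  if (lower === '*') return u.protocol === 'https:' || u.protocol === 'http:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return u.protocol === lower;   // scheme-source

  const m = lower.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && u.protocol !== scheme + ':') return false;
  if (wildcard ? !u.hostname.endsWith('.' + host) : u.hostname !== host) return false;
  if (port && port !== '*') {
    const actual = u.port || (u.protocol === 'https:' ? '443' : '80');
    if (actual !== port) return false;
  }
  if (path) {
    // CSP path matching: a source path ending in '/' is a prefix, anything else is exact.
    if (path.endsWith('/') ? !u.pathname.startsWith(path) : u.pathname !== path) return false;
  }
  return true;
}

// Effective source list for scripts: script-src, else default-src, else
// unrestricted (null).
function scriptSources(policy) {
  return policy['script-src'] || policy['default-src'] || null;
}

function allowsExternalScript(policy, scriptUrl, documentOrigin) {
  const sources = scriptSources(policy);
  return sources === null ||
    sources.some(s => sourceMatches(s, scriptUrl, documentOrigin));
}

// Inline <script> bodies, including ones injected with document.write, need
// 'unsafe-inline' (or a nonce/hash, not modelled here) to run.
function allowsInlineScript(policy) {
  const sources = scriptSources(policy);
  return sources === null ||
    sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}

// A freshly opened about:blank window carries no headers of its own. Per CSP3
// it inherits the opener's policy together with the opener's origin. A browser
// that copies the origin but not the policy leaves the new document with an
// empty policy, so script written into it with document.write is unrestricted
// while still running in the opener's origin. `inheritsPolicy` selects which
// behaviour is modelled (assumption for this example, not a browser API).
function openBlankFrom(opener, inheritsPolicy) {
  return { origin: opener.origin, policy: inheritsPolicy ? opener.policy : {} };
}

// Would a script written into the blank window with document.write run?
function blankWindowRunsInline(openerHeader, openerOrigin, inheritsPolicy) {
  const opener = { origin: openerOrigin, policy: parseCsp(openerHeader) };
  return allowsInlineScript(openBlankFrom(opener, inheritsPolicy).policy);
}
```

With the policy `script-src 'self'` on the opener, `blankWindowRunsInline(..., true)` returns false (the inherited policy blocks the injected inline script) and `blankWindowRunsInline(..., false)` returns true, which is the condition the bypass in the summary depends on. Checking a real browser is a matter of serving a page with that header, calling `window.open('', '_blank')` and `document.write('<script>...</script>')` on the result, and seeing whether the console reports a CSP violation.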

11 of 78 comments

  1. At least they're being honest now. by Duckeenie · · Score: 5, Insightful

    Their products are insecure by design.

    1. Re:At least they're being honest now. by zieroh · · Score: 2

      It's not like Microsoft has ever been mistaken about security, right?

      Right?

      --
      People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
    2. Re:At least they're being honest now. by zieroh · · Score: 3, Funny

      You really need to stop smoking crack before posting on Slashdot.

      --
      People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
    3. Re:At least they're being honest now. by lucm · · Score: 2

      top 10 products with highest number of CVE:

      Rank  Product              Vendor     Type         CVEs
      1     Linux Kernel         Linux      OS           1930
      2     Mac Os X             Apple      OS           1890
      3     Chrome               Google     Application  1453
      4     Firefox              Mozilla    Application  1438
      5     Iphone Os            Apple      OS           1274
      6     Android              Google     OS           1255
      7     Flash Player         Adobe      Application  1035
      8     Debian Linux         Debian     OS           1022
      9     Windows Server 2008  Microsoft  OS            956
      10    Safari               Apple      Application

      https://www.cvedetails.com/top...

      --
      lucm, indeed.
    4. Re:At least they're being honest now. by gnunick · · Score: 4, Informative

      Okay, since we're talking about recent history ("at the moment", as you said), how about we have a look at recent CVE "scores", not the all-time list that you pasted in?

      Here's the top of the "winners" list for 2017:

      Rank  Product              Vendor       Type         CVEs
      1     Android              Google       OS            564
      2     Linux Kernel         Linux        OS            366
      3     Imagemagick          Imagemagick  Application   303
      4     Iphone Os            Apple        OS            290
      5     Mac Os X             Apple        OS            210
      6     Windows 10           Microsoft    OS            195
      7     Windows Server 2008  Microsoft    OS            187
      8     Windows Server 2016  Microsoft    OS            183
      9     Windows Server 2012  Microsoft    OS            176
      10    Windows 7            Microsoft    OS            174

      But just for fun let's see #11:
      11    Windows 8.1          Microsoft    OS            167
      (on the "all-time" list you pasted in, #11 would have been Internet Explorer)

      source:
      https://www.cvedetails.com/top...

      Aha! You're right, "it's not 1999" any more (in 1999, Microsoft occupied only 4 of the top 10 spots).

      So let's see now... if you add up all the CVEs for all Microsoft products in the top 10 (everyone else seems to want to pretend Windows 8.1 never existed, so let's go with that), Microsoft scores a dazzling 915 CVEs so far in 2017.

      --
      I have no special gift, I am only passionately curious. --Albert Einstein
    5. Re:At least they're being honest now. by lucm · · Score: 2

      Those were "all time leaders". Here's the current year:

      Rank  Product       Vendor       Type         CVEs
      1     Android       Google       OS            564
      2     Linux Kernel  Linux        OS            366
      3     Imagemagick   Imagemagick  Application   303
      4     Iphone Os     Apple        OS            290
      5     Mac Os X      Apple        OS            210

      --
      lucm, indeed.
    6. Re:At least they're being honest now. by gnunick · · Score: 2

      Why would you add them up across Windows7, 8, etc.? Just to get a bigger number by counting the same vulnerability multiple times?
      With that logic, you'd be counting each Android vulnerability once for each Android build it occurs in.

      Um, gee... where do I start? I mean really, do you see Android (or any non-Microsoft product) broken down by version in that list? It seems to me that for a (lowercase) apples-to-apples comparison, adding up the counts for every version of Windows would be the only fair way to compare it to any OS (or Kernel) which isn't listed with a similar version-by-version breakdown.

      In any case, the total number of CVEs for Windows in the top 10 had little to do with the premise of my post, which was a rebuttal to an intentionally misleading post that tried to back up the ridiculous claim that "[a]t the moment, the security of Microsoft products is vastly superior to that of Google and Apple" by posting a part of an all-time list of vulnerabilities (which conveniently only includes one Microsoft product in the top 10). Well, the moment that I'm living in resides firmly in 2017. Once again, the 2017 list is here: https://www.cvedetails.com/top...

      I have no idea if cvedetails.com's numbers are in any way reliable. lucm cited them as "proof" of how fuckin'A-awesome Microsoft is these days, so it seemed fair to turn their source around to disprove the original, ridiculous, premise.

      But hey, since the OP's bon mot was obliquely attacking a specific vendor, not a product... let's assume cvedetails.com's numbers are somewhat accurate, and scroll to the bottom of https://www.cvedetails.com/top... that lucm originally linked to, where you'll see this juicy heading:

      Total Number Of Vulnerabilities Of Top 50 Products By Vendor

      There's a pretty bar chart there, but here is the sorted data list:

      Rank  Vendor         CVEs
      #1    Microsoft      8528
      #2    Apple          5135
      #3    Adobe          4167
      #4    Mozilla        3279
      #5    Google         2708
      #6    Oracle         2279
      #7    Linux          1930
      #8    SUN            1373
      #9    Debian         1022
      #10   Canonical       855
      #11   Novell          784
      #12   PHP             560
      #13   Wireshark       466
      #14   Cisco           452
      #15   Fedoraproject   430
      #16   Redhat          426
      #17   Imagemagick     364

      --
      I have no special gift, I am only passionately curious. --Albert Einstein
    7. Re:At least they're being honest now. by sysrammer · · Score: 3, Insightful

      Your calculation is also misleading. It's quite possible that a Windows CVE spans a number of Windows versions, which would lead to counting the same CVE up to 5 times. I'm willing to bet that the number of unique Windows CVEs is about a third of the number that you arrived at.

      I'll bet you'd win. This indicates that MS doesn't fix their bugs over multiple releases.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  2. Really, Edge? XSS-vulnerable by design? by intellitech · · Score: 4, Interesting

    An attacker only needs to open a new page via the “_blank” method and use the document.write function to write malicious code inside this page before loading the actual content. The malicious content — the code to execute a banal XSS attack — remains, and helps the attacker bypass CSP protections.

    Just choked on my coffee after reading that. What possible use case could there be for allowing a blank page to even run javascript for document.write in the first place?

    --
    You know nothing, nor do you consider that it is expedient for us that one man die for the people, and that the whole nation not perish.
    1. Re: Really, Edge? XSS-vulnerable by design? by corychristison · · Score: 2

      I suspect Microsoft relies on this "feature" in one of their products somewhere...

  3. Genuine problem by Anonymous Coward · · Score: 2, Informative

    The attack is to open a blank page in JS, insert your malicious code, then load the victim website. Oh look, your malicious code can run.

    MSRC needs a bigger bat to force the IE team to fix this. But they have little influence in the company, which is why logging out of Microsoft websites doesn't invalidate your cookie; you can still use that old cookie to stay logged in. By Design, of course.