CVE-2018-8235: Security Feature Bypass Bug in Edge, Patch Now!

An independent security researcher has stumbled, by accident, on an unusual high-severity browser vulnerability in Microsoft Edge, identified as CVE-2018-8235. Put briefly, the vulnerability would allow a malicious website to read content from other sites simply by loading audio files in an unexpected way, which produces unintended consequences.

According to Jake Archibald, the researcher who unearthed the flaw, the bug is huge and “it means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing”. The researcher dubbed the bug Wavethrough.

CVE-2018-8235 Official MITRE Description

A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka “Microsoft Edge Security Feature Bypass Vulnerability.”

CVE-2018-8235: the Wavethrough Bug Explained

When is the bug triggered? When a malicious website uses a service worker to load multimedia content into an audio tag from a remote site, while using the HTTP “Range” header to request a specific part of the same file.

The researcher also added that:

I pretended to be a hacker and wrote down all the attacks I could think of, and Anne van Kesteren pointed out that some of them were possible without a service worker, as you can do similar things with redirects.

In addition, because browsers differ in how they handle files loaded through service workers inside audio tags, the malicious site can end up loading any content from another site. Normally this would not be possible, because CORS (Cross-Origin Resource Sharing) prevents a site from reading resources that belong to other sites.

However, under these unusual circumstances, the malicious site can issue “no-cors” requests which would not be detected (Read more...)
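The fix for Wavethrough itself shipped in Edge, but the pattern the article describes (a cross-site “no-cors” request carrying a Range header, aimed at a logged-in page, and consumed as if it were media) is something a site can also refuse to cooperate with. The following is an added example and not code from the original post, from Microsoft, or from the researcher: a small Node.js request filter that treats HTML/JSON endpoints as sensitive and only lets genuine media be range-loaded cross-site. It assumes a layout where media lives under `/media/` and everything else is sensitive; the `Sec-Fetch-Site`, `Sec-Fetch-Mode` and `Sec-Fetch-Dest` request headers are real Fetch Metadata headers sent by current browsers, and since older browsers (including the Edge build at issue) omit them, the filter falls back to the Range header alone. The sample requests at the bottom are constructed, not captured traffic.

```javascript
// Added example (not the original post's, Microsoft's or the researcher's code).
// Server-side filter that keeps sensitive, non-media responses from being
// served as partial, cross-site media content.
//
// Assumptions (mine, not the article's): media lives under /media/; all other
// paths serve HTML or JSON for a logged-in user. Sec-Fetch-* headers are the
// Fetch Metadata request headers; browsers that predate them send none.

const MEDIA_PREFIX = '/media/';

function isMediaPath(path) {
  return path.startsWith(MEDIA_PREFIX);
}

// Returns { action, reason } where action is one of:
//   'allow'        serve the request normally
//   'deny'         answer 403 with no body
//   'ignore-range' serve the whole resource with 200 instead of a 206 slice
function classifyRequest(path, headers) {
  // Normalize header names; Node lower-cases them already, raw input may not.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = value;
  }
  const site = h['sec-fetch-site'];
  const mode = h['sec-fetch-mode'];
  const dest = h['sec-fetch-dest'];
  const hasRange = Object.prototype.hasOwnProperty.call(h, 'range');

  if (isMediaPath(path)) {
    // Real media is meant to be embedded and range-loaded, cross-site included.
    return { action: 'allow', reason: 'media resource' };
  }

  // A sensitive page should never be the source of an <audio>/<video> element.
  if (dest === 'audio' || dest === 'video') {
    return { action: 'deny', reason: `Sec-Fetch-Dest ${dest} on non-media resource` };
  }

  // A cross-site no-cors response is opaque to the requesting page by design;
  // a sensitive endpoint gains nothing by answering it with real data.
  if (site === 'cross-site' && mode === 'no-cors') {
    return { action: 'deny', reason: 'cross-site no-cors request' };
  }

  // Fallback for browsers without Fetch Metadata: HTML and JSON never need
  // partial content, so answer a Range request with the whole resource rather
  // than a byte slice that a media pipeline could stitch onto another file.
  if (hasRange) {
    return { action: 'ignore-range', reason: 'Range header on non-media resource' };
  }

  return { action: 'allow', reason: 'ordinary request' };
}

// Constructed sample requests (not real traffic), one per branch above.
const SAMPLE_REQUESTS = [
  { path: '/media/intro.mp3',
    headers: { Range: 'bytes=0-', 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Dest': 'audio' } },
  { path: '/inbox',
    headers: { Range: 'bytes=0-', 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'no-cors', 'Sec-Fetch-Dest': 'audio' } },
  { path: '/inbox',
    headers: { Range: 'bytes=100-200', Cookie: 'session=constructed-value' } },
  { path: '/inbox',
    headers: { 'Sec-Fetch-Site': 'same-origin', 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-Dest': 'document' } },
  { path: '/api/feed',
    headers: { 'Sec-Fetch-Site': 'cross-site', 'Sec-Fetch-Mode': 'cors', 'Sec-Fetch-Dest': 'empty' } },
];

// Classify every sample request; returns an array of { path, action, reason }.
function runSamples(requests = SAMPLE_REQUESTS) {
  return requests.map(({ path, headers }) => ({ path, ...classifyRequest(path, headers) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runSamples()) {
    console.log(`${r.action.padEnd(12)} ${r.path}  (${r.reason})`);
  }
}
```

The last sample (a cross-site request in `cors` mode) is allowed on purpose: a CORS request is only readable by the other site if this server opts in with `Access-Control-Allow-Origin`, so the normal CORS checks, not this filter, govern it. The filter only steps in for the opaque and partial-content paths that CORS was never designed to police.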

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum authored by Milena Dimitrova. Read the original post at: