
8/3/2018
09:35 AM
Larry Loeb

Researcher Finds Way to Bypass SOP Within Microsoft Edge Browser

For years, SOP has made sure that browsing stays safe by isolating different websites. Now, a researcher has found a way around the policy within Microsoft's Edge browser.

The Same Origin Policy (SOP) has been an implicit operational condition for browsers since 1995. It stops scripts contained in one web page from accessing data in a second web page unless the two pages have the same origin. An origin is defined as the combination of URI scheme, host name (domain or subdomain) and port number.

Now, however, Netsparker security researcher Ziyahan Albeniz has found that older versions of Microsoft's Edge browser could be fooled into allowing this type of access from one web page to another.

Albeniz discovered that when an HTML file is sent via email and then run by Edge, the result that SOP is supposed to forbid happens: a local file can be read and exfiltrated from the target machine.

Of course, there is some social engineering involved in all of this. The user needs to download the HTML file in that poisoned email to start things off. HTML is not a usual file format transferred in this way, so the email will call attention to itself when it is encountered.

What actually happens if the email is opened is fairly simple. The HTML file is loaded by the file:// protocol when read from the email. Since it becomes a local file, there is no domain or port value associated with it.

The local file on the target machine will also not have a domain or port. So, in this case the ports on the two items match since both will have no port.

The hostname will also match, because there is none in the file:// protocol. Finally, the protocol schemes of the two match: both are file://.

So, SOP will present no objections to this intermingling.
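
The comparison described above, as an added example (not code from the article, Netsparker or Edge): a field-by-field scheme/host/port check treats any two file:// URLs as same-origin, while a stricter check that treats file:// documents as opaque origins does not. The function names and the sample paths and hostnames are constructed for illustration.

```javascript
// Added example: two same-origin checks run over constructed URLs.
// All paths and hostnames below are made up for illustration.

// Naive check: compare the (scheme, host, port) tuple field by field.
// For file: URLs the host and port are both empty strings, so they "match".
function naiveSameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol &&
         ua.hostname === ub.hostname &&
         ua.port === ub.port;
}

// Stricter check: only schemes that carry a real network host get a tuple
// origin. Anything else (file:, data:, ...) is an opaque origin that never
// equals another document's origin.
const TUPLE_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:', 'ftp:']);

function strictSameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  if (!TUPLE_SCHEMES.has(ua.protocol) || !TUPLE_SCHEMES.has(ub.protocol)) {
    return false; // opaque origin: no cross-document access
  }
  return ua.origin === ub.origin; // origin normalizes default ports
}

function compare(a, b) {
  return { naive: naiveSameOrigin(a, b), strict: strictSameOrigin(a, b) };
}

// Constructed sample pairs.
const SAMPLES = {
  // Downloaded attachment vs. another local file: the case in the article.
  localFiles: ['file:///C:/Users/alice/Downloads/attachment.html',
               'file:///C:/Users/alice/Documents/notes.txt'],
  // Ordinary web pages on the same site.
  sameSite: ['https://example.com/a', 'https://example.com:443/b'],
  // Same host, different port: different origin under both checks.
  otherPort: ['https://example.com/a', 'https://example.com:8443/a'],
};

for (const [name, [a, b]] of Object.entries(SAMPLES)) {
  console.log(name, compare(a, b));
}
```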

The researcher felt that the Mail and Calendar app would sound the alarm if it was forced into executing a malicious HTML file. That didn't happen.

As Albeniz put it:

When I sent the email as an attachment and waited until a user opened it, it would immediately send local files of my choosing [from the target machine —ed.] to my server, where I could store and read them. There is probably no antivirus program that would recognize my file as malicious, and, I could extract the files over a secure HTTPS connection. This is what makes this attack so stealthy!

This approach requires the attacker to know where the file desired is located, but there are routine locations used in many OS configurations.

So, while the approach may not serve well as a vehicle for the wide distribution of malware, a more specific approach designed for a high value target -- especially if it is used after some directory traversal recon malware has been first run on the target machine -- seems possible.

Albeniz writes that this vulnerability has already been fixed by Microsoft in both Edge and Mail and Calendar.

So, mitigation is straightforward. Use the latest versions of the programs, and don't open unknown HTML files in email. But be aware that this sort of attack is possible -- and deadly.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
