Microsoft often touts the security capabilities of its Microsoft Edge web browser. At the moment, it seems the company has good reason to. A new phishing technique has been discovered that aims to trick users into handing over data. Microsoft has pre-empted this attack as Edge is already protected against the technique.
The phishing in question is a spoofing attack discovered by security researcher Rafay Balock. He produced the attack on Microsoft Edge and reported it to Microsoft. In its August security cumulative updates, the company was able to issue a mitigation.
Baloch says the spoofing attack targets the browser address bar. Bad actors can trick users by manipulating the address bar to let them think they are on a legitimate website.
The researcher published a paper title “Bypassing Browser Security Policies For Fun And Profit“.
https://www.youtube.com/watch?v=Ni2XzF5-ixY
In the paper, Baloch shows how he found address bar spoofing techniques. He details how one vulnerability is found in Microsoft Edge and Apple’s Safari.
“During my testing, it was observed that both Edge and Safari browser allowed javascript to update the address bar while the page was still loading. Upon requesting data from a non-existent port the address was preserved and hence a due to race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing.
“It causes browser to preserve the address bar and to load the content from the spoofed page. The browser will however eventually load the resource, however the delay induced with setInterval function would be enough to trigger the address bar spoofing.”
Fix
The good news for users of both browsers is that they are shored up against the vulnerability. Microsoft protected Edge with the release of a mitigation against CVE-2018-8383 last month.
Baloch says he informed Microsoft of the flaw on June 9 and was working on Google’s Project Zero principal. That means Microsoft had 90 days to respond to the vulnerability. This is actually a security method Redmond disagrees with, but the fix was issued on Patch Tuesday (Aug 14).
