[LINK] A Case Study in 'Insecurity by Design'

Roger Clarke Roger.Clarke at xamax.com.au
Thu Sep 7 10:31:35 AEST 2017


[I've been using the term 'insecurity by design' for some time now, to convey that a great deal of what consumer devices suffer from isn't 'bugs', or bugs retrospectively re-named features, but actual 'features', intentionally put there in order to ensure that parties other than the user of the device and software have power over its behaviour.

[Here's a nice addition to the document collection.

[Note that Microsoft is merely more brazen than Google, Apple, Mozilla and all the other consumer-hostile providers.  Those suppliers pay lip-service, and 'fix' their designed-in insecurity 'features' when they become sufficiently widely known to become embarrassing.]


Microsoft won't patch Edge XSS vulnerability
Content security policy bypass is 'by design'.
Juha Saarinen
itNews
Sep 7 2017
https://www.itnews.com.au/news/microsoft-wont-patch-edge-xss-vulnerability-472746

Cisco Talos security researchers have found a way to bypass the content security policy defence mechanism that protects against cross site scripting attacks in multiple web browsers.

The flaw has been patched in recent versions of Google Chrome and WebKit-based browsers (such as Apple Safari for macOS and iOS), but not in Microsoft's Edge for Windows 10.

"Microsoft stated this is by design, and has declined to patch this issue," Talos said.
CSP prevents cross-site scripting attacks by whitelisting servers that can be used as sources for client-side web application code.

To exploit the vulnerability, a web page can be coded to set the browser CSP to unsafe-inline which allows for inline scripts to run.

The web page will then load a new document with the window.open Javascript method, adding code to it with document.write to enable cross-site communications. 

Talos researcher Nicholas Grødum said while browsers such as Firefox work as per the explicit W3C specifications and inherit CSP restrictions from the loading document, Microsoft Edge does not. 

Talos reported the vulnerability to Microsoft in November last year. Microsoft confirmed the issue in January 2017, but said in March this year that it did not consider it a vulnerability.

Cross-site scripting (XSS) is a widespread attack vector against web applications, and can be used to run malicious scripts that glean sensitive information from browsers, unbeknownst to users.

-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University



More information about the Link mailing list