Local files exposed to hackers
Enterprise network security experts from the International Institute of Cyber Security report that Microsoft has patched a critical vulnerability in its Edge browser that could be used against earlier versions of the software to steal files stored on a user’s computer.
The good news is that the possible exploitation of the vulnerability depends on social engineering, which means that the attack cannot be automatically deployed; therefore its danger level is considered low for regular computer users.
The flaw is related to the Same Origin Policy (SOP)
Specialists in enterprise network security comment that the vulnerability involves the Same Origin Policy (SOP), which every browser supports. In Edge, as in any other browser, SOP works by preventing an attacker from loading malicious code through a link that does not match the same domain, port, and protocol.
SOP implementation in Edge works as planned, with just one exception — when users download a malicious HTML file on their PC and then run it. When the user executes this HTML file, its malicious code is loaded through the file:// protocol, and as it is a local file, it has no domain and port value. This means that this malicious HTML file may contain code to collect and steal data from local files that can be accessed via file:// URL. As you can access any operating system file through a file:// URL within a browser, this gives the hacker access to collect and extract any local file.
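The origin comparison described above, as an added example that is not Edge's code or anything from the original report. The function names and sample paths are constructed for illustration, and treating file: URLs as opaque origins is a common hardening assumed here, not a description of Microsoft's patch.

```javascript
// SOP compares the (scheme, host, port) tuple of two URLs.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originTuple(href) {
  const u = new URL(href);
  return {
    scheme: u.protocol,
    host: u.hostname,
    // URL.port is "" when the default port is used, so normalise it.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Naive check: tuple comparison only. For file: URLs host and port are both
// empty, so every local file compares equal to every other local file.
function naiveSameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Hardened check (assumption, see lead-in): a file: URL has an opaque origin
// that never matches another URL, so local pages cannot read other local files.
function strictSameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  if (x.scheme === "file:" || y.scheme === "file:") return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample: a downloaded HTML page and an unrelated local document.
const page = "file:///C:/Users/alice/Downloads/page.html";
const target = "file:///C:/Users/alice/Documents/notes.txt";

console.log("naive :", naiveSameOrigin(page, target));   // allowed
console.log("strict:", strictSameOrigin(page, target));  // blocked
console.log("web   :", strictSameOrigin("https://example.com/a",
                                        "https://example.com:443/b"));
```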
Useful vulnerability in targeted attacks
Experts in enterprise network security say that during the testing process they were able to steal data from local computers and send it to a remote server when running this file in Edge and in the Mail and Calendar app.
Fully exploiting the vulnerability requires the hacker to know where the files are stored, but in most cases some operating system configuration and storage files, and apps, are stored in the same location on almost all devices. In addition, the location of some files can simply be deduced or guessed. The flaw could be useful in more targeted attacks against victims working with valuable assets.
Although Microsoft has dealt with this issue in the latest versions of the Edge and Mail and Calendar apps, enterprise network security specialists warn users about the dangers of executing HTML files they receive from strangers or by email, a valid warning, as HTML files are generally not associated with common malware distribution campaigns.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.