Let's face it: application vulnerabilities have become a fact of life. When Microsoft released Edge, the browser built to replace Internet Explorer, it shipped with new features and enhancements, but it also brought along an unexpected vulnerability that lets attackers steal files from a user's local disk.

The Microsoft Edge vulnerability

Browsers enforce a security boundary called the Same Origin Policy (SOP): a script running in a page from one origin may read data from another page only if both pages share the same protocol, host, and port. The policy is what keeps a page you are viewing from reading your webmail or your bank session in another tab. Long story short, Edge's SOP enforcement breaks down when a user saves a malicious HTML file to disk and opens it locally: the file is then loaded from a file:// URL, and Edge did not isolate local files from one another, so script in the downloaded page could read other files on the same machine.
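The origin comparison that SOP rests on is easy to state and easy to get subtly wrong. The following is an added example written for this post, not code from Microsoft or from Albeniz's research: it implements the scheme/host/port rule with the standard URL API and contrasts it with a naive comparison of serialized origin strings. The point it demonstrates is that file:// URLs have an opaque origin (serialized as the string "null"), so a comparison that only checks string equality treats every local file as same-origin with every other local file, which is the class of mistake behind a local-file read such as the one described above. The sample URLs are constructed for the example.

```javascript
// Added example (not the page's or Microsoft's code): same-origin
// comparison done correctly versus naively. Uses the global WHATWG URL
// class available in modern browsers and in Node.js.

// Default port for a scheme, used so "https://a.com" and
// "https://a.com:443" compare equal.
function defaultPort(protocol) {
  const table = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };
  return table[protocol] || "";
}

// Origin of a URL as a (scheme, host, port) triple, or null when the
// origin is opaque. The URL API serializes opaque origins (file:, data:,
// and similar) as the literal string "null".
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.origin === "null") return null;
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname,
    port: u.port || defaultPort(u.protocol),
  };
}

// Correct rule: two URLs are same-origin only when scheme, host and port
// all match, and an opaque origin never matches anything, not even itself.
// Two local HTML files therefore must NOT be allowed to read each other.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Naive rule: compare the serialized origin strings. This is fine for
// http(s) URLs but makes every file: URL same-origin with every other
// file: URL, because both serialize to "null".
function naiveSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Constructed sample: a downloaded page and a sensitive local file.
const DOWNLOADED_PAGE = "file:///C:/Users/victim/Downloads/invoice.html";
const LOCAL_SECRET = "file:///C:/Users/victim/Documents/passwords.txt";

// Stand-alone demonstration.
function demo() {
  return {
    httpsDefaultPort: sameOrigin("https://example.com/a", "https://example.com:443/b"),
    schemeMismatch: sameOrigin("http://example.com/", "https://example.com/"),
    subdomainMismatch: sameOrigin("https://example.com/", "https://api.example.com/"),
    localFilesCorrect: sameOrigin(DOWNLOADED_PAGE, LOCAL_SECRET),
    localFilesNaive: naiveSameOrigin(DOWNLOADED_PAGE, LOCAL_SECRET),
  };
}

console.log(demo());
```

The design choice worth noting is in `sameOrigin`: an opaque origin is rejected outright rather than compared, which is what the HTML standard requires and what a browser must do for local files. A browser that instead lumps all file:// content into one origin lets any HTML file a user opens from disk read any other readable file on that disk.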

When the user downloads this HTML file and opens it on their system, the script it carries can read files on that user's machine and send them to the attacker. The vulnerability was discovered by security researcher Ziyahan Albeniz, who demonstrates his proof of concept for this attack in a video.

Scope of email-based attacks

Email is a common vector for phishing attacks: messages are sent to targeted audiences with attachments that carry malicious intent. DOC, PDF, XLS, and ZIP files have long been the usual carriers, but HTML attachments are now a growing means for attackers to breach computers. Malicious code embedded in an HTML file gives attackers an advantage because the format is less widely expected by users and mail filters, and so draws less suspicion; once opened, the file runs in the user's browser with no further step required.

How to avoid this Microsoft Edge breach

Applying the patches Microsoft has already released for Edge and for the Mail and Calendar apps closes this hole. According to Albeniz, the best way to avoid this kind of threat is to never download attachments from unknown senders; HTML attachments in particular deserve suspicion, because opening one is enough to run whatever script it contains.

If deploying patches across a fleet of remote machines seems daunting, Patch Manager Plus can automate the entire patch management process, from identifying missing patches to deploying them to those machines.

Download the trial version of Patch Manager Plus to fix the Microsoft Edge vulnerability now. For smaller businesses with 25 or fewer computers, Patch Manager Plus is completely free to use.