Two zero-day vulnerabilities in the current versions of Microsoft Edge and Internet Explorer could enable outsiders to access confidential information shared between websites, according to new security research highlighted by Trend Micro on Tuesday.
The browser vulnerabilities were first made public March 29 by James Lee, a 20-year-old security researcher who says he first notified Microsoft about the issues 10 months ago. A Trend Micro analysis of the attacks found that if a web user visits a malicious page using either browser, attackers can exploit a weakness known as an Origin Validation Error to gather information about other pages the user has visited. Thieves could use this technique to bypass security measures and steal financial or other personal information, researchers said.
“The browser is not restricting information about the website redirection properly, and instead allows [hackers] to access information about the client’s activities on other websites,” Trend Micro said in a blog post. “In a malicious attack scenario, the attacker could also receive the information directly. There would be no pop-up and the user would be unaware of any compromise.”
Microsoft has not released a security update for these vulnerabilities, but Trend Micro said one mitigation is to avoid using the Edge or Internet Explorer browsers until a patch is available. Microsoft did not respond early Tuesday to a request for comment from CyberScoop.
This research was made public roughly a week after computer experts at the Pwn2Own competition executed successful attacks against Edge as well as Mozilla’s Firefox and Apple’s Safari browsers. In all three cases, researchers who had spent months working on their techniques redirected the browsers to malicious websites laced with malware.