Microsoft Edge and Internet Explorer Zero-Days Allow Access to Confidential Session Data

On March 30th, security researcher James Lee disclosed information on two zero-day vulnerabilities present in current versions of Microsoft Edge and Internet Explorer. These vulnerabilities make it possible for confidential information to be shared between websites.

A flaw in how these browsers enforce the same-origin policy, classified as an Origin Validation Error (CWE-346), allows JavaScript embedded in a malicious web page to gather information about other web pages the user has visited. If a user visits a malicious page in Microsoft Edge or Internet Explorer, these vulnerabilities may be used to relay sensitive information about the user's browser session back to an attacker. Lee has shared a simple proof-of-concept (PoC) for each vulnerability.

Source: Trend Micro