Researchers are encouraging Edge browser users to update their systems to protect themselves from CVE-2018-8235, an odd bug that uses abnormally-formed audio files to enable a remote attacker to pull content from other open tabs.
The problem, given the moniker Wavethrough, is described as “A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka ‘Microsoft Edge Security Feature Bypass Vulnerability,’” according to the official Microsoft description.
The vulnerability, which primarily effects Edge and to a lesser extent Firefox, was fixed with Microsoft’s June Patch Tuesday rollout, but if left open would allow a malicious site to use service workers to load a specific type of malformed multimedia file inside audio tags that can bypass the Cross-Origin Resource Sharing browser security feature, ESET reported. This has only been accomplished as a proof of concept.
“Under normal circumstances, this wouldn’t be possible because of CORS —Cross-Origin Resource Sharing— a browser security feature that prevents sites from loading resources from other sites,” reported Bleeping Computer,” adding, “But in this weird configuration, the attacker’s site is able to issue ‘no-cors’ requests that the receiving site —such as Facebook, Gmail, or BBC— will honor without any problems.”
Google Developer Jake Archibald discovered the issue.