Microsoft will not patch a security bypass vulnerability in Edge which could allow the disclosure of confidential information.
Cisco Talos researcher Nicolai Grødum disclosed details around the vulnerability in Edge which could allow an attacker to trigger an information disclosure leak in Edge if they tweaked the browser's Content-Security-Policy (CSP) header with the ‘unsafe-inline' CSP directive to allow for inline script code, according to a Sept. 6 blog post.
“An attacker may be able to exploit the vulnerabilities and bypass the Content Security Policy set by the server which may lead to disclosure of confidential information,” the post said. “Microsoft stated that this is by design and has declined to patch this issue.”
There are three main components necessary in order to exploit the bug. An attacker would first need to set the the Content-Security-Policy for the browser with "unsafe-inline" directive to allow for inline script code, then using window.open() to open a blank new window, and finally calling the document. write function to write code into the newly created blank window object in order to bypass CSP restrictions put on the document, the post said.
The bug also affects older versions of Webkit browsers including Google Chrome and Apple Safari. Cisco Talos researchers recommend the use or browsers with more complete support for the Content security policy mechanism as well as browsers that keep up to date with all newly discovered security vulnerabilities.
“Our engineers reviewed the information and determined this does not pose a security threat and we do not plan to address it with a security update,” Microsoft told SC Media. The firm added that the severity of the issue is low since it requires a modifier on the policy that relaxes it