Microsoft Edge Browser Permission Backdoor Can Allow Remote Attacks to Steal Data

It has been nearly a week since security researcher John Page reported that he had found an Internet Explorer XML eXternal Entity (XXE) vulnerability. A new layer of this vulnerability has been recently discovered and the implications are far more serious. A Microsoft Edge feature may threaten Internet Explorer’s security.

The vulnerability is a XML eXternal Entity or XXE attack. The attack occurs when an XML parser processes an XML input that includes a reference to an external entity. This type of attack could lead to the unwanted disclosure of sensitive information and a slew of other issues. In Page’s demonstration, he opened a malicious MHL file with a file manager. Internet Explorer automatically uploaded several files to a remote server.

Page also noticed a peculiarity. When he downloaded and opened the file through Internet Explorer, information was not sent to the remote server. However, when Page downloaded the file through Microsoft Edge and opened it through Internet Explorer, the exploit worked as it was intended. This vulnerability was also tested by Mitja Kolsek the CEO of ACROS Security, and they reached the same conclusion.

Read more at Hot Hardware

Homeland Security Today

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

See Full Bio