Dynamics of Google, Apple and Microsoft when the browser has a security error
While Apple and Google urgently sought to patch security holes in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033) browsers, Microsoft did not notice. This security vulnerability was discovered by Cisco Talos researchers in Safari, Chrome, and Edge browsers, but Microsoft believes that this security is due to design.
According to researcher Nicolai Grødum at Cisco Talos, this vulnerability is classified as a exit from CSP (Content Security Policy) - a mechanism that allows web developers to configure HTTP headers and instruct users to access Source browser (JavaScript, CSS). Content security policy (CSP) is one of the tools that browsers use to implement SOP - Same-Origin Policy within the browser.
Grødum said he found out how an attacker who bypassed CSP, downloaded malicious JavaScript code on a remote site and performed intrusion operations such as collecting information from the user's cookie or recording the syntax press key in page structure, .
Exploiting vulnerabilities is quite simple
Exploiting this vulnerability in the browser is quite simple - at least for those with a background in web development. An attacker just needs to open a new website via the '_blank' method and use the document.write function to write malicious code inside this page before downloading the actual content. Malicious content (also known as initial XSS attack code) remains and helps attackers overcome CSP protection.
Grødum found the vulnerability in November last year. This issue is ranked seriousness CVSS is 4.3 / 10.
Users of the Edge browser are easily vulnerable to this vulnerability while Google Chrome users 57.0.2987.98, iOS 10.3, and Safari 10.1 or newer are all protected. And Firefox is lucky to be unaffected.
You should read it
- Chrome and Firefox have a serious security flaw, there is no way to fix it
- Summarizing the Pwn2Own 2019: Safari, VirtualBox was 'pierced' on the first day, Firefox, Edge on the second day and Tesla Model 3 'closed the window'
- Vulnerabilities discovered in many web browsers that allow users to be tracked through installed applications
- Find security holes on every site with Nikto
- Protect your Web browser
- The unsafe 'feature' on UC Browser allows hackers to take control of Android phones remotely
- IBM developed a new technology to patch security holes
- Microsoft introduced a tool to fix security holes in IE 9 and 10
- 5 common errors in managing security vulnerabilities
- HP publishes a series of critical vulnerabilities in the Teradici PCoIP protocol
- If you are using Firefox, update it immediately to fix security
- How to fix BlueKeep security error for Windows 2003, Windows XP, Windows 7, Windows Server 2008
Maybe you are interested
iPhone security tips you're missing out on
This list of common passwords shows how little we understand about online security
Download free Windows Server 2025 security guide
5 Misconceptions About Password Security
Should I buy a USB, Bluetooth or NFC security key?
4 Security Steps to Follow When Using Remote Access Applications