Stories
Slash Boxes
Comments

SoylentNews is people

What Website Are You Really on? Edge Zero-Day Leaves Windows Users With No Clue

posted by chromas on Thursday May 03 2018, @09:50PM   Printer-friendly
from the running-windows—I-mean-javascript—I-mean-malware dept.

fyngyrz writes:

From The Daily Swig:

A serious vulnerability in the latest version of Microsoft Edge [a Windows web browser ed] enables attackers to spoof URLs with just five lines of code. The flaw, discovered by Argentine researcher Manuel Caballero, can make a malicious website appear to be legitimate through the use of the Stop() command, which interrupts the page loading process. With the target URL still appearing in the address bar, the document.write() JavaScript command can then be used to overwrite the contents of the page.

[...] With this bug, probably the only truly safe way reach any website using Edge is to open a new tab and type the URL by hand, or access it through your bookmarks.

This vulnerability appeared in a recent "security" update from Microsoft; users of Edge might want to investigate what version they are using.

Original Submission

 
This discussion has been archived. No new comments can be posted.
What Website Are You Really on? Edge Zero-Day Leaves Windows Users With No Clue | Log In/Create an Account | Top | 41 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by JNCF on Friday May 04 2018, @12:45AM (2 children)

    by JNCF (4317) on Friday May 04 2018, @12:45AM (#675404) Journal

    I considered including something like your comment in my original post, but decided against it because while I gag at the thought of using Windows I recognise that some people have proprietary software needs that can only be met by Windows without building something from scratch. Edge doesn't offer this -- it preforms better than competitors at some tasks (or at least used to), but whatever differences there are in feature sets should be rectified before those features are used for anything other than demos. The only reasonable use case for Edge that I see is testing compatibility so that your site works even for broken users. I see horrifying-yet-reasonable use cases for Windows, like running some piece of hardware that requires drivers and software not designed for decent operating systems. Luckily I don't have to deal with these cases, so I only run Windows in Vagrant boxes for compatibility testing.

    Just to be clear, I didn't mod you flamebait.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by MichaelDavidCrawford on Friday May 04 2018, @05:35AM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Friday May 04 2018, @05:35AM (#675514) Homepage Journal

    I expect to get a USB 3 protocol analyzer sometime this year but to the best of my knowledge they only work with windows.

    You need Windows to use TI's Code Composer Studio to write firmware on top of TI RTOS Kernel. I really enjoyed coding for DSP/BIOS, a previous name before they called it SYSBIOS and now TI RTOS Kernel.

    --
    Yes I Have No Bananas. [gofundme.com]

  • (Score: 1, Interesting) by Anonymous Coward on Friday May 04 2018, @10:42AM

    by Anonymous Coward on Friday May 04 2018, @10:42AM (#675577)

    > Edge doesn't offer this

    Proprietary web interface to Oracle database that requires MS browser to view. The reason that it requires MS browser is because this is the only one that will accept the insecure "security certificate". I think it is an issue with protocol rather than signing authority - firefox doesn't give me a decent error message any more, but I don't think it can be worked around even by hacking firefox browser options. I know, it's a shitfest.