
SoylentNews is people

posted by chromas on Thursday May 03 2018, @09:50PM
from the running-windows—I-mean-javascript—I-mean-malware dept.

From The Daily Swig:

A serious vulnerability in the latest version of Microsoft Edge [a Windows web browser ed] enables attackers to spoof URLs with just five lines of code. The flaw, discovered by Argentine researcher Manuel Caballero, can make a malicious website appear to be legitimate through the use of the Stop() command, which interrupts the page loading process. With the target URL still appearing in the address bar, the document.write() JavaScript command can then be used to overwrite the contents of the page.

[...] With this bug, probably the only truly safe way to reach any website using Edge is to open a new tab and type the URL by hand, or access it through your bookmarks.

This vulnerability appeared in a recent "security" update from Microsoft; users of Edge might want to investigate what version they are using.


  • (Score: 2) by stormwyrm on Friday May 04 2018, @01:24AM (1 child)
    You clearly don't use Microsoft Edge, given your reference to Noscript, for which no remotely equivalent extension seems to exist on Edge, so you aren't affected by this idiocy and have at least some assurance that you are on the website shown in the address bar, a bit stronger assurance if you are on HTTPS and the site you're connected to has a valid cert, depending on what CA signed the cert. But with this new Edge bug, you wouldn't even have that kind of flimsy assurance. Edge's address bar might seem to say that you're on your bank's website, when in reality, Edge has you connected to some random joker phishing for your passwords, and you'd be none the wiser. Those fools at Microsoft can never seem to get anything right.
    --
    Numquam ponenda est pluralitas sine necessitate.
  • (Score: 0) by Anonymous Coward on Friday May 04 2018, @08:22AM

    That bit about not being able to trust the address bar was the first thing that sullied my acceptance of JavaScript.

    I took a class in JavaScript at the local Community College, and when I learned the mischief I could do with it, I failed to see why ANY "Reputable" business would have it on their site. I saw it as the language of tinkerers, pranksters, and thieves. In all my naivety I never thought that ANY reputable business would have anything to do with it. To me it was like a child care business hiring known sex molesters (well, because they showed an "interest" in the kids and worked for cheap).

    Yet, on the web, the "child care" businesses got Congress to approve "hold harmless" for them, and hired these molesters right and left, hence we have all this malware spreading via hostile "ads" - as sending your customer content by an "ad" is still seen as a businesslike and hold-harmless thing - and they know our Congress is too weak-willed to tell the business community things like "You straighten up your act, or all that legislation you had us pass about criminalizing reverse-engineering content is OUT THE DOOR! Those people are only trying to protect themselves from the crap you are sending them!". Even though Congressmen love to bandy the term "Elect ME and I will FIGHT for you!" before an election, I don't see too many putting up much of a fight for anything once they are in office. The Congressional hand extends, and if there is money in it when it retracts, it will sign a "law" into effect. And we are all expected to obey it, even though it's a one-sided law, deliberately crafted to give one side artificial enforced monopoly.

    One guy (I believe on this site) made an insightful observation... something down the line of "In its magnanimous equality, the LAW equally forbids both rich and poor from sleeping under bridges."