SoylentNews is people

posted by chromas on Thursday May 03 2018, @09:50PM
from the running-windows—I-mean-javascript—I-mean-malware dept.

From The Daily Swig:

A serious vulnerability in the latest version of Microsoft Edge [a Windows web browser ed] enables attackers to spoof URLs with just five lines of code. The flaw, discovered by Argentine researcher Manuel Caballero, can make a malicious website appear to be legitimate through the use of the Stop() command, which interrupts the page loading process. With the target URL still appearing in the address bar, the document.write() JavaScript command can then be used to overwrite the contents of the page.

[...] With this bug, probably the only truly safe way to reach any website using Edge is to open a new tab and type the URL by hand, or access it through your bookmarks.

This vulnerability appeared in a recent "security" update from Microsoft; users of Edge might want to investigate what version they are using.


  • (Score: 0) by Anonymous Coward on Friday May 04 2018, @08:22AM (#675542)

    That bit about not being able to trust the address bar was the first thing that sullied my acceptance of JavaScript.

    I took a class in JavaScript at the local Community College, and when I learned the mischief I could do with it, I failed to see why ANY "Reputable" business would have it on their site. I saw it as the language of tinkerers, pranksters, and thieves. In all my naivety I never thought that ANY reputable business would have anything to do with it. To me it was like a child care business hiring known sex molesters ( well, because they showed an "interest" in the kids and worked for cheap. )

    Yet, on the web, the "child care" businesses got Congress to approve "hold harmless" for them, and hired these molesters right and left, hence we have all this malware spreading via hostile "ads" - as sending your customer content by an "ad" is still seen as a businesslike and hold-harmless thing - and they know our Congress is too weak-willed to tell the business community things like "You straighten up your act, or all that legislation you had us pass about criminalizing reverse-engineering content is OUT THE DOOR! Those people are only trying to protect themselves from the crap you are sending them!". Even though Congressmen love to bandy the term "Elect ME and I will FIGHT for you!" before an election, I don't see too many putting up much of a fight for anything once they are in office. The Congressional hand extends, and if there is money in it when it retracts, it will sign a "law" into effect. And we are all expected to obey it, even though it's a one-sided law, deliberately crafted to give one side an artificial enforced monopoly.

    One guy ( I believe on this site ) made an insightful observation... something down the line of "In its magnanimous equality, the LAW equally forbids both rich and poor from sleeping under bridges."