On 30th March 2019, a security researcher published details and proof-of-concept exploits for two ‘unpatched’ zero-day vulnerabilities in Microsoft’s web browsers after the company failed to respond to his responsible private disclosure. The two unpatched vulnerabilities, which affect the latest version of Microsoft Internet Explorer and the latest Edge browser respectively, permit a remote attacker to bypass the same origin policy in the victim’s web browser. The Same Origin Policy (SOP) is a security feature in modern browsers that restricts a webpage or script loaded from one origin from interacting with a resource from another origin, which prevents unrelated websites from interfering with each other. Put simply, when you visit a website in your web browser, that site can only request data from the same domain it was loaded from, which stops it from making unauthorized requests on your behalf in an attempt to steal your data from other websites.
According to details shared by James Lee, the 20-year-old security researcher who discovered them, the vulnerabilities could allow a malicious website to perform universal cross-site scripting (UXSS) attacks against any domain visited using the vulnerable Microsoft web browsers. To exploit these vulnerabilities, an attacker only needs to convince a victim to open a malicious website the attacker has created, which then allows the attacker to steal the victim’s data, such as login sessions and cookies, from other sites visited in the same browser.
The researcher contacted Microsoft and shared his findings with the company about 10 months ago. The tech giant ignored the issues and has not responded to the disclosure to date, leaving both flaws unpatched.