Vulnerability in Microsoft Edge allows code smuggling

Microsoft has released version 120 of the Edge browser, which fixes several Edge-specific security vulnerabilities in addition to bugs inherited from Chromium. The most serious of these vulnerabilities allowed attackers to smuggle in their own code.

The flaw with the CVE ID CVE-2023-35618 (CVSSv3.1: 9.6), reported to Microsoft by an anonymous security researcher, can allow an escape from the browser sandbox and code execution if attackers phish their victims into navigating to a specially prepared website. However, that is not all: the victim also has to open a file on this website. Microsoft's security notice is silent on which file that is.

At first glance, the severity rating is confusing. While the CVSS scoring system describes the vulnerability as “critical”, Microsoft goes its own way and downgrades the gap to only medium risk. As the Redmond company explains on its Edge bug bounty page, a security vulnerability must be exploitable with one or fewer clicks, key presses or other preconditions in order to be considered critical (“If a bug requires more than a click, a key press, or several preconditions, the severity will be downgraded.”).

For the anonymous reporter, this downgrade means, not least, a financial disadvantage. While Microsoft offers a reward of $30,000 for a well-prepared sandbox escape of critical severity, the amount is reduced to a sixth in the event of a downgrade.

The security vulnerabilities CVE-2023-36880 and CVE-2023-38174 belong more in the “also-ran” category. Both bugs are information leaks of low severity, with 4.8 and 4.3 CVSS points respectively.

To fix the three Edge vulnerabilities and five other security issues that the Microsoft browser inherited via code from the Chromium project, Microsoft has released version 120.0.2210.61 of the browser.

Somewhat hidden in the release notes is the slightly cryptic policy change “Edge 3P SERP Telemetry Enabled”. With this configuration setting, Microsoft gives permission to forward search histories to external parties. Users and system administrators must explicitly deactivate the setting again – otherwise it remains active by default.

Microsoft would soon like to marry its browser with its in-house AI product Copilot but, unlike the telemetry change mentioned above, has publicly announced this step.


(cku)