Number: AV19-077
Date: 11 April 2019
Proof of Concept code has been released for a vulnerability that allows JavaScript embedded in a malicious web page to gather information about other web pages the user has visited. Microsoft has not released any patches to address the vulnerability.
This vulnerability can be exploited by a malicious website opened in Internet Explorer or Edge to collect potentially sensitive information from other sites visited by the targeted user. The malicious actor would have to convince the victim to visit a malicious website while an open session to other websites exists in the target user's browser. Examples of vulnerable information that might be stored in the URL include cookies, session IDs, usernames, passwords, and OAuth tokens, either in plaintext or hashed form. Most properly configured websites would not store credentials in a session cookie or URL and would not be susceptible to this type of information disclosure.
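The mitigation the advisory points to is on the web application side: keep credentials out of URLs, including the fragment where OAuth implicit-flow responses land. The following audit helper is an added example, not part of the advisory or of any Microsoft code; the parameter word list and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Name fragments that usually mark a credential-bearing parameter (a constructed
# list for this example; extend it with your own application's parameter names).
SENSITIVE_WORDS = {"session", "sessionid", "sid", "token", "auth", "password",
                   "passwd", "pwd", "apikey", "secret", "oauth", "jwt"}

def is_sensitive_name(name):
    """True when any '_' / '-' / '.' separated word of the parameter name is a credential word."""
    words = re.split(r"[_\-.]", name.lower())
    return any(w in SENSITIVE_WORDS for w in words)

def find_sensitive_params(url):
    """Return [(section, name)] for query or fragment parameters that look like credentials."""
    parts = urlsplit(url)
    hits = []
    for section, raw in (("query", parts.query), ("fragment", parts.fragment)):
        for name, _value in parse_qsl(raw, keep_blank_values=True):
            if is_sensitive_name(name):
                hits.append((section, name))
    return hits

def scrub_url(url):
    """Return the URL with credential-looking parameters dropped from query and fragment."""
    parts = urlsplit(url)
    def clean(raw):
        kept = [(n, v) for n, v in parse_qsl(raw, keep_blank_values=True)
                if not is_sensitive_name(n)]
        return urlencode(kept)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       clean(parts.query), clean(parts.fragment)))

# Constructed URLs standing in for what a site's pages expose in the browser address bar.
SAMPLE_URLS = [
    "https://app.example.test/account?view=summary&author=smith",
    "https://app.example.test/login?user=alice&password=hunter2",
    "https://app.example.test/cb#access_token=abc.def&expires_in=3600",
]

def audit(urls):
    """Map each offending URL to the names of the parameters that should not be there."""
    return {u: [n for _, n in find_sensitive_params(u)]
            for u in urls if find_sensitive_params(u)}

if __name__ == "__main__":
    for url, names in audit(SAMPLE_URLS).items():
        print(f"{url}\n  leaks {names} -> safe form: {scrub_url(url)}")
```

Run it over URLs collected from a crawl or front-end telemetry rather than server access logs, since browsers never send the fragment to the server and a log-based check would miss the OAuth case.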
Microsoft has responded to industry requests with the following statement:
"The issue described does not meet our criteria for servicing and requires an attacker to convince a victim to visit a malicious website. We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers."
Microsoft has also pointed users who may be concerned about this vulnerability to its online safety resources.
https://www.microsoft.com/en-us/digital-skills/online-safety-resources
Note to Readers
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada’s national authority on cyber security and we lead the government’s response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.