Microsoft Edge bug odyssey shows why we can't have nice things
Fixing security issues in the face of standards gaps and vendor silence isn't easy
Updated Earlier this year, Jake Archibald, developer advocate for Google Chrome, found a bug affecting Mozilla Firefox and Microsoft Edge – and had two very different experiences trying to get the problem fixed.
Mozilla, he said this week in a blog post recounting the saga, responded within three hours. And because the browser maker received word when Firefox 59 was in beta release, it was able to address the issue shortly thereafter, in time for the version 59 stable release.
Microsoft, on the other hand, wasn't very communicative, with Archibald or itself.
Archibald said he reported the issue through Edge's bug tracker on March 1, and also notified firstname.lastname@example.org, the email address Microsoft offers for vulnerability reporting.
"I got an email from Microsoft security later that day saying that they don't have access to Edge's bug tracker, and asked if I could paste the details into an email for them," he said. "So yeah, Microsoft's security team don't have visibility into Edge security issues."
He sent the vulnerability details he had submitted previously via email.
The following day, he was told Microsoft couldn't investigate without the source code for the proof-of-concept webpage that demonstrated the security bug – which would have been evident via the browser's "view source" command.
Nonetheless, Archibald sent a copy of the source code, and 20 days of silence followed.
After contacting people he knew on the Edge team, he finally got word from Microsoft that it intended to fix the problem. Since he was eligible for a bounty for finding the bug, he asked whether he could nominate a charity to receive the award. Another two weeks of silence followed.
Microsoft finally informed him that it couldn't give the award to a charity despite the fact that its bug reporting documentation said that was possible.
On April 12, he took to Twitter to complain about the lack of responsiveness from the Edge team. The criticism managed to get the attention of some Microsoft engineers, and even acknowledgement that the company's response was suboptimal.
Finally, on June 12, Microsoft fixed the vulnerability in Edge, which could have been abused to force the browser to transmit private data.
Archibald contends the bug is significant. "It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing," he said.
The bug itself arose from the fact that the Range HTTP request header was never standardized for HTML.
"We know what the headers look like, and when they should appear, but there's nothing to say what a browser should actually do with them," explained Archibald.
In the context of media data like audio or video, specifying a range parameter allows the return of a specific range of bytes, which could be useful to listen to a specific portion of a song, for example. But lack of detail about how browsers should handle partial content meant that at least in Firefox and Edge, known data could be mixed with unknown data. Archibald described several attack scenarios in a GitHub issues post.
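To make the range mechanics concrete, here is an added example (not from Archibald's post or any browser's code) that parses a Range request and a Content-Range response, then applies one consistency check a client could use before splicing a partial response onto earlier bytes. The function names, the same-origin policy shown and the sample URLs are assumptions for illustration, not the fetch spec's algorithm.

```javascript
// Added illustration; parseRange, parseContentRange and acceptChunk are hypothetical names.
// Parse a single-range request header: "bytes=0-499", "bytes=500-" or "bytes=-200".
function parseRange(header, totalLength) {
  const m = /^bytes=(\d*)-(\d*)$/.exec(header.trim());
  if (!m || (m[1] === '' && m[2] === '')) return null;
  let start, end;
  if (m[1] === '') {                        // suffix form: the last N bytes
    const n = Number(m[2]);
    if (n === 0) return null;
    start = Math.max(totalLength - n, 0);
    end = totalLength - 1;
  } else {
    start = Number(m[1]);
    end = m[2] === '' ? totalLength - 1 : Math.min(Number(m[2]), totalLength - 1);
  }
  return start <= end ? { start, end } : null;
}

// Parse a response header such as "bytes 0-499/1234" ("*" means unknown total).
function parseContentRange(header) {
  const m = /^bytes (\d+)-(\d+)\/(\d+|\*)$/.exec(header.trim());
  if (!m) return null;
  const start = Number(m[1]), end = Number(m[2]);
  const total = m[3] === '*' ? null : Number(m[3]);
  if (start > end || (total !== null && end >= total)) return null;
  return { start, end, total };
}

// Decide whether a partial response may be appended to a resource being assembled.
// `first` holds the origin and total length recorded from the first chunk (assumed policy).
function acceptChunk(first, wanted, response) {
  if (response.status !== 206) return 'reject: not partial content';
  const cr = parseContentRange(response.headers['content-range'] || '');
  if (!cr) return 'reject: bad Content-Range';
  if (new URL(response.url).origin !== first.origin) return 'reject: origin changed';
  if (cr.total !== first.total) return 'reject: total length changed';
  if (cr.start !== wanted.start || cr.end > wanted.end) return 'reject: range mismatch';
  return 'accept';
}

// Constructed sample: the same ranged request answered from two different origins.
function demo() {
  const first = { origin: 'https://media.example', total: 1000 };
  const wanted = parseRange('bytes=500-', first.total);
  const headers = { 'content-range': 'bytes 500-999/1000' };
  return [
    acceptChunk(first, wanted, { status: 206, url: 'https://media.example/a.mp3', headers }),
    acceptChunk(first, wanted, { status: 206, url: 'https://other.example/x', headers }),
  ];
}
```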
In an email to The Register, Archibald said he has added steps to the fetch spec to block Attack 4, but either he or someone else needs to craft code to deal with the other scenarios. He has also filed bug reports for all four major browsers – Chrome, Edge, Firefox and Safari – to ensure the spec changes get accommodated.
"The filings against all browsers also cover the case where range requests can pass through a service worker, which no browsers allow right now," he said. "The same fixes cover the non-service-worker cases in Edge and Firefox."
Asked how Microsoft might improve its bug reporting protocol, Archibald asked for better communication. "The important thing is to keep the reporter in the loop with browser engineers," he said. "This is what Chrome and Firefox do."
The Register asked Microsoft to comment. We haven't heard back. ®
Updated to add
Microsoft has sent us the following statement, confirming it fixed the hole in this month's Patch Tuesday:
Microsoft released security updates in June 2018, and customers who have Windows Update enabled or who applied the latest security updates are protected automatically.
Final update on June 21
Meanwhile, Jacob Rossi, a Microsoft Edge project manager, told us, via Twitter: "At times through the process we could have been more responsive in our communication with Jake, and we acknowledged this to him and are working to improve. But most of this communication gap was with regard to his desire to disclose the bug irresponsibly."
By irresponsibly, Rossi is referring to Archibald, at one point, suggesting, out of frustration, that he go public with details of the flaw before a patch was ready. "An empty threat to see if there was any way of actually getting a reply," Archibald explained, meaning he had hoped to force Microsoft to respond after 17 days of silence.
Rossi added: "We took this bug seriously, and patched within the industry standard 90-day window. At no point in time did our security team not have access to this bug."