In August 2023, a new security bug was published in Microsoft's monthly Patch Tuesday updates. This one, tracked as CVE-2023-38173, affects Microsoft Edge on Android and deals with a spoofing vulnerability. While sometimes less flashy than code execution bugs, these kinds of problems can lead to major risks like phishing and credential theft. Let’s break down what CVE-2023-38173 really is, how it works, and what you can do about it — with code examples and direct references.
What is CVE-2023-38173?
CVE-2023-38173 is classified as a "Spoofing Vulnerability" in the Android version of Microsoft Edge. Spoofing bugs let attackers trick users into believing they are interacting with a legitimate website, app, or system, even though they are not.
For this case, the bug specifically allows a malicious website to display a different URL than the one the user is actually visiting. This can be used by attackers to create convincing phishing sites, making it hard for even careful users to spot the difference.
Official Description
> Microsoft’s Advisory says:
> “A spoofing vulnerability exists when Microsoft Edge for Android improperly validates certain web content, allowing an attacker to trick a user by displaying misleading URLs.”
How Could Attackers Exploit CVE-2023-38173?
Here’s a step-by-step breakdown of a probable exploit scenario, based on details from Microsoft and the security community:
1. Attacker creates a malicious webpage that uses specific JavaScript or HTML techniques to spoof the visible URL/address bar.
2. User is tricked into visiting this link using social engineering (like a phishing email or SMS).
3. Edge for Android fails to update the address bar correctly, so it may show the "safe" URL even after being redirected to the malicious one.
4. User enters sensitive information (like passwords) thinking the site is legit, but the data is captured by attackers.
Sample Exploit Code
While Microsoft did not disclose technical details publicly, similar spoofing flaws often use well-known HTML/JavaScript tricks. Here's a generic example (for educational use only!) of how such a spoof might happen:
```html
<!-- index.html -->
<html>
<head>
<title>Redirect Example</title>
<script>
function spoof() {
// Navigate this document to another page shortly after load.
// The point of the bug is that a vulnerable browser may keep showing the
// original URL in the address bar while the new content is already rendered.
// This is a basic illustration; mobile browsers may handle this differently.
location.replace('https://attacker-site.com/fake-login.html');
}
setTimeout(spoof, 100);
</script>
</head>
<body>
<h1>Welcome to <b>microsoft.com</b></h1>
<p>Please log in to continue.</p>
</body>
</html>
```
In a vulnerable version of Edge, the address bar may not update instantly, still showing the original page's URL while the content is already coming from the attacker. The attacker can then add their own branding to the page and capture any credentials the user types in.
Why Is This Serious?
- Phishing: Attackers can make a phishing page look identical to a trusted site, and the browser address bar, a key way users detect phishing, won’t help.
- Brand Trust Loss: Companies like Microsoft may lose user trust if their browser helps attackers.
- Mobile Users More Vulnerable: On phones, address bars are smaller, and users have less space to check for clues.
Official References
- Microsoft Security Guide: CVE-2023-38173
- NVD - CVE-2023-38173
- BleepingComputer coverage
Is There a Patch?
YES. Microsoft patched this bug in August 2023. If you use Microsoft Edge on Android, check your version and make sure you have version 115..1901.188 or later.
- Keep an eye on URLs, even when they appear legitimate; if anything feels off, close the tab.
- Be suspicious of links sent via SMS, social media, or email, especially if you didn’t ask for them.
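For anyone who has to confirm the version check above across managed Android devices rather than one phone at a time, here is an added helper (not code from Microsoft or from the original post) that reads the installed Edge version from `adb shell dumpsys package com.microsoft.emmx` and compares it against the fixed version. The sample dumpsys output and the fixed-version value are constructed placeholders; take the real fixed version from the Microsoft advisory.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed, trimmed sample of `dumpsys package com.microsoft.emmx` output.
# Real output is much longer; only the versionName line matters here.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.microsoft.emmx] (a1b2c3d):
    versionCode=11519010 minSdk=24 targetSdk=33
    versionName=115.0.1901.100
    splits=[base]
"""

# Placeholder only: substitute the fixed version printed in the advisory.
EXAMPLE_FIXED_VERSION = "115.0.1901.188"

_VERSION_RE = re.compile(r"^\s*versionName=(\S+)\s*$", re.MULTILINE)


def parse_version(text: str) -> Optional[str]:
    """Return the versionName from dumpsys package output, or None if absent."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '115.0.1901.188' into (115, 0, 1901, 188); reject malformed strings."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True when installed >= fixed. A truncated version such as '115.0'
    compares lower than the full fixed version, so it is reported unpatched."""
    return version_tuple(installed) >= version_tuple(fixed)


def check_dumpsys(text: str, fixed: str = EXAMPLE_FIXED_VERSION) -> Tuple[Optional[str], bool]:
    """Parse a dumpsys dump and report (installed_version, patched)."""
    installed = parse_version(text)
    if installed is None:
        return None, False  # Edge missing or output truncated: flag for review
    return installed, is_patched(installed, fixed)


def check_device(serial: str, fixed: str = EXAMPLE_FIXED_VERSION) -> Tuple[Optional[str], bool]:
    """Query a connected device; needs adb on PATH and USB debugging enabled."""
    cmd = ["adb", "-s", serial, "shell", "dumpsys", "package", "com.microsoft.emmx"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return check_dumpsys(out, fixed)
```

Run `check_device("<serial>")` for each serial listed by `adb devices`; the sample dump yields `("115.0.1901.100", False)` against the placeholder threshold.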
Final Thoughts
Spoofing vulnerabilities are sneaky. While they don't always lead to malware, they make phishing far more effective—and on mobile, that’s a big deal. CVE-2023-38173 may be fixed, but it’s a good reminder to stay alert and keep your software updated.
If you want to dive deeper, see the original Microsoft advisory and follow reputable security blogs for updates. Remember, safe browsing is about habits as much as patches!
Timeline
Published on: 07/21/2023 18:15:00 UTC
Last modified on: 08/01/2023 15:41:00 UTC