Exploit developers claim 'we just broke Edge'
Security researchers claim to have unearthed a zero-day vulnerability in Microsoft Edge. The remote code execution is due to be revealed with a proof-of concept.
Microsoft has not yet been informed about the details of the security issue, but exploit developers had been looking for a way to break Edge out of its sandbox -- and it would appear that this objective has now been achieved.
- Security: Tor 0-day revealed on Twitter by vulnerability vendor
- Malware writers exploit recent Windows Task Scheduler 0-day vulnerability
- 0patch beats Microsoft to patching Windows 10 task scheduler 0-day vulnerability
On Twitter, self-proclaimed "RE Enthusiast, Exploit Developer" Yushi Liang who is "interested in sandboxing & mitigations" claimed to have "broken" Edge. No details are given in the tweet, but Liang says he has joined forces with Alexander Kochkov to break out of Edge's sandbox:
— Yushi Liang (@Yux1xi) November 2, 2018
Liang claims to have exploited Edge more than once but his efforts to release the exploit have been held up by a "crash bug in the text editor" he was using. He spoke with BleepingComputer about his work, and shared a video that appears to show a vulnerability in Edge being exploited to launch Firefox. This is in keeping with the image shared on Twitter which appears to show the Windows Calculator being launched from within the Edge browser.
As reported by BleepingComputer, Liang said that he and Kochkov "were focusing on developing a stable exploit and attaining full sandbox escaping of the code. The duo was also looking for a method to escalate execution privileges to SYSTEM, which would be the equivalent of taking complete control of the machine".