Wanna break Microsoft's Edge browser? Google's explained how

Back in February 2018, Google's Project Zero went public with a Microsoft Edge bug that Redmond couldn't fix in time for its next patch release. Now, the Google researcher - Ivan Fratric - has provided a detailed technical explanation of the problem and says Microsoft's fix might not be adequate. Fratric discovered that an …

  1. Anonymous Coward
    Windows

    Yep, we get it.

    MSFT baaad!

    1. Flocke Kroes Silver badge

      Re: Or ...

      Browsers are far too complicated for use with anything that requires security.

      1. jacksmith210060

        Re: Or ...

        That is an excuse. There is no reason that MS could not create a secure browser.

    2. Anonymous Coward
      Anonymous Coward

      Re: Yep, we get it.

      Funny thing is, just a couple days ago I came across a posting on the es-discuss@mozilla.org maillist where one of the regulars paid a compliment to Allen Wirfs-Brock at Microsoft, saying he might be the only one of those experts to have all of current ECMAScript in his head. (helps that he's been editor of last two/three/four spec editions)

      Very possibly the majority of people at Microsoft are better than "worth a damn", individually. It's a shame they are embedded so deep in the quicksand at the sewer outfall.

      1. JohnFen

        Re: Yep, we get it.

        Microsoft is full of very talented engineers. They aren't the cause of Microsoft's faults.

        1. Hans 1
          Coat

          Re: Yep, we get it.

          Microsoft is full of very talented engineers.

          Well, debatable, they are certainly not that talented at choosing an employer.

        2. jacksmith210060

          Re: Yep, we get it.

          What is the problem then? MS appears to just not care about security. They have more on the line yet Google finds all the major security vulnerabilities. Google found Shellshock, Meltdown, Cloudbleed, Spectre, Heartbleed and a bunch of other ones. Spectre and Meltdown found by multiple.

          It just does not seem like MS is doing their part. Google created Chromebooks which are far more secure than Windows. Then they add GNU/Linux using a super secure method using containers and a VM and MS put it right into the OS which is going to be far less secure.

          1. JohnFen

            Re: Yep, we get it.

            The problem is project management and big-picture product design, made worse by Microsoft getting on the rapid-release train.

    3. Anonymous Coward
      Anonymous Coward

      Re: Yep, we get it.

      Microsoft don't be Evil - that's Google's job.

    4. Anonymous Coward
      Anonymous Coward

      Re: Yep, we get it.

      And their products utter shite. Tried to use edge technology other day, lasted less than a day before tearing my hair out. Back to chrome.

      1. Anonymous Coward
        Anonymous Coward

        Re: Back to chrome.

        Tried something new. It was different. Gave up.

        Cool story Bro, your inability to work with a different browser makes you look awesome.

        1. Anonymous Coward
          Anonymous Coward

          Re: Back to chrome.

          No, wasn't the new, it was the broken bookmarks, and the feeling you had the featureset of IE3 again...

          Edge is simply unusable in its current incarnation

      2. Anonymous Coward
        Anonymous Coward

        Re: Yep, we get it.

        "And their products utter shite. Tried to use edge technology other day, lasted less than a day before tearing my hair out. Back to chrome."

        I use Edge here without issues. It's noticeably faster than Chrome and uses fewer resources. Since Ghostery and U-Block Origin are available it's quite a passable browser solution.

        1. Anonymous Coward
          Anonymous Coward

          Re: Yep, we get it.

          I use Edge here without issues. It's noticeably faster than Chrome and uses fewer resources.

          I have to admit, the only thing that's stopping me from switching to Edge is the lack of being able to place the tab bar down the left side of the window/screen.

        2. Hans 1
          Happy

          Re: Yep, we get it.

          I use Edge here without issues.

          Fine for you, but then your opinion does not count!™

    5. Anonymous Coward
      Anonymous Coward

      Re: Yep, we get it.

      "MSFT baaad!"

      But amusingly, Chrome has a rather higher CVE total over time than Edge since Edge was released!

  2. Mr Dogshit
    Joke

    So this will affect a dozen people then.

  3. Roland6 Silver badge

    Too much money?

    Whilst we should be pleased about this, it does seem that if you have a big cash flow which you need to reduce your tax bill on then getting a team to pick over the competitors' products is a worthy undertaking...

    1. sabroni Silver badge

      Re: Too much money?

      Also notice how the evil MS aren't wasting their time picking holes in Chrome, they seem happy to let any vulnerabilities in Chrome persist.

      Is that because they've now risen above this petty point scoring? Or because they know there are some humdingers in there and they're waiting for the shit to hit the fan.....?

      1. Hans 1
        Coffee/keyboard

        Re: Too much money?

        Also notice how the evil MS aren't wasting their time picking holes in Chrome, they seem happy to let any vulnerabilities in Chrome persist.

        Nope, MS lack a QA team for their own products, I doubt they have a team doing Q/A on their competitor's products.

  4. Multivac

    I'd like to personally thank Microsoft for the close relationship I maintain with my parents, going round to fix broken Microsoft stuff is the primary reason for 90% of my visits.

    1. TVU

      "I'd like to personally thank Microsoft for the close relationship I maintain with my parents, going round to fix broken Microsoft stuff is the primary reason for 90% of my visits"

      The answer to that one is to install the new "Windows" that is immune to CryptoLocker, virii, trojans, etc - Linux Mint Mate. Just watch the requests for help exponentially diminish.

    2. cambsukguy

      And yet, with three/four Win10 machines I have to 'look after', apart from my own, I spend maybe 10 minutes/month 'helping' with issues, in total, max.

      Not that I could fix any 'real' issues anyway, finger trouble most of the time.

    3. supervan

      Just get them a Chromebook!

  5. Nimby
    Joke

    Wanna break Microsoft's Edge browser?

    Just opening it usually does the trick.

  6. JohnFen

    Disable javascript

    Javascript presents far too many security issues. Not just for Edge, but for all browsers.

    1. bazza Silver badge

      Re: Disable javascript

      Seconded.

      Trouble is that there's now too much Web stuff that relies on it. If we lose Javascript (and Meltdown came pretty close to causing that) the likes of Google are in deep trouble. I can't see them advocating a precautionary change of direction which is a pity, because they own Chrome...

      1. JohnFen

        Re: Disable javascript

        "Trouble is that there's now too much Web stuff that relies on it"

        Yes, this can be a problem, so my approach isn't quite as absolute as I indicated in my comment. What I do is use a plugin to let me manage what Javascript gets to execute. By default, none does. If I hit a website that breaks because of this, I typically just move on and ignore that website. If the site is actually important, then I take the time to figure out which specific scripts need to be allowed in order to accomplish what I need to accomplish there.

        In practice, there really aren't that many sites that simply break with Javascript, though. Usually, it just breaks some specific functionality, and usually that's not functionality I need in order to do what I need to do.

  7. beep54

    Name

    I kept reading the name Fratric as Frantic. It seemed reasonable.

  8. Stevie

    Bah!

    Read as far as "JavaScript".

    Another exploit from the boil on the backside of the Web.

  9. Hans 1
    WTF?

    One of my systems just got the 1803 update and as I logged in I was asked if I wanted to allow slurping or if I wanted to allow slurping... the interface was using a tactic I first encountered with the win32.hybris worm, though back then I could kill it in task manager, no luck with Redmond's beast, I had to give consent to slurping or I could not access my computer to perform the downgrade! Ok, yes, I have backups, I could create a bootable USB device with the desired version, format C:, install Windows again, and restore from backups without giving consent ... but if I logged into the computer, it was mainly because, well, hello, I wanted to use it ... guess I should have rebooted into Linux ...

    This is enough, I am seeking legal advice!

    Now the Edge angle ... when I got through the multiple choice questions, I was greeted with this abomination which is Edge* displaying a page for the intellectually deficient full of clickbait content, à la The Sun, Daily Mirror, Telegraph, CNN, Fox News etc - note that Firefox is my default browser.

    Almost every time I go to microsoft.com, I have to click away a nag for Edge, it was already weird to set my default browser because the only option looked like Edge, there is a clickable area to choose an alternative, but it "looks" disabled. Maybe I need to bring that to the attention of the ECJ as well ...

    * this might have been my fault, not sure, because I clicked a few things in the slurping dialog, you never know where Redmond would hide the opt-out ... but no opt-out there was this time ...

    1. Roland6 Silver badge

      > I had to give consent to slurping or I could not access my computer to perform the downgrade!

      Potential GDPR failure?

  10. jacksmith210060

    Who on earth would use Edge? It has been a security mess from day 1 and nothing changes.

    1. DrBed

      >Who on earth would use Edge? It has been a security mess from day 1 and nothing changes.

      "Resistance is futile"

      https://www.theregister.co.uk/2018/03/18/windows_10_tests_forcing_use_of_edge_browser_for_links_in_windows_mail/

  11. Anonymous Coward
    Flame

    Cease and Desist this java crap

    First it was Gifs, tiny images that substituted for bullet characters in fonts and the like, not the bigger pictures people actually viewed. The internet crawled with them. Then the bandwidth was worse than it is today and people noticed much more than we do now, but the proliferation of .js (Java script) is in plague proportion and it's rigged to prevent normal function of the browser unless the server can dump a whole load of crap into your computer to do things you don't need and to duplicate stuff your browser could do years ago.

    Cease and Desist this java crap, I don't need it, I don't want it, I mostly browse without it. Most websites work brilliantly without it. It does nothing for their operation or compatibility, that a well designed site can do without it. Server code runs a shopper site anyway; design them like a mail order catalog.

    Cease and Desist this java crap,
