Scammers can exploit Microsoft Edge security feature flaw
Mon 12 Dec 2016
New research has discovered that technical support scammers are able to subvert a Microsoft Edge security feature called SmartScreen to help execute attacks.
Microsoft Edge, the default browser for Windows 10, warns users about dangerous websites with its SmartScreen alerts. In an official FAQ, the company explains how the filter identifies reported phishing and malware sites and helps users make informed decisions about content downloads.
Now, Argentinian researcher Manuel Caballero has found that these warning messages can be abused for malicious purposes. In a blog post, he describes a bug in the Edge protocols ms-appx: and ms-appx-web:, which the browser uses internally to display its malware warning pages.
By carefully modifying the characters of such a URL and appending a hash (#) followed by the address of a legitimate-looking site, scammers can generate fake alerts that are almost identical to genuine SmartScreen warnings. These messages could con unsuspecting users into clicking malicious links or calling a phone number and handing over personal information.
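From a defender's side, the useful observation in the description above is that ms-appx: and ms-appx-web: are browser-internal schemes: an ordinary web page or e-mail has no reason to link to them, and a fragment that itself contains an external URL is doubly out of place. The following triage helper, an added example written for this article and not code from Manuel Caballero's post or from Microsoft, flags such links in a batch of hrefs pulled from untrusted content. The sample links, the `classify_link` and `triage` names and the "internal scheme should never appear in web content" heuristic are all assumptions of the example; it does not attempt to reproduce the actual spoofing URL.

```python
from urllib.parse import urlsplit, unquote

# Schemes the article says Edge uses internally for SmartScreen warning pages.
# Assumption of this example: untrusted web content has no legitimate reason
# to link to them, so any occurrence is worth a closer look.
INTERNAL_SCHEMES = {"ms-appx", "ms-appx-web"}


def classify_link(href: str) -> str:
    """Return a short verdict for one href found in untrusted content."""
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if scheme not in INTERNAL_SCHEMES:
        return "ok"
    # The fragment (the part after '#') is decoded so that percent-encoded
    # http:// or https:// prefixes are not missed.
    fragment = unquote(parts.fragment).strip().lower()
    if fragment.startswith(("http://", "https://")):
        return "suspicious: internal scheme with external URL in fragment"
    return "suspicious: internal scheme in web content"


def triage(hrefs):
    """Classify every href; returns {href: verdict} for easy reporting."""
    return {href: classify_link(href) for href in hrefs}


# Constructed sample hrefs (not real attack URLs) for a stand-alone run.
SAMPLE_HREFS = [
    "https://example.com/support",
    "ms-appx-web://hypothetical-package/page.html#https://bank.example",
    "MS-APPX://hypothetical-package/page.html#https%3A%2F%2Fbank.example",
    "ms-appx-web://hypothetical-package/page.html",
]

if __name__ == "__main__":
    for href, verdict in triage(SAMPLE_HREFS).items():
        print(f"{verdict:<60} {href}")
```

Running the module prints one verdict per sample link; in a mail gateway or proxy the same function would be applied to every extracted href, with anything other than "ok" routed for review. The heuristic deliberately keys on the scheme alone, so it stays valid whatever the exact character tricks in the spoofed URL are.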
For now, it is unclear whether Microsoft is working on a fix to resolve the issue, but it is expected to feature in a security update in the near future.
SmartScreen is available in both Microsoft Edge and Internet Explorer, but the vulnerability has only been detected in the Windows 10 browser.
While technical support scams are nothing new, it is clear that attackers are deploying an increasing number of methods to fool their victims – from red warnings and the Blue Screen of Death (BSOD), to even completely freezing browsers, and now abusing internal protections.
The news of the SmartScreen flaw comes after Microsoft released a pop-up in November to tell users that Edge was a ‘safer’ browser alternative to Google Chrome and Mozilla Firefox. The company notified users that the browser was able to block over 20% more socially engineered malware than its competitors.