CSRF CORS attack via phishing using IE8 - by Asif Palimar

Status: Won't Fix

Due to several factors the product team decided to focus its efforts on other items.

A more detailed explanation for the resolution of this particular item may have been provided in the comments section.


ID: 802465
Status: Closed
Type: Bug
Repros: 0
Opened: 9/26/2013 11:59:32 PM
Access Restriction: Public

Description

1. Attacker sends user (victim) a file.
2. Victim accepts local file, via email, message, save (successful phish).
3. In our scenario the DELETE method is contained in the local file, sending the DELETE method cross domain to another server (CORS CSRF).
4. The browser (IE8/9) is configured to NOT allow active content in Files or CDs.
5. If user (victim) has administrator privileges on the local machine, the file executes and the victim is given no chance to reject running or respond to a challenge.

Our customers believe this is a bug as the cross domain request, CSRF attack is successful. Is there a fix for this issue?
This issue only happens on Internet Explorer 8.
Posted by Microsoft on 2/22/2016 at 12:44 PM
Thank you for the feedback. This issue does not reproduce in Microsoft Edge. We're not presently working on feature bugs in Internet Explorer outside of security-related issues. At this point we are resolving this issue as Won’t Fix.
Best Regards,
The Microsoft Edge Team
Posted by Microsoft on 11/11/2013 at 4:08 PM
Thank you for your feedback. We will be investigating this issue further.

Best regards,
The Internet Explorer Team