Microsoft loses security Edge

Microsoft’s Edge browser comes with a feature which could be used by technical support scammers.

The Edge browser’s ability to warn users of dodgy sites, or to display other security alerts, can be abused to show native and legitimate-looking warning messages. This is a gift for tech support scammers, who could use it to get the great unwashed to call them thinking they have been hacked.

The flaws exist in Vole's ms-appx and ms-appx-web protocols, which the browser uses to present warning messages when phishing or malware delivery sites are located.

When Edge detects suspected malicious sites, it colours them red with a feature called “SmartScreen”.

However, Buenos Aires security tester Manuel Caballero said it was a doddle for scammers to create warnings that replace the SmartScreen text and phone numbers, indicating that a nominated site, which is also displayed in the address bar, is infected.

All they must do is alter URL characters and append a hash and the URL of a legitimate-looking site.

Those errors could be avoided by changing a single character in the URL, and the displayed address changed to a legitimate site by appending a hash. It is not clear if Microsoft is doing anything about the problem yet.
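A defender-side check for the pattern described above, as an added example that is not from the article or from Caballero's research: it scans page content (for instance at a web proxy or mail gateway) for references to the ms-appx and ms-appx-web schemes and flags the two traits the article mentions, an altered URL character and an appended hash carrying a site address. The three heuristics, and the sample page with its placeholder package and file names, are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Schemes named in the article; ordinary web content has no reason to link to them.
INTERNAL_SCHEMES = {"ms-appx", "ms-appx-web"}
CANDIDATE = re.compile(r"ms-appx(?:-web)?:[^\s\"'<>)]+", re.IGNORECASE)
SITE_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}", re.IGNORECASE)


def encoded_plain_chars(text):
    """Percent-escapes that decode to characters which never need escaping."""
    hits = []
    for esc in re.findall(r"%[0-9A-Fa-f]{2}", text):
        ch = chr(int(esc[1:], 16))
        if ch.isascii() and (ch.isalnum() or ch in "-._~"):
            hits.append(esc)
    return hits


def analyse(url):
    """Return the list of reasons this URL looks like the spoofing pattern."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme in INTERNAL_SCHEMES:
        reasons.append("internal scheme referenced from web content")
    if encoded_plain_chars(parts.netloc + parts.path):
        reasons.append("needlessly percent-encoded character in host or path")
    if SITE_LIKE.match(unquote(parts.fragment)):
        reasons.append("fragment carries a site address")
    return reasons


def scan(content):
    """Return (url, reasons) for every ms-appx/ms-appx-web reference found."""
    return [(m.group(0), analyse(m.group(0))) for m in CANDIDATE.finditer(content)]


# Constructed sample: package and page names are placeholders, not real Edge paths.
SAMPLE_PAGE = """
<a href="https://www.example.org/help#contact">Help</a>
<script>window.open("ms-appx-web://placeholder-package/w%61rning.htm?x=1#http://www.example.com")</script>
<img src="ms-appx:///images/logo.png">
"""

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_PAGE):
        print(url, "->", "; ".join(reasons))
```

A reference that trips all three reasons is the strongest signal; the scheme-only hit is worth logging but is the weakest of the three.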