Around one in 20 desktop web browsers need to start worrying, as security researcher Yushi Liang is preparing to release a Zero-Day exploit for the Edge browser which allows Remote Code Execution, including escaping the Edge sandbox.
Announced in a tweet which demonstrates the classic feat of opening the Calculator from a web page, Liang wrote:
— Yushi Liang (@Yux1xi) November 2, 2018
“we just broke #Edge, teaming up with kochkov for a stable exploit, brace yourself SBX is coming :)”
Bleeping Computer reports that the exploit is still being developed, as the researchers are still looking to escalate their access to SYSTEM level, which would confer full control of your PC. Edge by design runs as the lowest access level possible on your PC to reduce the impact of exactly such a compromise. The exploit was found using the Wadi Fuzzer utility from SensePost and can be seen demonstrated in video below, where the researchers, in a fit of humour, use Edge to open Firefox to the Google Chrome download page.
Liang has previously pwned both the Firefox and Chromium browser, creating an exploit chain using 3 bugs which gave Remote Code Execution on Firefox and RCE without sandbox escape on Chromium.
Liang and colleague Alexander Kochkov have not revealed the bug to Microsoft, but plan instead o reveal a proof-of-concept and publish a general write up in the near future.
Read more detail at Bleeping Computer here.