Edge vulnerability allowed attackers to steal local files

A vulnerability in Microsoft Edge allowed attackers to steal local files when a victim opened a specially crafted HTML file. The leak in the default browser of Windows 10 bypassed the Same Origin Policy (SOP) security measure.

Ziyahan Albeniz of security company Netsparker discovered the issue and explains that SOP should normally prevent access to local files. Normally, the browser only lets a page open content that comes from the same origin: the protocol, host name and port of the URL need to be the same. This means, for example, that an image loaded over HTTP (http://) can be loaded in a page that is loaded over HTTP, and local files (file://) can only be accessed through a page that was loaded from that same file system. If the protocol, host name or port are not the same, a file will not load inside the page.

The exception is a file on the local file system. By definition, file:// URLs don't use a host name or port, so browsers handle files on the file system differently, except for Edge. Before the issue was patched, it was possible to get access to local files if the victim opened a malicious HTML file. Through JavaScript, the contents of other files could be obtained and transferred to a server under the control of the attacker.
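The origin comparison described above, as an added example that is not from the article, Netsparker or Edge's code: a literal comparison of protocol, host name and port treats every file:// URL as one origin, while the hardened check gives any non-HTTP(S) scheme an opaque origin that matches nothing. The function names and sample URLs are constructed for illustration.

```javascript
// Added illustration; not Edge's implementation. Sample URLs are constructed.
const ATTACHMENT = "file:///C:/Users/alice/Downloads/attachment.html";
const LOCAL_FILE = "file:///C:/Users/alice/Documents/notes.txt";

// Naive check: compares the (protocol, host name, port) tuple literally.
// Every file:// URL has an empty host name and port, so any two local
// files compare as "same origin".
function naiveSameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol &&
         ua.hostname === ub.hostname &&
         ua.port === ub.port;
}

// Schemes whose origin is a real (protocol, host name, port) tuple.
const TUPLE_SCHEMES = new Set(["http:", "https:"]);

// Hardened check: file:, data: and other schemes get an opaque origin
// that is never equal to anything, not even another file:// URL.
function strictSameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  if (!TUPLE_SCHEMES.has(ua.protocol) || !TUPLE_SCHEMES.has(ub.protocol)) {
    return false;
  }
  // URL.origin drops default ports, so http://host:80 equals http://host.
  return ua.origin === ub.origin;
}

// Runs both checks over a list of [a, b] URL pairs for side-by-side review.
function compareChecks(pairs) {
  return pairs.map(([a, b]) => ({
    a,
    b,
    naive: naiveSameOrigin(a, b),
    strict: strictSameOrigin(a, b),
  }));
}

console.log(compareChecks([
  [ATTACHMENT, LOCAL_FILE],
  ["http://example.test:80/a", "http://example.test/b"],
  ["http://example.test/a", "https://example.test/a"],
]));
```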

Because the Windows 10 Mail and Calendar app also didn't block .HTML file attachments, the attack was fairly easy to perform if the user used the app as their mail client. Most mail clients would block, or at least mark, .HTML files as unsafe, but the Windows 10 Mail and Calendar app didn't.

Microsoft has now fixed the issue in both Edge and the Mail and Calendar app. No other browsers were affected.
