Microsoft is working on a fix for a serious vulnerability in all the latest versions of Internet Explorer (IE) that could be exploited to reveal the login credentials of users.
A proof-of-concept (POC) attack uses a cross-site scripting (XSS) exploit in which the attacker inserts malicious code into a link that appears to come from a trustworthy source.
When someone clicks on the link, the embedded code is submitted as part of the client’s web request and can execute on the victim’s computer, typically allowing the attacker to steal information.
The latest zero-day vulnerability reportedly works on IE11 for Windows 7 and 8.1, allowing attackers to steal login credentials and inject malicious content into users’ browsing sessions.
The POC exploit shows that attackers could use malicious web pages to bypass the same origin policy that prevents one site from accessing or modifying browser cookies set by another site.
The flaw was disclosed on the Full Disclosure mailing list by David Leo, a researcher with security consultancy firm Deusen.
The POC exploit page contains a link that, when clicked, opens the dailymail.co.uk website in a new window, but after seven seconds the site’s content is replaced with “Hacked by Deusen”.
The rogue page is loaded from an external domain, but the browser’s address bar keeps showing www.dailymail.co.uk.
The POC attack could also be used to steal HTML-based data the news site stores in cookies on visitors’ computers.
That means attackers could use the exploit to steal authentication cookies many websites use to grant access to user accounts once a visitor has entered a username and password.
An attacker could use cookie information to access the same restricted areas normally available only to the victim, including credit card and other confidential data.
According to Ars Technica, phishers could also use the exploit, which appears to use iframes to tamper with IE’s support for the same origin policy, to trick people into divulging passwords for sensitive sites.
Because the browser address bar would remain unchanged during an attack, the exploit offers an attractive means of phishing while the flaw remains unpatched.
The attack also works if the targeted site uses secure sockets layer encryption, according to Joey Fowler, a senior security engineer at Tumblr, who confirmed the vulnerability in a response to Leo’s original post.
Microsoft not aware of vulnerability being exploited
Microsoft is working on a security update, but said the company is not aware of this vulnerability being actively exploited.
The company said that to exploit the vulnerability, an attacker would first need to lure the user to a malicious website, typically through phishing.
However, SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites, Microsoft said in a statement.
“We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information,” the statement said.
But security pundits have pointed out that it would not be that difficult to lure victims to a malicious page using social networking and shortened links.
They also said SmartScreen would work only against spam-based attacks sent to a large number of people, but was unlikely to help in a targeted attack scenario.
Microsoft has not yet indicated when it expects an update that fixes the flaw to be ready for release.