Universal XSS flaw in fully patched Microsoft Internet Explorer exposed

Microsoft engineers are working to fix a dangerous flaw found in Internet Explorer which allows attackers to steal user credentials.
Written by Charlie Osborne, Contributing Writer

A newly-discovered, severe security flaw in fully patched versions of Internet Explorer allows attackers to steal user credentials or to conduct phishing attacks through any website.

The vulnerability, which affects fully patched versions of IE 11 running on both Windows 7 and 8.1, was disclosed by security researcher David Leo from security firm Deusen. Detailed on Full Disclosure, the Internet Explorer vulnerability allows hackers to bypass the Same-Origin Policy -- a fundamental element of web applications including the IE system which is meant to prevent cross-site forgeries -- and run scripts or inject malicious content into websites.

The vulnerability is a universal cross-site scripting (XSS) flaw. In other words, an attacker is able to execute scripted content and inject code into a website. A full proof-of-concept example posted by Leo demonstrated the bug through a visit to the Daily Mail's online domain. Leo used the vulnerability to inject the words "Hacked by Deusen" into the website.

Through the XSS flaw, the security researcher was able to modify the site's content externally, and due to the severe nature of the vulnerability, it could also be used to steal website content such as authentication cookies or login details input by a user during a browser session.

David Leo

Not only could this result in user account theft, but HTML and cookies lifted by a hacker could then be used in legitimate-appearing phishing campaigns. For a victim to be tricked into visiting a malicious website, they do, however, need to click on a link -- but in today's world full of shortened URLs and social media, this is not necessarily difficult to achieve.

Senior security engineer at Tumblr Joey Fowler responded to the disclosure, saying that while "there are quirks, it most definitely works." In addition to circumventing the Same-Origin Policy, the bug also bypasses standard HTTP-to-HTTPS restrictions as long as the page being framed doesn't contain X-Frame-Options headers with 'deny' or 'same-origin' values.

According to Leo, Microsoft was notified on Oct 13, 2014.

Microsoft engineers are currently working on a solution to close the security hole. A Microsoft spokesperson told ZDNet:

"To successfully exploit this issue, an adversary would first need to lure a person, often through trickery such as phishing, to a malicious website that they've created. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against nefarious phishing websites.
We're not aware of this vulnerability being actively exploited and are working to address it with an update. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information."

Read on: In the world of security

Read on: Fixes and Flaws

Editorial standards