Microsoft is aware of a recently disclosed bug in its latest browser, Internet Explorer 11, and is developing a patch for the issue. The vulnerability, a universal cross-site scripting (XSS) bug, could be exploited to steal information or inject code into domains on the browser on Windows 7 and 8.1.
David Leo, a researcher with the U.K.-based security consultancy Deusen, publicized the bug on Full Disclosure over the weekend, linking to a demonstration that shows how it can be used to alter the content of a site from an external domain. In the relatively harmless proof-of-concept, after a user closes a popup window that appears and waits seven seconds, the words “Hacked by Deusen” can be seen inserted into a legitimate news site, The Daily Mail.
While the page is loaded from an external domain, the URL bar still clearly says “http://www.dailymail.co.uk/home/index.html,” something that could easily dupe a user into thinking the forged site was legitimate. Furthermore, if the compromised site were a banking site rather than a news site, the user could easily be phished by unwittingly entering sensitive credentials into a form on the page.
Using an iframe, the bug appears to bypass the same-origin policy, a key mechanism in the web application security model that allows scripts running on pages from the same site to access each other’s Document Object Model (DOM) but disallows access to other sites’ DOM. Essentially, it prevents code in a frame loaded from one site from controlling content loaded from another site. The vulnerability also bypasses standard HTTP-to-HTTPS restrictions, according to Joey Fowler, a senior security engineer at Tumblr, who commented on Leo’s post Monday.
“As long as the page(s) being framed don’t contain X-Frame-Options headers (with ‘deny’ or ‘same-origin’ values), it executes successfully,” Fowler wrote.
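Fowler’s remark points at the one server-side mitigation a site operator controls here: a page that cannot be framed by another origin cannot be targeted this way. The following is an added example, not code from the article or from Deusen, that audits a response’s headers for that protection. It treats X-Frame-Options DENY and SAMEORIGIN as protective, consults the newer CSP frame-ancestors directive where the client honours it, and reports an unprotected page otherwise. The sample responses and the `supports_csp` switch are constructed for illustration; the switch models an older browser such as IE 11, which does not implement frame-ancestors and falls back to X-Frame-Options.

```python
"""Audit HTTP response headers for cross-origin framing protection.

Added example (not from the article). A page that sends X-Frame-Options
DENY or SAMEORIGIN, or a restrictive CSP frame-ancestors directive,
cannot be loaded inside an iframe on an attacker-controlled origin.
All sample responses below are constructed, not real captures.
"""
from typing import Dict, List, Optional, Tuple


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # Keyword sources are quoted in CSP ('self', 'none'); strip the quotes.
            return [token.strip("'").lower() for token in tokens[1:]]
    return None


def framing_protection(headers: Dict[str, str], supports_csp: bool = True) -> Tuple[bool, str]:
    """Decide whether the response forbids framing by other origins.

    Returns (protected, reason). Header names match case-insensitively.
    Browsers that implement frame-ancestors give it precedence over
    X-Frame-Options when both are present; pass supports_csp=False to model
    a client that only understands X-Frame-Options (IE 11 is one such client).
    """
    lower = {name.lower(): value for name, value in headers.items()}

    if supports_csp:
        ancestors = frame_ancestors(lower.get("content-security-policy", ""))
        if ancestors is not None:
            # An empty source list is equivalent to 'none'.
            if ancestors in ([], ["none"]):
                return True, "CSP frame-ancestors 'none': framing denied"
            if ancestors == ["self"]:
                return True, "CSP frame-ancestors 'self': same-origin framing only"
            return False, "CSP frame-ancestors permits other origins: " + " ".join(ancestors)

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}: cross-origin framing denied"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM names a trusted framer and is not honoured by every browser"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore it"
    return False, "no framing restriction: any site may load this page in an iframe"


# Constructed sample responses (header dicts), one per hypothetical page.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "news-site": {"Content-Type": "text/html"},
    "bank-login": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "portal": {"content-type": "text/html", "x-frame-options": "sameorigin"},
    "widget": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors https://partner.example",
        "X-Frame-Options": "DENY",
    },
}


def audit(responses: Dict[str, Dict[str, str]], supports_csp: bool = True) -> Dict[str, bool]:
    """Map each page name to whether its headers block cross-origin framing."""
    return {name: framing_protection(headers, supports_csp)[0] for name, headers in responses.items()}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        protected, reason = framing_protection(headers)
        print(f"{name:11} {'protected' if protected else 'EXPOSED':9} {reason}")
```

The "widget" sample shows the caveat worth remembering when reading Fowler’s condition: a page may send X-Frame-Options DENY and still be frameable by a named partner origin in browsers that honour frame-ancestors, while an X-Frame-Options-only client such as IE 11 sees it as fully protected, so an audit has to state which client model it assumes.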
While Microsoft didn’t say when a patch would surface for the issue, Leo pointed out that the company has had more than three months to work on it, stating on Wednesday that Deusen initially notified Microsoft about the bug on Oct. 13, 2014.
Microsoft insists that it isn’t aware of any exploits involving the bug but is encouraging users regardless to exercise caution when it comes to opening links, especially ones from untrusted sources and sites.
“To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information,” a Microsoft spokesman said.