Microsoft is working on a fix for a serious vulnerability in the latest versions of Internet Explorer (IE) that could be exploited to reveal users' login credentials.
When a user clicks on the link, the embedded script is sent as part of the browser's web request and can run on the victim's computer, typically allowing the attacker to steal information.
The latest zero-day vulnerability reportedly works on IE11 for Windows 7 and 8.1, allowing attackers to steal login credentials and inject malicious content into users' browsing sessions.
The proof-of-concept (POC) exploit shows that attackers could use malicious web pages to bypass the same-origin policy, which prevents one site from accessing or modifying browser cookies set by another site.
The flaw was disclosed on the Full Disclosure mailing list by David Leo, a researcher with security consultancy firm Deusen.
The POC exploit page contains a link that when clicked opens the dailymail.co.uk website in a new window, but after seven seconds the site's content is replaced with "Hacked by Deusen".
The rogue page is loaded from an external domain, but the browser's address bar keeps showing www.dailymail.co.uk.
The POC attack could also be used to steal HTML-based data the news site stores in cookies on visitors' computers.
That means attackers could use the exploit to steal the authentication cookies many websites use to grant access to user accounts once a visitor has entered a username and password.
An attacker could use cookie information to access the same restricted areas normally available only to the victim, including credit card and other confidential data.
Phishers could also use the exploit, which appears to use iframes to tamper with IE’s support of the same origin policy, to trick people into divulging passwords for sensitive sites, according to Ars Technica.
Because the browser address bar would remain unchanged during an attack, the exploit offers an attractive means of phishing while the flaw remains unpatched.
The attack also works if the targeted site uses Secure Sockets Layer (SSL) encryption, according to Joey Fowler, a senior security engineer at Tumblr, who confirmed the vulnerability in a response to Leo's original post.
Microsoft not aware of vulnerability being exploited
Microsoft is working on a security update, but said the company is not aware of this vulnerability being actively exploited.
The company said that to exploit the vulnerability, an attacker would first need to lure the user to a malicious website, typically through phishing.
However, SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites, Microsoft said in a statement.
“We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information,” the statement said.
But security pundits have pointed out that it would not be that difficult to lure victims to a malicious page using social networking and shortened links.
They also said SmartScreen would work only against spam-based attacks sent to a large number of people, but was unlikely to help in a targeted attack scenario.
Microsoft has not yet indicated when it expects an update fixing the flaw to be ready for release.