Number: IRCNE2015022420
Date: 2015/02/07
According to “zdnet”, a newly-discovered, severe security flaw in fully patched versions of Internet Explorer allows attackers to steal user credentials or to conduct phishing attacks through any website.
The vulnerability, which affects fully patched versions of IE 11 running on both Windows 7 and 8.1, was disclosed by security researcher David Leo from security firm Deusen. Detailed on Full Disclosure, the Internet Explorer vulnerability allows hackers to bypass the Same-Origin Policy and run scripts or inject malicious content into websites.
Not only could this result in user account theft, but HTML and cookies lifted by a hacker could then be used in legitimate-appearing phishing campaigns. For a victim to be tricked into visiting a malicious website, they do, however, need to click on a link.
Senior security engineer at Tumblr Joey Fowler responded to the disclosure, saying that while "there are quirks, it most definitely works." In addition to circumventing the Same-Origin Policy, the bug also bypasses standard HTTP-to-HTTPS restrictions as long as the page being framed doesn't contain X-Frame-Options headers with 'deny' or 'same-origin' values.
Microsoft engineers are currently working on a solution to close the security hole.
- 2