Serious bug in fully patched Internet Explorer puts user credentials at riskFebruary 4, 2015 – 5:46 AM
A vulnerability in fully patched versions of Internet Explorer allows attackers to steal login credentials and inject malicious content into users’ browsing sessions. Microsoft officials said they’re working on a fix for the bug, which works successfully on IE 11 running on both Windows 7 and 8.1.
The vulnerability is known as a universal cross-site scripting (XSS) bug. It allows attackers to bypass the same origin policy, a crucially important principle in Web application models that prevents one site from accessing or modifying browser cookies or other content set by any other site. A proof-of-concept exploit published in the past few days shows how websites can violate this rule when people use supported versions Internet Explorer running the latest patches to visit maliciously crafted pages.
To demonstrate the attack, the demo injects the words “Hacked by Deusen” into the website of the Daily Mail. But it also could have stolen HTML-based data the news site, or any other website, stores on visitors’ computers. That means it would be trivial for attackers to use it to steal authentication cookies many websites use to grant access to user accounts once a visitor has entered a user name and password. Once in possession of the cookie, an attacker could access the same restricted areas normally available only to the victim, including those with credit card data, browsing histories, and other confidential data. Phishers could also exploit the bug to trick people into divulging passwords for sensitive sites.