Microsoft Internet Explorer Universal Cross-Site Scripting Flaw
A serious vulnerability has been discovered in all the latest versions of
Microsoft's Internet Explorer that allows attackers to inject malicious
code into the websites users visit and steal cookies, session and
login credentials.
UNIVERSAL XSS BUG WITH SAME ORIGIN POLICY BYPASS
The vulnerability is known as a Universal Cross-Site Scripting (XSS)
flaw. It allows attackers to bypass the Same-Origin Policy, a
fundamental browser security mechanism, in order to launch highly
credible phishing attacks or hijack users’ accounts on any website.
The Same Origin Policy (SOP) is one of the guiding principles that seek to
protect users’ browsing experience. SOP prevents one site from accessing
or modifying browser properties, such as cookies, location and response,
that belong to any other site, ensuring that no third party can inject
code without the authorization of the owner of the website.
DEMONSTRATION
Recently, a proof-of-concept exploit published by a group known as Deusen
shows how websites can violate the SOP when someone uses a supported
version of Internet Explorer running the latest patches to visit a
maliciously crafted page.
To demonstrate the attack, the group exploits the vulnerability to violate
the same-origin policy on the Daily Mail's website and injects the words
"Hacked by Deusen" into the page, which means other HTML and JavaScript
code can also be injected.
The exploit code appears to use iframes to tamper with IE's support of the SOP.
AN EVEN WORSE SCENARIO
Instead of dailymail.co.uk, a cyber criminal could use a bank’s website and
then inject a rogue form asking the user for private financial
information.
Once the attacker's code bypasses the SOP and is injected, it has access
to session cookies. Once in possession of the cookie, an attacker could
access sensitive information normally restricted to the target website,
including credit card data, browsing histories, and other confidential
data.
ATTACK WORKS ON HTTPS
According to Joey Fowler, a senior security engineer at Tumblr, the attack
also works if the targeted site uses the encrypted HTTPS protocol for
secure communication.
However, websites can protect themselves from being targeted through this bug by using a security header called X-Frame-Options with the "deny" or "sameorigin" value, which prevents other sites from loading them in iframes, Fowler noted in a mailing list thread.
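One way to check that a response really carries the header Fowler describes, as an added example that is not part of the original article. The header samples are constructed, the function names are hypothetical, and the accepted tokens are `DENY` and `SAMEORIGIN` (matched case-insensitively).

```python
# Added example (not from the article): audit X-Frame-Options on a response.
VALID = {"deny", "sameorigin"}  # the two values the article recommends


def audit_xfo(headers):
    """headers: list of (name, value) pairs as received, duplicates kept.

    Returns (protected, reason). Anything other than exactly one
    recognised policy is reported as unprotected.
    """
    values = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            # Intermediaries may fold repeated headers into "a, b".
            values.extend(v.strip().lower() for v in value.split(","))
    values = [v for v in values if v]
    if not values:
        return False, "header missing"
    bad = sorted({v for v in values if v not in VALID})
    if bad:
        return False, "value not deny/sameorigin: " + ", ".join(bad)
    if len(set(values)) > 1:
        return False, "conflicting values: " + ", ".join(sorted(set(values)))
    return True, "framing restricted: " + values[0]


# Constructed sample responses, one per case the audit distinguishes.
SAMPLES = {
    "ok-deny": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "missing": [("Content-Type", "text/html")],
    "typo": [("X-Frame-Options", "same-origin")],  # hyphenated: not a token
    "conflict": [("X-Frame-Options", "DENY"),
                 ("x-frame-options", "SAMEORIGIN")],
    "folded": [("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN")],
}


def audit_all(samples=SAMPLES):
    """Run the audit over every labelled sample."""
    return {label: audit_xfo(hdrs) for label, hdrs in samples.items()}


if __name__ == "__main__":
    for label, (ok, reason) in audit_all().items():
        print("%-9s %-4s %s" % (label, "PASS" if ok else "FAIL", reason))
```

The check needs to pass on every response type a site serves (error pages and redirects included), since a single frameable page on the origin is enough for an iframe-based attack.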
MICROSOFT WORKING ON PATCH
Microsoft is working on a fix for the vulnerability, which can be exploited
successfully on Internet Explorer 11 running on both Windows 7 and
Windows 8.1 operating systems.
In a statement, Microsoft said it is "not aware of this vulnerability being
actively exploited and are working on a security update." The company
also encourages customers "to avoid opening links from untrusted sources
and visiting untrusted sites, and to log out when leaving sites to help
protect their information."
Reviewed by Unknown on 2/04/2015