Dangerous XSS bug discovered in fully patched IE

A new universal cross-scripting vulnerability discovered in fully-patched versions of Microsoft's Internet Explorer allows attackers to bypass browser security to steal user credentials and launch phishing attacks.

Details of the flaw and proof of concept code were published to the Full Disclosure mailing list by David Leo, a researcher with infosec firm Deusen.

His testing showed the vulnerability allows attackers to bypass the Same-Origin Policy (SOP) browser security setting.

SOP prevents websites from accessing or modifying browser cookies or other content set by separate sites, so as not to tamper with user authentication.

The proof-of-concept detailed alongside the bug disclosure shows that when a user opens a targeted page in IE 11 on Windows 7 or 8.1, a link appears on what looks to be a legitimate website.

When the link is clicked, the site opens in a new window. The new window continues to display the legitimate domain name, but the site reappears after a number of seconds with text chosen by the attackers, in this case "Hacked by Deusen". 

The appearance of the legitimate domain name - despite the page being loaded from a separate domain - means users can be duped by credible phishing attacks.

The vulnerability also means attackers can access authentication cookies used by websites to log in users, which could lead to IE users' personal data being stolen.

Joey Fowler, a security expert at social media company Tumblr, said his testing found the attack also bypasses normal HTTP to encrypted HTTPS protocol for secure communications.

Fowler said attackers would also be able to use the flaw to bypass IE Content Security Policies through injecting HTML mark-up instead of using Javascript.

The vulnerability works on Internet Explorer version 11 running on Windows 7 and Windows 8.1.

In a statement to iTnews, Microsoft said it was not aware of any situation in which the vulnerability had been actively exploited, and confirmed it was working on a security update.

"To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites," a spokesperson said.

"We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.”