Researchers have published a proof-of-concept exploit for a new IE vulnerability, and some experts think the attack...
method it uses may soon become popular among threat actors.
The vulnerability and corresponding proof-of-concept exploit were posted to the Full Disclosure mailing list this week by David Leo, researcher with UK-based security firm Deusen.
The flaw is described as a universal cross-site scripting (XSS) vulnerability affecting Internet Explorer 9, 10, and 11 on Windows 7 and 8.1. It allows an attacker to manipulate code from a trusted website with data from an untrusted website.
The exploit allows an attacker to bypass the same-origin policy within IE, described Leo, simply by visiting a malicious link. In the proof-of-concept, Leo showed how a user would only see the target URL in the address bar, in this case the Daily Mail UK's website address, but when the page loaded, it displays only the injected phrase "Hacked by Deusen."
According to Marc Rogers, principal security researcher at San Francisco-based CloudFlare Inc., the same-origin policy is a fundamental mechanic at the lowest level of the browser, and an exploit like this could allow an attacker to steal session authentication cookies, or even read data from a secure email website or banking website.
Microsoft said that it is working on a patch, but in the meantime, the only way to be protected from this vulnerability, according Leo and Rogers, is to stop using Internet Explorer until a patch is released.
The start of a trend?
Patrick Wardle, director of research at Redwood City, Calif.-based security vendor Synack Group Inc., noted that while enforcing the same-origin policy is essential to Web browser security, all major browsers have been vulnerable at some point, as has the Adobe Flash Player. Even worse, Wardle said that a universal XSS attack like this could make for a great worm.
"Patient-zero clicks on a phishing email," said Wardle, describing a worm scenario. "Now the attacker can post to all the accounts of that user ... Friends/families will unsuspectingly click on the attacker's maliciously posted links/content (trusting that since it came from the user, and is on a trusted website, its safe) -- this of course will further propagate the attack."
Rogers also noted that two similar vulnerabilities were found in the Android Browser in the fall of 2014; although Google patched the flaws in October, the vulnerabilities were exploited in December to take over victim's Facebook accounts.
Rogers said that the same-origin policy bypass is likely a flaw that has existed in browsers for a long time, but is just now starting to be exploited.
"These flaws have been around a long time," said Rogers.
Learn how to protect against XSS attacks and detect exploits.