kentoh - Fotolia
I read about a recent Internet Explorer vulnerability involving cross-site scripting (XSS) that may become popular among threat actors. How can these same-origin policy XSS vulnerabilities be exploited, and what is the best way to prevent them from putting our users at risk?
Threat actors, pen testers and other security researchers will always build upon prior working exploits or attack techniques. This is especially true for security research on Web browser security, as it has become increasingly difficult to exploit fully patched Web browsers. This new Internet Explorer attack in an attacker's toolbox will help him focus on the specific target or attack being performed so he doesn't need to create everything from scratch.
David Leo, a researcher with U.K.-based security firm Deusen, disclosed a universal XSS vulnerability affecting Internet Explorer 9, 10 and 11 that allows an attacker to use a malicious website to change the contents of one of the other tabs open in a browser. This directly violates the same-origin policy that stops one website open in a browser window or tab from modifying the contents of a different website.
Protecting against these sorts of same-origin policy XSS vulnerabilities is critical in modern Web browsers because a user might, for example, be browsing entertainment websites while performing online banking in a separate tab. Having an attack originate from the entertainment website and affect the online banking would be a serious vulnerability.
Enterprises and individuals can best protect themselves by keeping their Web browsers up to date and by using a network-based antimalware device that can detect when malicious webpages are accessed.
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email. (All questions are anonymous.)
Learn more about preventing XSS attacks
Find out why major websites aren't catching XSS vulnerabilities
Dig Deeper on Application attacks (buffer overflows, cross-site scripting)
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading