I read about a recent Internet Explorer vulnerability involving cross-site scripting (XSS) that may become popular among threat actors. How can these same-origin policy XSS vulnerabilities be exploited, and what is the best way to prevent them from putting our users at risk?
Threat actors, pen testers and other security researchers will always build upon prior working exploits or attack techniques. This is especially true for security research on Web browser security, as it has become increasingly difficult to exploit fully patched Web browsers. This new Internet Explorer attack in an attacker's toolbox will help him focus on the specific target or attack being performed so he doesn't need to create everything from scratch.
David Leo, a researcher with U.K.-based security firm Deusen, disclosed a universal XSS vulnerability affecting Internet Explorer 9, 10 and 11 that allows an attacker to use a malicious website to change the contents of one of the other tabs open in a browser. This directly violates the same-origin policy that stops one website open in a browser window or tab from modifying the contents of a different website.
Protecting against these sorts of same-origin policy XSS vulnerabilities is critical in modern Web browsers because a user might, for example, be browsing entertainment websites while performing online banking in a separate tab. Having an attack originate from the entertainment website and affect the online banking would be a serious vulnerability.
Enterprises and individuals can best protect themselves by keeping their Web browsers up to date and by using a network-based antimalware device that can detect when malicious webpages are accessed.
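The answer above rests on the same-origin policy: a browser only lets script in one tab read or modify a document in another when the two share scheme, host and port. The following is an added example, not code from the original Q&A or from Deusen, that models that origin comparison in JavaScript; the hostnames (`videos.example`, `bank.example`) and URLs are constructed for illustration.

```javascript
// Added example (not from the Q&A above): the origin comparison a browser
// performs before letting script in one tab touch the document of another.
// The same-origin policy treats two URLs as the same origin only when their
// scheme, host and port all match. Hostnames and URLs below are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple. An explicit default port (":443" on https)
// is normalised so that it compares equal to the implicit one.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// True when both URLs share scheme, host and port; path and query are ignored.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Model the browser's decision when script running in `scriptUrl` tries to
// read or modify the document loaded in another tab at `targetUrl`.
// Returns a record so the reason for a refusal is visible, not just a boolean.
function crossTabAccess(scriptUrl, targetUrl) {
  const a = originOf(scriptUrl);
  const b = originOf(targetUrl);
  const mismatches = [];
  if (a.scheme !== b.scheme) mismatches.push("scheme");
  if (a.host !== b.host) mismatches.push("host");
  if (a.port !== b.port) mismatches.push("port");
  return { allowed: mismatches.length === 0, mismatches };
}

// Constructed scenario from the answer: an entertainment site open in one tab,
// online banking in another.
const ENTERTAINMENT_TAB = "https://videos.example/watch?id=42";
const BANK_TAB = "https://bank.example/accounts";

// Walk through a few cases and collect the verdicts the browser should reach.
function demo() {
  return {
    // Different host: the policy must refuse, which is exactly what the
    // universal XSS bug in IE 9-11 let a malicious page bypass.
    entertainmentToBank: crossTabAccess(ENTERTAINMENT_TAB, BANK_TAB),
    // Same site, different path and an explicit default port: allowed.
    bankToBankOtherPath: crossTabAccess(BANK_TAB, "https://bank.example:443/login"),
    // Same host but http vs https: scheme and port both differ.
    httpToHttps: crossTabAccess("http://bank.example/", BANK_TAB),
    // A subdomain is a different host, so it is a different origin.
    subdomainToParent: crossTabAccess("https://www.bank.example/", BANK_TAB),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The example deliberately compares the full tuple rather than just the hostname; the `httpToHttps` case shows why, since a plain-http page on the bank's own host is still a different origin from its https pages. The vulnerability the question refers to is precisely one where the browser reached the wrong verdict for the `entertainmentToBank` case, which is why the answer's advice to patch the browser is the only real fix on the client side.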
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email. (All questions are anonymous.)