
Same-origin policy IE vulnerability may signal new attack trend

A new IE vulnerability has led to a proof-of-concept same-origin policy exploit, and some experts say it highlights a technique that may soon become popular among attackers.

Researchers have published a proof-of-concept exploit for a new IE vulnerability, and some experts think the attack method it uses may soon become popular among threat actors.

The vulnerability and corresponding proof-of-concept exploit were posted to the Full Disclosure mailing list this week by David Leo, researcher with UK-based security firm Deusen.

The flaw is described as a universal cross-site scripting (XSS) vulnerability affecting Internet Explorer 9, 10, and 11 on Windows 7 and 8.1. It allows an attacker to manipulate code from a trusted website with data from an untrusted website.

The exploit lets an attacker bypass the same-origin policy within IE, Leo explained, when the victim simply visits a malicious link. In the proof-of-concept, Leo showed that the user sees only the target URL in the address bar, in this case the Daily Mail UK's website address, but once the page loads it displays only the injected phrase "Hacked by Deusen."

According to Marc Rogers, principal security researcher at San Francisco-based CloudFlare Inc., the same-origin policy is a fundamental mechanism at the lowest level of the browser, and an exploit like this could allow an attacker to steal session authentication cookies, or even read data from a secure email or banking website.
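To make concrete what a browser's same-origin policy is supposed to enforce, here is an added illustration (not code from the article, from Deusen or from any browser): two URLs are same-origin only when scheme, host and port all match, with default ports normalised. The URLs below are constructed examples.

```javascript
// Added example: the comparison the same-origin policy makes.
// An origin is the (scheme, host, port) triple. Default ports are
// normalised so http://a/ and http://a:80/ are the same origin.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

function originOf(urlString) {
  const u = new URL(urlString);                 // WHATWG URL parser (Node and browsers)
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed pairs with the answer the browser must give. A universal XSS
// bug of the kind described above effectively turns the "false" rows into
// "true" for the attacker's page, which is why session cookies and page
// data of other sites become readable.
const PAIRS = [
  ['http://bank.example/login',  'http://bank.example:80/account',  true ], // default port
  ['http://bank.example/',       'https://bank.example/',           false], // scheme differs
  ['https://bank.example/',      'https://mail.bank.example/',      false], // host differs
  ['https://bank.example/',      'https://bank.example:8443/',      false], // port differs
  ['https://bank.example/a',     'https://attacker.example/b',      false], // different site
];

// Returns one row per pair so the result can be inspected or asserted on.
function checkAll() {
  return PAIRS.map(([a, b, expected]) => ({ a, b, expected, actual: sameOrigin(a, b) }));
}

console.table(checkAll());
```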

Microsoft said that it is working on a patch, but in the meantime the only way to be protected from this vulnerability, according to Leo and Rogers, is to stop using Internet Explorer until the patch is released.

The start of a trend?

Patrick Wardle, director of research at Redwood City, Calif.-based security vendor Synack Group Inc., noted that while enforcing the same-origin policy is essential to Web browser security, all major browsers have been vulnerable at some point, as has the Adobe Flash Player. Even worse, Wardle said that a universal XSS attack like this could make for a great worm.

"Patient-zero clicks on a phishing email," said Wardle, describing a worm scenario. "Now the attacker can post to all the accounts of that user ... Friends/families will unsuspectingly click on the attacker's maliciously posted links/content (trusting that since it came from the user, and is on a trusted website, it's safe) -- this of course will further propagate the attack."

Rogers also noted that two similar vulnerabilities were found in the Android Browser in the fall of 2014; although Google patched the flaws in October, the vulnerabilities were exploited in December to take over victims' Facebook accounts.

Rogers said that the same-origin policy bypass is likely a flaw that has existed in browsers for a long time, but is just now starting to be exploited.

"These flaws have been around a long time," said Rogers.


Does your company use IE? If so, will you be switching browsers until a patch is released?
Most of our apps will work in all browsers. We only have a few that are IE only and they are old legacy apps for internal use only. Things like employee timesheet, HR forms and policies, corporate phone listings. Nothing major or a security risk.
The only departments in my company that use IE are the reception and HR departments. Their Internet use is limited as a rule of work, so if a patch is provided to IE, we will simply implement that patch and not switch to a different browser. The downtime for installing the patch does not preclude the need for a switch to a new or different browser for the departments that currently use IE.
Nobody is actually surprised by this, right? Internet Explorer has always been abysmal, in both security and features.