Microsoft is working to patch a vulnerability in Internet Explorer that allows attackers to bypass the same origin policy, inject malicious code into websites, and steal cookies, session and login details.
A group known as Deusen has published a proof-of-concept that demonstrates the exploit violating the same origin policy on the Daily Mail's website. The demo injects the words "Hacked by Deusen" into the site, which means other HTML and JavaScript code can be injected as well.
Microsoft has said it is "not aware of this vulnerability being actively exploited and are working on a security update." It also encouraged customers "to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information."
The exploit appears to use iframes to tamper with the same origin policy in IE. Once the attacker's code bypasses the policy and is injected, it has access to sensitive information normally restricted to the target website, such as session details, cookies, and login details, among other things.
Unlike other universal cross-site scripting (XSS) exploits, this malicious code doesn't have to be uploaded or hosted on the target website; instead, it can be hosted anywhere. However, as Microsoft pointed out, users would have to be lured to a malicious website containing the exploit.
Source: Ars Technica