A new vulnerability has been discovered within Microsoft's legacy web browser, Internet Explorer, that can allow attackers and unwanted parties to record a user's browsing habits.
According to a recent blog post by Michael Caballero, a web security expert, the bug occurs when a page is loaded with a malicious HTML object tag in combination with the compatibility mode meta tag.
The malicious HTML object tags can be injected through hacked websites or ads that allow the addition of custom HTML or JavaScript code. When such code runs, the malicious tag captures information that should only be available to the main browser window. This allows attackers and other interested parties to hijack the host user's data, which can be used for other malicious activities or harvested for advertising purposes.
Caballero has made it possible for anyone to test out the bug, which obviously will only work when run in Internet Explorer.
While Microsoft has already discontinued Internet Explorer in favor of Edge, which is only available on Windows 10, the security expert points out that the issue is still of great concern, because the legacy browser still has a larger user base than Edge. "In my opinion, Microsoft is trying to get rid of IE without saying it. It would be easier, more honest to simply tell users that their older browser is not being serviced like Edge," Caballero wrote on his Broken Browser blog. "I firmly believe that IE should be treated like Edge in terms of security, otherwise get rid of it completely."
Almost a year ago, the security expert also revealed an exploit within Microsoft Edge, which could have allowed tech support scammers to take advantage of Microsoft's SmartScreen technology for their own gain.
Source: Broken Browser via BleepingComputer