A major security flaw has been discovered in the latest version of Internet Explorer. The flaw, found by David Leo, a researcher with Internet security firm Deusen, affects users running IE11 on Windows 7 and 8.1. The vulnerability is a pretty serious one: browser security can be bypassed, allowing attackers to steal login details and user data for any site and to launch phishing attacks. The attackers bypass the same origin policy, one of the key components of web browser security, so that they can insert a malicious piece of code into a link made to look like it is from a trusted or familiar source.
Worryingly, since the same origin policy can be bypassed, you won’t be safe behind SSL encryption, that is, on websites whose addresses start with https. Also, once a cross-site scripting (XSS) attack is remotely launched, the entire look and feel of a website can be manipulated at the hacker’s will in a matter of seconds. In layman’s terms, this means user account theft could happen, and any HTML and cookies stolen by an attacker could be used in phishing attacks that appear legitimate. Obviously you would have to click on a link to visit a malicious website, but that can happen very easily these days, as more and more websites are linked and promoted on social media with shortened URLs.
David Leo said that Microsoft was notified on Oct 13, 2014. Microsoft is currently working on a patch and has issued the following statement:
“To successfully exploit this issue, an adversary would first need to lure a person, often through trickery such as phishing, to a malicious website that they’ve created. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against nefarious phishing websites. We’re not aware of this vulnerability being actively exploited and are working to address it with an update. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.”