Severe XSS flaw affects fully patched Internet Explorer

Security experts discovered a new severe XSS flaw affects fully patched Internet Explorer and exposes users to risks of attacks and identity theft.

A new critical cross-site scripting (XSS) vulnerability affects fully patched versions of Internet Explorer, the flaw could be exploited by hackers to steal user sensitive data (i.e. login credentials) and inject malicious content into browsing sessions.

Microsoft has declared that its experts are already developing a fix for the vulnerability that is effective on IE 11 running on both Windows 7 and 8.1.

“We are not aware of this vulnerability being actively exploited and are working on a security update. To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.” reports the official statement from Microsoft, which confirms that it has no news about the exploitation of the vulnerability in the wild.

The exploitation of this critical cross-site scripting bug allows an attacker to bypass the same origin policy (SOP), which is a fundamental in the web application security model implemented to protect users’ browsing experience.

” The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other’s DOM with no specific restrictions, but prevents access to DOM on different sites.” reads Wikipedia.

The SOP prevents one site from accessing or modifying browser cookies or other data used by another website.

Last week Deusen published a proof-of-concept exploit to demonstrate how it is possible to bypass the SOP when users are visiting specifically crafted page by using fully patched Internet Explorer versions. The demo injects the words “Hacked by Deusen” into the website of the Daily Mail.

In the same way, the attackers can steal authentication cookies from other websites to impersonate victims once they are logged in. Once in possession of the cookie, an attacker could access the same restricted areas normally available only to the victim, including those with credit card data, browsing histories, and other confidential data. Phishers could also exploit the bug to trick people into divulging passwords for sensitive sites.

“Once in possession of the cookie, an attacker could access the same restricted areas normally available only to the victim, including those with credit card data, browsing histories, and other confidential data. Phishers could also exploit the bug to trick people into divulging passwords for sensitive sites.” reports ArsTechnica

Below the code used by the exploit to bypass SOP in IE.

function go()
{
 w=window.frames[0];
 w.setTimeout("alert(eval('x=top.frames[1];r=confirm(\\'Close this window after 3 seconds...\\');x.location=\\'javascript:%22%3Cscript%3Efunction%20a()%7Bw.document.body.innerHTML%3D%27%3Ca%20style%3Dfont-size%3A50px%3EHacked%20by%20Deusen%3C%2Fa%3E%27%3B%7D%20function%20o()%7Bw%3Dwindow.open(%27http%3A%2F%2Fwww.dailymail.co.uk%27%2C%27_blank%27%2C%27top%3D0%2C%20left%3D0%2C%20width%3D800%2C%20height%3D600%2C%20location%3Dyes%2C%20scrollbars%3Dyes%27)%3BsetTimeout(%27a()%27%2C7000)%3B%7D%3C%2Fscript%3E%3Ca%20href%3D%27javascript%3Ao()%3Bvoid(0)%3B%27%3EGo%3C%2Fa%3E%22\\';'))",1);
}
setTimeout("go()",1000);

As explained by Microsoft the attacker would have to lure the victim to a malicious website, but it is quite easy in several ways, for example by sharing a link through spam emails or via social network messages.

Let’s wait Microsoft will fix the flaw

Pierluigi Paganini

(Security Affairs – Explorer, SOP)