Universal XSS flaw in fully patched Microsoft Internet Explorer exposed


RV_

Microsoft engineers are working to fix a dangerous flaw found in Internet Explorer which allows attackers to steal user credentials.

 

This is serious. I recommend folks switch to FF or Chrome or my new favorite Chrome-based secure browser, Aviator from WhiteHat Security. It won't show Flash without my consent. Makes it a bit tedious for some things with my having to think first, allow second. Anything but my favorite IE for now. I will go back to IE when they patch it for these.

 

How bad? Read on:

 

Excerpt:

 

"A newly-discovered, severe security flaw in fully patched versions of Internet Explorer allows attackers to steal user credentials or to conduct phishing attacks through any website.

 

The vulnerability, which affects fully patched versions of IE 11 running on both Windows 7 and 8.1, was disclosed by security researcher David Leo from security firm Deusen. Detailed on Full Disclosure, the Internet Explorer vulnerability allows hackers to bypass the Same-Origin Policy -- a fundamental element of web applications including the IE system which is meant to prevent cross-site forgeries -- and run scripts or inject malicious content into websites.

 

The vulnerability is a universal cross-site scripting (XSS) flaw. In other words, an attacker is able to execute scripted content and inject code into a website. A full proof-of-concept example posted by Leo demonstrated the bug through a visit to the Daily Mail's online domain. Leo used the vulnerability to inject the words "Hacked by Deusen" into the website.

Through the XSS flaw, the security researcher was able to modify the site's content externally, and due to the severe nature of the vulnerability, it could also be used to steal website content such as authentication cookies or login details input by a user during a browser session.

 

Not only could this result in user account theft, but HTML and cookies lifted by a hacker could then be used in legitimate-appearing phishing campaigns. For a victim to be tricked into visiting a malicious website, they do, however, need to click on a link -- but in today's world full of shortened URLs and social media, this is not necessarily difficult to achieve."

 

Full article which will have updates along the way and links is here: http://www.zdnet.com/article/severe-xss-flaw-in-fully-patched-microsoft-internet-explorer-discovered/?tag=nl.e539&s_cid=e539&ttag=e539&ftag=TRE17cfd61

 

 

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius

 

“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire
