Internet Explorer XSS flaw opens door to thieves and phishers

News by Doug Drinkwater

A critical new cross-site scripting (XSS) flaw affecting fully-patched versions of Internet Explorer 11 on Windows 7 and 8 could make users vulnerable to phishing and malvertising attacks, as well as data and log-in credential theft.

The flaw was disclosed on the Full Disclosure mailings list on Saturday by Deusen security researcher David Leo, who also detailed in his post how a proof-of-concept exploit could be used against a variety of websites.

Using the website of UK newspaper The Daily Mail ( as an example, Leo said that an attacker could execute malicious code onto the site so that when the website was opened in IE 11 on a fully-patched Windows 7 or 8.1 machine, the exploit page would offer up a link to the user.

When clicked, this link would open up a new browsing window on the Daily Mail website and within just seven seconds, the Mail's online content would be replaced by a page bearing the simple message ‘hacked by Deusen'.

Despite the page loading this external domain, the URL bar would still show the address – an indication that this flaw could be used by hackers to launch spear-phishing attacks to steal credentials, or to alternatively direct victims to malvertising websites.

Arguably the most worrying method of attack could see hackers steal authentication cookies, and impersonate victims while logged-in, all the while gaining access to normally restricted areas, such as those holding credit card data or browsing histories.

The vulnerability is serious because not only is the user unaware of the intrusion, but because it bypasses the Same-Origin Policy (SOP),which essentially prevents the manipulation of a website's browser cookies or content.

In response to Leo's post, Tumblr senior security engineer Joey Fowler confirmed that the proof-of-concept also worked on websites encrypting their sessions with HTTPS.

Leo has described the flaw as a ‘universal' cross-scripting (XSS) vulnerability, because – as it affects the web browser – it makes all websites vulnerable. XSS vulnerabilities allow attackers to steal a cookie and display fake content on compromised sites by injecting malicious code via the URL.

Microsoft engineers are now working on a patch for the issue, and the firm – which was alerted to the flaw on 13th October 2014 - said in a statement: “We are not aware of this vulnerability being actively exploited and are working on a security update. To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing,” read the statement.

“SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.”

Jason Steer, director of security strategy at FireEye EMEA, said that the flaw is not surprising, given XSS is listed in the top 10 of OWASP's web vulnerabilities list, but said that it was concerning because of the sheer number of Internet Explorer users as well as the ability for it to be used to enable phishing attack – which is the starting point for most Advanced Persistent Threat  (APT) attacks.

“Unfortunately XSS is one of the top web apps vulnerabilities and the reality is people just don't give code enough time before it goes out the door. You end up with some quite basic errors, because of time pressures. This is just another example that we'll see forever and a day.”

On Microsoft's consideration that it wasn't overly serious, Steer said that it was a difficult decision to make especially as the Redmond giant would likely have its own threat intelligence to rely on.

“It's a balancing act. You'd think that they would know better than anybody else,” he said. “However, some [attackers] may see it as a way to target a user in some form.”

TechUK recently ranked XSS flaws as third on a list of common web vulnerabilities, along with the likes of weak passwords, poorly configured SSL, no protection to brute force attacks and compromised cookies.

Gordon Morrison, director of tech for government at techUK, said in a statement at the time:“These threats may not be new, but all still pose a real risk to UK web users. The good news for businesses and citizens is that there are well established fixes available to protect against these vulnerabilities and avoid falling victim to cyber-crime.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews