Microsoft is working on a fix for a serious vulnerability in all the latest versions of Internet Explorer (IE) that could be exploited to reveal the login credentials of users.
When someone clicks on the link, the embedded programming is submitted as part of the client’s web request and can execute on the victim’s computer, typically allowing the attacker to steal information.
The latest zero-day vulnerability reportedly works on IE11 for Windows 7 and 8.1, allowing attackers to steal login credentials and inject malicious content into users’ browsing sessions.
The POC exploit shows that attackers could use malicious web pages to bypass the same origin policy that prevents one site from accessing or modifying browser cookies set by another site.
The flaw was disclosed on the Full Disclosure mailing list by David Leo, a researcher with security consultancy firm Deusen.
The POC exploit page contains a link that when clicked opens the dailymail.co.uk website in a new window, but after seven seconds the site’s content is replaced with “Hacked by Deusen”.
The rogue page is loaded from an external domain, but the browser’s address bar keeps showing http://www.dailymail.co.uk.
The POC attack could also be used to steal HTML-based data the news site stores in cookies on visitors’ computers.
That means attackers could use the exploit to steal authentication cookies many websites use to grant access to user accounts once a visitor has entered a username and password.