Microsoft blunts hooks of nasty Internet Explorer phishing flaw

Hacker drops policy bypass disclosure

By Darren Pauli

Microsoft is investigating an alleged vulnerability in its flagship Internet Explorer browser.

The cross-site scripting hole disclosed Saturday by hacker David Leo includes functional proof of concept code, according to confirmed reports.

Vulture South reported the flaw to Microsoft Friday and has been told the company is working to develop a patch. We've not been offered a timeframe for the fix.

The flaw reportedly works against updated instances of the browser operating on Windows 7.

We shall not link to the flaw because the demonstration page runs a heap of scripts, but if you want to see it at work, point your browser to http://www.deusen.co.uk/items/insider3show.3362009741042107, where Leo explains the exploit.

Tumblr security bod Joey Fowler, writing on the Full Disclosure mailing list, said the vulnerability was a credible and dangerous threat.

"As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully," Fowler said in a confirmed post.

"Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript)."

Fowler said it made available all viable cross-site scripting vectors to attackers.
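Site owners can check their own responses against the header condition Fowler describes. The following is an added example, not code from the article, from Leo's proof of concept or from Microsoft; the function names, the `example.test` URLs and the sample headers are constructed for illustration.

```python
# Added example: audit HTTP response headers for the X-Frame-Options
# condition quoted above. All names and sample data are constructed.

# Header tokens that forbid cross-origin framing. The on-the-wire token is
# SAMEORIGIN; a hyphenated "same-origin" is not a valid header value.
PROTECTIVE = {"deny", "sameorigin"}


def xfo_tokens(headers):
    """Collect X-Frame-Options tokens from a list of (name, value) pairs.

    The header may be sent more than once or comma-joined by a proxy,
    so both forms are flattened into one token list.
    """
    tokens = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def framing_status(headers):
    """Classify one response as 'protected', 'weak' or 'missing'."""
    tokens = xfo_tokens(headers)
    if not tokens:
        return "missing"
    # Unknown or conflicting tokens are treated as weak rather than trusted.
    if len(set(tokens)) == 1 and tokens[0] in PROTECTIVE:
        return "protected"
    return "weak"


def audit(responses):
    """Return {url: status} for every response that is not 'protected'."""
    findings = {}
    for url, headers in responses.items():
        status = framing_status(headers)
        if status != "protected":
            findings[url] = status
    return findings


# Constructed sample responses; example.test is a placeholder host.
SAMPLE = {
    "https://example.test/login": [("X-Frame-Options", "DENY")],
    "https://example.test/news": [("Content-Type", "text/html")],
    "https://example.test/account": [("x-frame-options", "same-origin")],
    "https://example.test/admin": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
}
```

Feed `audit` the header pairs captured from your own pages; anything it returns is a page that can still be framed or whose header is ambiguous.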

Leo used "news" site The Daily Mail to demonstrate the attack. Internet Explorer users clicking his crafted link would be served a prompt and directed to the Mail page, where an external page was loaded reading 'hacked by Deusen'.

The browser address bar would remain unchanged during the attack, making it an attractive means of phishing users, and one which could easily be used in live attacks prior to Redmond releasing a patch. ®
