Microsoft blunts hooks of nasty Internet Explorer phishing flaw

Hacker drops policy bypass disclosure

By Darren Pauli


Microsoft is investigating an alleged vulnerability in its flagship Internet Explorer browser.

The cross-site scripting hole disclosed Saturday by hacker David Leo includes functional proof of concept code, according to confirmed reports.

Vulture South reported the flaw to Microsoft Friday and has been told the company is working to develop a patch. We've not been offered a timeframe for the fix.

The flaw reportedly works against updated instances of the browser operating on Windows 7.

We shall not link to the flaw because the demonstration page runs a heap of scripts, but if you want to see it at work point your browser to, where Leo explains the exploit.

Tumblr security bod Joey Fowler, writing on the Full Disclosure mailing list, said the vulnerability was a credible and dangerous threat.

"As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully," Fowler said in a confirmed post.

"Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript)."

Fowler said it made available all viable cross-site scripting vectors to attackers.
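Site owners can check which of their pages meet the condition Fowler describes. The following is an added example, not code from the article or from Leo's disclosure: it audits captured response headers for X-Frame-Options, whose defined blocking tokens are DENY and SAMEORIGIN. The paths and responses are constructed samples, and counting any other value as unprotected is a conservative assumption.

```python
# Added example (not from the article): audit X-Frame-Options on captured
# response headers. Sample responses below are constructed for illustration.

VALID = {"DENY", "SAMEORIGIN"}  # the two values that forbid cross-origin framing

def parse_headers(raw):
    """Parse a raw header block into a list of (lowercased name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def framing_verdict(raw):
    """Return (protected, reason) for one response's header block."""
    values = []
    for name, value in parse_headers(raw):
        if name == "x-frame-options":
            # A proxy may fold repeated headers into one comma-separated value.
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    if not values:
        return False, "no X-Frame-Options header"
    unknown = sorted(set(values) - VALID)
    if unknown:
        # Conservative assumption: any token other than DENY/SAMEORIGIN
        # (typos, ALLOW-FROM) is counted as no protection.
        return False, "unrecognised value: " + ", ".join(unknown)
    if len(set(values)) > 1:
        return False, "conflicting values: " + ", ".join(sorted(set(values)))
    return True, values[0]

SAMPLES = {  # constructed responses, keyed by a hypothetical path
    "/login": "HTTP/1.1 200 OK\nContent-Type: text/html\nX-Frame-Options: DENY",
    "/news": "HTTP/1.1 200 OK\nContent-Type: text/html",
    "/account": "HTTP/1.1 200 OK\nx-frame-options: same-origin",
    "/embed": "HTTP/1.1 200 OK\nX-Frame-Options: ALLOW-FROM https://partner.example",
    "/mixed": "HTTP/1.1 200 OK\nX-Frame-Options: DENY\nX-Frame-Options: SAMEORIGIN",
}

def audit(samples=SAMPLES):
    """Map each path to its (protected, reason) verdict."""
    return {path: framing_verdict(raw) for path, raw in samples.items()}

if __name__ == "__main__":
    for path, (ok, reason) in audit().items():
        print(f"{path:10} {'protected' if ok else 'FRAMEABLE'}  {reason}")
```

Only `/login` passes: a missing header, a misspelled token, ALLOW-FROM and conflicting duplicates are all reported as frameable.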

Leo used "news" site The Daily Mail to demonstrate the attack. Internet Explorer users clicking his crafted link would be served a prompt and directed to the Mail page, where an external page was loaded reading 'hacked by Deusen'.

The browser address bar would remain unchanged during the attack, making it an attractive means of phishing users that could easily be used in live attacks before Redmond releases a patch. ®
