Sunday, February 8, 2015

IE11 zero-day vulnerability hits Windows 7 and 8.1 users

SECURITY RESEARCHERS HAVE WARNED of a new zero-day vulnerability in Microsoft's Internet Explorer 11 affecting Windows 7 and Windows 8.1 users.
The flaw was found by researcher David Leo at Deusen and is described as a "universal cross-site scripting" attack allowing content on domains to be changed remotely using modified browser cookies.
The flaw could also allow hackers to insert malicious content into browsers, scrape personal data or track movements online using unsavoury web pages as a mask.
Leo used the example of the Daily Mail website to show how its content can be changed by an external domain.
The attack is demonstrated on the Deusen website, and shows that 'Hacked by Deusen' is actively injected into dailymail.co.uk seven seconds after opening the web page.
Microsoft claims that the flaw has yet to be exploited. "To successfully exploit this issue, an adversary would first need to lure a person, often through trickery such as phishing, to a malicious website that they've created," read a statement sent to The INQUIRER.
"SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against nefarious phishing websites.
"We're not aware of this vulnerability being actively exploited and are working to address it with an update."
The flaw has caused concerns in the security community, despite Microsoft's assurances.
Symantec's security response team warned that it could be used by hackers to steal information.
"This zero-day vulnerability could allow an attacker to bypass the same-origin policy in order to steal from, and inject information into, other websites," explained the team in an advisory.
"Microsoft has not yet issued a patch or security advisory for this vulnerability. At this time, there are no indications that this vulnerability has been exploited in the wild."
