A hacker has discovered a universal cross-site scripting (XSS) flaw that affects Internet Explorer 11 on Windows 7 and 8.1, and which could allow attackers to execute extremely convincing phishing attacks against Internet users.
Discovered by David Leo, and apparently reported to Microsoft on October 13, 2014, the flaw can be misused to bypass the same-origin policy (SOP), which is meant to prevent scripts loaded from one site from reading or altering content that belongs to another.
In his post to the Full Disclosure mailing list, Leo also included a link to an exploit page he set up, which demonstrates how outside content can be pushed onto visitors of a legitimate site (in this case, Daily Mail’s).
While the new, potentially malicious content is displayed to the user, the URL shown in the browser’s address bar remains that of the legitimate site, so it’s easy to see how this could make phishing attacks more effective.
A Microsoft spokesman has pointed out that the company is not aware of the flaw being actively exploited in the wild.
“To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites,” he said. “We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.”