Microsoft’s Internet Explorer Universal Cross Site Scripting flaw


A serious flaw has been found in Microsoft’s Internet Explorer 10 and 11 browsers, affecting both Windows 7 and 8.1. The vulnerability is known as a ‘Universal Cross Site Scripting’ flaw as it renders the victim vulnerable to all forms of XSS attacks. David Leo from the security firm Deusen posted his discovery, with a proof of concept, on the Full Disclosure mailing list. The flaw allows an attacker to bypass the Same-Origin Policy (SOP), which prevents a site from accessing or modifying another site's browser properties, such as cookies, location, response etc. This policy should ensure that no third party can inject code without the authorization of the owner of the website. The victim will need to click on a malicious link for the attack to work; however, this can easily be achieved with a simple social engineering attack.

Joey Fowler, a senior security engineer at Tumblr, responded to the disclosure, saying that "while there are quirks, it most definitely works" and that "It even bypasses standard HTTP-to-HTTPS restrictions".
At the time of writing, Microsoft engineers are working on a solution to close the security hole: "We're not aware of this vulnerability being actively exploited and are working to address it with an update. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information".

The best defense against this kind of attack would be to not click on any hyperlinks from untrusted sources. If you are skeptical about a link, for example if someone sends you what looks like a link to a trusted site (www.google.com) but you don't trust the source, you can always right-click on it to view or copy the link address/location. This will show you where the link will actually take you. Try clicking the link to Google. Where did you end up?
If you don't recognise the address as a trusted source, don't click on it.

Posted by will
