Internet Explorer 11 vulnerability allows policy bypass

(Phys.org) —"Your authentication cookies could be up for grabs in the latest Internet Explorer 11 vulnerability," said Kareem Anderson in WinBeta on Wednesday. The targets are IE 11 on both Windows 7 and 8.1.

This, noted Anderson, arrives in "an age of social networking and shortened URL links, driving traffic to malicious sites ladened with login stealing credentials." He added, "a vulnerability found in a fully patched version of Internet Explorer isn't helping matters." Microsoft is working on a fix. This is a Universal Cross Site Scripting (XSS) vulnerability in which the Same Origin Policy (SOP) is bypassed. Anderson said that the XSS bug allows attackers to steal login credentials while also injecting into the person's web-browsing session. A number of security sites pointed out this week that, in bypassing SOP, the attack bypasses a principle of web application models. Eduard Kovacs in SecurityWeek said that policy "prevents scripts loaded from one origin from interacting with a resource from another origin."

The Open Web Application Security Project discussed XSS in its overview: Cross-Site Scripting (XSS) attacks are a type of injection where malicious scripts are injected into otherwise trusted web sites. A malicious script is sent to an unsuspecting user, and the user's browser has no way of knowing the script should not be trusted and goes ahead to execute the script. The script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. The scripts can rewrite the content of the HTML page.

Threatpost further analyzed the bypass: "Using an iFrame, the bug appears to bypass same-origin policy, a key mechanism found in web application models that allows script running on pages from the same site to access each other's Document Object Model (DOM) but disallows access to other sites' DOM. Essentially it prevents code in a site's iFrame from being able to control content from that site. The vulnerability also bypasses standard HTTP-to-HTTPS restrictions, according to Joey Fowler, a senior security engineer at Tumblr."
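The origin comparison described above, as an added example that is not part of the original article or any browser's code: it models the same-origin check as it is generally defined (scheme, host and port must all match) and reports which frames a parent page's script should be able to reach when the policy is intact. The function names and all URLs are constructed for illustration.

```javascript
// Added example: models the same-origin comparison (scheme, host, port).
// All URLs below are constructed sample values.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the origin tuple the policy compares.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Return null when same-origin, otherwise the first component that differs.
function originMismatch(a, b) {
  const x = originOf(a), y = originOf(b);
  for (const key of ["scheme", "host", "port"]) {
    if (x[key] !== y[key]) return key;
  }
  return null;
}

// For a parent page and its frames, report whether script in the parent
// should be allowed to touch each frame's DOM under an intact policy.
function classifyFrames(parentUrl, frameUrls) {
  return frameUrls.map((frameUrl) => {
    const mismatch = originMismatch(parentUrl, frameUrl);
    return { frameUrl, domAccess: mismatch === null, mismatch };
  });
}

const report = classifyFrames("http://shop.example/cart", [
  "http://shop.example:80/checkout",   // same origin, explicit default port
  "https://shop.example/checkout",     // HTTP parent, HTTPS frame
  "http://pay.shop.example/form",      // different host (subdomain)
  "http://shop.example:8080/admin",    // different port
]);
for (const r of report) {
  console.log(r.domAccess ? "allow" : `block (${r.mismatch})`, r.frameUrl);
}
```

Only the first frame shares the parent's origin; the HTTP-to-HTTPS case is blocked on the scheme alone, which is the restriction the article says the bug also bypasses.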

Security Editor at Ars Technica, Dan Goodin, on Tuesday called the bug serious. A Microsoft representative issued an email to various tech sites saying, "We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information."

Chris Brook in Threatpost went to the source of the discovery. "David Leo, a researcher with the U.K.-based security consultancy firm Deusen publicized the bug on Full Disclosure over the weekend, linking to a demonstration which shows how it can be used to hack the content of a site, externally." In the proof-of-concept, after interaction from a user, closing a popup window and waiting seven seconds, the words "Hacked by Deusen" could be seen inserted into a site.



© 2015 Tech Xplore

Citation: Internet Explorer 11 vulnerability allows policy bypass (2015, February 5) retrieved 21 May 2019 from https://techxplore.com/news/2015-02-internet-explorer-vulnerability-policy-bypass.html

User comments

Feb 05, 2015
It's ironic people still even worry about using IE when there are 500% more secure alternatives such as FireFox and Chrome. Just having adblock/script blockers alone in FireFox is comparable to a home either having a security system and IE just leaving your doors unlocked. The article illustrates this; Microsoft even after all this time still believes in trying to self manage security in their browser while still incorporating ActiveX which is the problem to begin with. They take no direction from the much more stable, secure, faster alternatives. So seeing articles like this just reinforces the let down that IE has and will seemingly continue to be.

When's the last time you heard about FireFox needing a critical bug fix because it allows hackers to bypass anything? Yeah, I can't remember the last time either.

Feb 05, 2015
Well, there is no end to adware even with ad-block on Chrome too.

I swear I wish they'd just come up with some way of preventing it once and for all.

Why every new Microsoft product has the same vulnerabilities and some new ones, who knows.

Feb 05, 2015
ev3rm0r3,
It's ironic people still even worry about using IE when there are 500% more secure alternatives such as FireFox and Chrome. Just having adblock/script blockers alone in FireFox is comparable to a home either having a security system and IE just leaving your doors unlocked.


Unfortunately, many government sites require access through IE only. These sites are often required to be used by health care facilities for reporting purposes, etc. There are fewer of these site requirements today than a few years ago, but they still exist.


PS3
Feb 06, 2015
Well, there is no end to adware even with ad-block on Chrome too.

I swear I wish they'd just come up with some way of preventing it once and for all.

Why every new Microsoft product has the same vulnerabilities and some new ones, who knows.

Maybe because you're on Chrome. Firefox with adblock and ghostery makes it ad free for me.

Feb 06, 2015
I am not a fan of IE, but
you can bypass the SOP on any browser
using services like anyorigin.com

Feb 06, 2015
David Leo, a researcher with the U.K.-based security consultancy firm Deusen publicized the bug

Did Deusen notify the product owner beforehand, to give them a reasonable opportunity to patch the vulnerability? As is often done when vulnerabilities are discovered?

Doesn't appear so. So, Deusen gets lots of publicity, which I suppose is good for the business. At the cost of rendering all these IE users, world-wide, more vulnerable to malware for which there is not yet a fix. Hardly how I'd expect a white hat to behave.

Feb 08, 2015
What's wrong with bypassing Internet Explorer 11? That would seem the best policy

Feb 09, 2015
This comment has been removed by a moderator.
