IE 11 contains dangerous vulnerability

The current version of Internet Explorer contains a cross-site scripting (XSS) vulnerability that allows the same-origin policy to be bypassed. Using this hole, an attacker can replace the contents of a web page and also obtain personal information about the user.

The vulnerability was first reported by David Leo of the British company Deusen on the Full Disclosure mailing list. He also published PoC code for the flaw, which demonstrates its effect using the website of the Daily Mail as an example. When a user navigates to that website from a specially crafted page using IE 10 or IE 11, the page displays “Hacked by Deusen”, although the URL in the address bar does not change.

In the same way, an attacker could, for example, replace a bank's page and embed in it a form for entering the username, password and even the security code the user receives by SMS. The customer will see the bank's URL in the address bar and will not suspect a trick.

In addition, the vulnerability allows the owner of a site visited by a user with IE to retrieve data from cookies, which also contain sensitive information (username, password, phone number, etc.).

Microsoft responded to David Leo's mailing-list message, noting that it is aware of the vulnerability and has not received any reports of it being used to cause harm. “We urge customers not to open links received from unreliable sources, and not to visit sites that are not credible,” the corporation said.

Sucuri representative Daniel Cid and several information security experts have noted that website owners can protect themselves against exploitation of this vulnerability by using HTTP response headers such as X-Frame-Options with a value of “deny” or “sameorigin”. According to Cid, the header is currently rarely used.
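A site owner can check whether their own responses actually carry the header described above. The following is an added example, not code from the article or from Sucuri: a Python audit of raw response headers that accepts only `deny` or `sameorigin` and flags missing, misspelled or conflicting values. The sample responses and hostnames are constructed.

```python
# Added example: audit HTTP responses for the X-Frame-Options header.
# All sample responses and hostnames below are constructed placeholders.

VALID = {"deny", "sameorigin"}  # the two values named in the article


def parse_headers(raw):
    """Parse a raw HTTP response head into a list of (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block; the body is ignored
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_xfo(raw):
    """Return (verdict, detail) describing one response's X-Frame-Options."""
    values = set()
    for name, value in parse_headers(raw):
        if name == "x-frame-options":
            # The header may be repeated or carry a comma-separated list.
            values.update(v.strip().lower() for v in value.split(",") if v.strip())
    if not values:
        return "missing", "no X-Frame-Options header in the response"
    if len(values) > 1:
        return "conflicting", "different values sent: " + ", ".join(sorted(values))
    (value,) = values
    if value in VALID:
        return "ok", "framing restricted with " + value
    # e.g. the hyphenated spelling "same-origin" is not a defined value
    return "invalid", "unrecognised value %r" % value


SAMPLES = {  # constructed responses
    "bank.example": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n<html>",
    "news.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "shop.example": "HTTP/1.1 200 OK\r\nX-Frame-Options: same-origin\r\n\r\n",
    "mail.example": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                    "X-Frame-Options: SAMEORIGIN\r\n\r\n",
}

if __name__ == "__main__":
    for host, raw in SAMPLES.items():
        print(host, *audit_xfo(raw))
```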

The patch for this vulnerability is likely to be released on February 10, when Microsoft releases security updates for its products.

Updated: February 5, 2015. Author: Jonathan Davis