IE Hole Allows Attackers to Phish

Thursday, February 5, 2015 @ 02:02 PM gHale

Microsoft is now investigating an Internet Explorer vulnerability that could lead to phishing attacks.

This vulnerability lets attackers bypass the Same-Origin Policy, a fundamental browser security mechanism, to launch phishing attacks or even hijack users’ accounts, said David Leo, a researcher at the security firm Deusen. The flaw is a universal cross-site scripting (UXSS) vulnerability: a bug in the browser itself rather than in any one website.


Leo disclosed the vulnerability Saturday and included a link to a proof-of-concept exploit that demonstrates the attack using the dailymail.co.uk website as the target.

When opened in Internet Explorer 11 on an up-to-date installation of Windows 8.1, the exploit page presents the user with a link. When the user clicks it, the dailymail.co.uk website opens in a new window, but after about 7 seconds the site’s content is replaced with a page reading “Hacked by Deusen.”

The rogue page comes from an external domain, but the browser’s address bar keeps showing www.dailymail.co.uk, which is what makes the technique suitable for credible phishing attacks.

Instead of dailymail.co.uk, an attacker could target a bank’s website and inject a rogue form asking the user for private financial information. Because the address bar would continue to display the bank’s legitimate domain name, the victim would have little indication that anything was wrong.

The attack also works if the targeted site uses HTTPS (HTTP over SSL/TLS), according to Joey Fowler, a senior security engineer at Tumblr.

The vulnerability bypasses the Same-Origin Policy (SOP), a mechanism built into every browser that stops script running in a document from one origin (scheme, host and port) from reading or modifying the content of a document from a different origin, whether that document is loaded in an iframe, a popup or a new window, and vice versa.

Without this boundary, site A could read the authentication cookies of a user logged into site B whenever that user visited site A. Authentication cookies are identifiers that websites set in the browser to remember users who have logged in; copied into another browser, they grant access to the corresponding accounts without a password.

This flaw has the same effect as a cross-site scripting (XSS) vulnerability, which lets attackers steal cookies and display rogue content on a vulnerable site by injecting script into it, typically through a crafted URL. Because the Internet Explorer bug gives that same capability against every site, regardless of how carefully the site itself was written, Leo called it a universal XSS.

Malvertising, tricking advertising networks into accepting malicious ads that are then displayed on legitimate websites, is already widely used by attackers. Combined with this IE flaw, a single malicious ad could steal authentication cookies en masse from other websites its viewers are logged into.

The flaw may affect only IE 11 or a small number of recent IE versions; the researcher could not reproduce the attack with IE 8 on Windows 7.

“We are not aware of this vulnerability being actively exploited and are working on a security update,” a Microsoft official said.

Websites can protect themselves against this particular proof of concept with the X-Frame-Options response header set to DENY or SAMEORIGIN (the value is SAMEORIGIN, not “same-origin”; browsers ignore unrecognised values and leave the page frameable), which stops other sites from loading them in iframes. This blocks the exploit’s framing step but does not fix the browser bug, so it is a stopgap until Microsoft’s update ships.


