David Leo, a researcher at the security consultancy Deusen, recently disclosed on the Full Disclosure mailing list a flaw in the Internet Explorer browser that is best described as a universal cross-site scripting vulnerability.
The Internet Explorer vulnerability allows attackers to bypass the Same-Origin Policy (SOP). The Same-Origin Policy is the fundamental rule on which browser security rests: it ensures that code from one website cannot read or modify the content of a page from a different website, for example a page it has loaded in an iframe. Because of the IE flaw, attackers are free to mount highly believable phishing attacks or to take control of a user's account on any website.
David Leo included a link in his post that clearly demonstrates how serious the issue is. He used dailymail.co.uk as the target website. When you open the exploit page in Internet Explorer 11, it presents a single link. As soon as you click it, a new window appears showing the dailymail.co.uk website, but within 7 seconds the content of the site is replaced with a page reading “Hacked by Deusen.”
This false page is actually loaded from an external domain, yet the most alarming point is that the browser's address bar still shows “www.dailymail.co.uk”. The same technique can therefore be turned into a powerful phishing attack: an attacker could target any website, such as a bank or an insurer, and obtain the customer's data, because the URL shown in the browser never changes.
Joey Fowler, a senior security engineer at Tumblr, replied to David Leo's post saying that the attack still works even when the target website uses HTTPS, as it bypasses the standard HTTP-to-HTTPS restrictions.
The Internet Explorer flaw has the same effect as a cross-site scripting (XSS) vulnerability, in which malicious content is displayed on a website through the URL. Leo called it a “Universal XSS” because a single IE vulnerability makes every site vulnerable to XSS.
Asked about the issue, Microsoft responded by email:
“We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.”
Finally, the effective measure a website can take to protect itself is to send the X-Frame-Options security header with the value DENY or SAMEORIGIN. This prevents other sites from loading its pages in iframes.
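As an added illustration of that mitigation (not code from the original article or from Deusen), the following triage helper classifies a site's X-Frame-Options response header the way a defender checking whether a page can be framed by another origin would. The header names and sample responses are constructed for the example; IE 11 never implemented the CSP frame-ancestors directive, so for IE-era clients X-Frame-Options is the header that matters.

```python
# Triage helper: does a response's X-Frame-Options header stop other origins
# from loading the page in an iframe? Values follow RFC 7034: DENY and
# SAMEORIGIN protect; ALLOW-FROM is obsolete; anything else is ignored by
# browsers, which then allow framing.
from typing import Dict, List, Tuple, Union

HeaderValue = Union[str, List[str]]
PROTECTING_VALUES = {"deny", "sameorigin"}


def _xfo_tokens(headers: Dict[str, HeaderValue]) -> List[str]:
    """Collect every X-Frame-Options value, case-insensitively.

    Proxies sometimes emit the header twice, and HTTP may fold repeated
    headers into one comma-separated value, so both forms are handled.
    """
    tokens: List[str] = []
    for name, value in headers.items():
        if name.lower() != "x-frame-options":
            continue
        for raw in (value if isinstance(value, list) else [value]):
            tokens.extend(t.strip().lower() for t in raw.split(",") if t.strip())
    return tokens


def assess_framing_protection(headers: Dict[str, HeaderValue]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is protected, unprotected or ambiguous."""
    tokens = _xfo_tokens(headers)
    if not tokens:
        return "unprotected", "no X-Frame-Options header; any origin may frame this page"
    unique = list(dict.fromkeys(tokens))  # de-duplicate, keep order
    if len(unique) > 1:
        return "ambiguous", f"conflicting X-Frame-Options values {unique}; treat as unprotected"
    value = unique[0]
    if value in PROTECTING_VALUES:
        return "protected", f"X-Frame-Options: {value.upper()} blocks cross-origin framing"
    if value.startswith("allow-from"):
        return "ambiguous", "ALLOW-FROM is obsolete and ignored by several browsers"
    return "unprotected", f"unrecognised X-Frame-Options value {value!r} is ignored by browsers"


# Constructed sample responses, one header set per case.
SAMPLE_RESPONSES: Dict[str, Dict[str, HeaderValue]] = {
    "missing header": {"Content-Type": "text/html"},
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin, lowercase key": {"x-frame-options": "sameorigin"},
    "conflicting": {"X-Frame-Options": ["SAMEORIGIN", "ALLOWALL"]},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def triage(samples: Dict[str, Dict[str, HeaderValue]]) -> Dict[str, str]:
    """Map each sample name to its verdict."""
    return {name: assess_framing_protection(h)[0] for name, h in samples.items()}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        verdict, reason = assess_framing_protection(headers)
        print(f"{name:28} {verdict:12} {reason}")
```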