Security Experts:

Connect with us

Hi, what are you looking for?



PoC Exploit Published for Unpatched Internet Explorer Flaw

A researcher has identified a serious universal cross-site scripting (UXSS) vulnerability in the latest version of Microsoft’s Internet Explorer web browser.

A researcher has identified a serious universal cross-site scripting (UXSS) vulnerability in the latest version of Microsoft’s Internet Explorer web browser.

The issue was discovered by David Leo, a researcher at the UK-based security firm Deusen. The vulnerability can be leveraged to completely bypass Same Origin Policy (SOP), the policy that prevents scripts loaded from one origin from interacting with a resource from another origin.

The bug allows an attacker to “steal anything from another domain, and inject anything into another domain,” the expert said in a post on Full Disclosure.

A proof-of-concept (PoC) exploit for the vulnerability, tested on Internet Explorer 11 running on Windows 7, was published by Leo over the weekend. The PoC shows how an external domain can alter the content of a website. In the demonstration, the text “Hacked by Deusen” is injected into the website of The Daily Mail.

The URL in the browser’s address bar remains the same — in this case — even after the arbitrary content is injected, which makes this vulnerabilty ideal for phishing attacks.

Joey Fowler, a senior security engineer at Tumblr, said the exploit has some “quirks,” but it works as long as the targeted website doesn’t have X-Frame-Options headers with “deny” or “same-origin” values.

“Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is),” Fowler said in a reply to Leo’s Full Disclosure post. “It looks like, through this method, all viable XSS tactics are open!”

Fowler has also highlighted the fact that the exploit can even bypass standard HTTP-to-HTTPS restrictions.

The issue was reported to Microsoft on October 13, 2014. The company says it’s working on fixing the vulnerability, but has pointed out that an attacker needs to trick potential victims into visiting a malicious website for the exploit to work.

“To successfully exploit this issue, an adversary would first need to lure a person, often through trickery such as phishing, to a malicious website that they’ve created. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against nefarious phishing websites,” a Microsoft spokesperson told SecurityWeek. “We’re not aware of this vulnerability being actively exploited and are working to address it with an update. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.”

This isn’t the first time a vulnerability affecting Microsoft products is disclosed before the company manages to release a patch. Over the past weeks, Google’s Project Zero published the details of three Windows vulnerabilities after the expiration of a 90-day disclosure deadline.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet