PoC Exploit Published for Unpatched Internet Explorer Flaw

A researcher has identified a serious universal cross-site scripting (UXSS) vulnerability in the latest version of Microsoft’s Internet Explorer web browser.

The issue was discovered by David Leo, a researcher at the UK-based security firm Deusen. The vulnerability can be leveraged to completely bypass Same Origin Policy (SOP), the policy that prevents scripts loaded from one origin from interacting with a resource from another origin.

The bug allows an attacker to “steal anything from another domain, and inject anything into another domain,” the expert said in a post on Full Disclosure.

A proof-of-concept (PoC) exploit for the vulnerability, tested on Internet Explorer 11 running on Windows 7, was published by Leo over the weekend. The PoC shows how an external domain can alter the content of a website. In the demonstration, the text “Hacked by Deusen” is injected into the website of The Daily Mail.

The URL in the browser’s address bar remains the same — in this case dailymail.co.uk — even after the arbitrary content is injected, which makes this vulnerabilty ideal for phishing attacks.

Joey Fowler, a senior security engineer at Tumblr, said the exploit has some “quirks,” but it works as long as the targeted website doesn’t have X-Frame-Options headers with “deny” or “same-origin” values.

“Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is),” Fowler said in a reply to Leo’s Full Disclosure post. “It looks like, through this method, all viable XSS tactics are open!”

Fowler has also highlighted the fact that the exploit can even bypass standard HTTP-to-HTTPS restrictions.

The issue was reported to Microsoft on October 13, 2014. The company says it’s working on fixing the vulnerability, but has pointed out that an attacker needs to trick potential victims into visiting a malicious website for the exploit to work.

“To successfully exploit this issue, an adversary would first need to lure a person, often through trickery such as phishing, to a malicious website that they’ve created. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against nefarious phishing websites,” a Microsoft spokesperson told SecurityWeek. “We’re not aware of this vulnerability being actively exploited and are working to address it with an update. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.”

This isn’t the first time a vulnerability affecting Microsoft products is disclosed before the company manages to release a patch. Over the past weeks, Google’s Project Zero published the details of three Windows vulnerabilities after the expiration of a 90-day disclosure deadline.