Internet Explorer exploit could let phishers steal logins

A vulnerability in the latest patched version of Microsoft Internet Explorer that could allow hackers to launch "highly credible phishing attacks" has been uncovered, according to PC World. 

The exploit allows hackers to bypass the Same-Origin Policy - the security mechanism that prevents sites accessing or modifying browser cookies or other content from other websites. It was found to work on the latest patched version of Internet Explorer 11 both in Windows 7 and 8.1.

The Internet Explorer exploit was disclosed by security researcher David Leo, who included a proof-of-concept exploit that demonstrates how an attack could take place using the dailymail.co.uk website as an example. Internet Explorer users clocking the link found the site opening as expected, only to be replaced with a 'Hacked by Deusen" text after seven seconds. Although the hacking notification is served from an external domain, the address bar continues to show www.dailymail.co.uk, making phishing threats look more credible than usual. A fake banking site asking for login credentials could look worryingly close to the original when the browser bar seems to be serving the legitimate URL.

Worse, Joey Fowler - a senior security engineer at Tumblr - discovered that the attack will also work on sites using SSL encryption. Writing in response to the disclosure, he noted that "it even bypasses standard HTTP-to-HTTPS restrictions."

Microsoft, for its part is aware of the threat, and is working on a fix in the next security update. In a statement to Ars Technica, a spokesperson said: "We are not aware of this vulnerability being actively exploited and are working on a security update."

"To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information."

Until a fix is issued, PC World notes that webmasters can protect themselves by "using a security header called X-Frame-Options with the 'deny' or 'same-origin' values, which prevents other sites from loading them in iframes."

360b / Shutterstock.com