Your authentication cookies could be up for grabs in the latest Internet Explorer 11 vulnerability

Kareem Anderson

Your authentication cookies could be up for grab in the latest Internet Explorer 11 vulnerability

It would seem in an age of social networking and shortened URL links, driving traffic to malicious sites ladened with login stealing credentials may be on the rise and a vulnerability found in a fully patched version of Internet Explorer isn’t helping matters.

Microsoft officials said they are working on a fix for the bug, that targets IE 11 on both Windows 7 and 8.1.

We are not aware of this vulnerability being actively exploited and are working on a security update. To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.

The bug, a universal cross-site scripting (or XSS) bug, allows attackers to steal login credentials while also injecting malicious content into the ‘users’ web browsing session. This attack bypasses the same-origin policy, which is a principle in Web applications models. This application is meant to prevent sites from accessing or modifying each others browser cookies. Using currently supported versions of Internet Explorer running the latest patch allows websites to in fact violate this rule.

On a lighter note, it would appear that for the exploit to work, a modal dialog must appear and then be dismissed. That means some human interaction has to take place; and that in of itself is a bit more complex than simply dropping into a site and instantly being bugged. The person at the keyboard has to wait the allotted time before dismissing the dialog box and allowing time for the bug to inject itself. It would seem Microsoft patched this a few patches back and somehow missed it again in this batch of patches.