Major security flaw in Internet Explorer puts users at risk

A major security flaw has been found in the very latest versions of Internet Explorer.

The vulnerability allows attackers to bypass browser security in order to steal login credentials and user data for any website, as well as launch potentially dangerous phishing attacks.

The vulnerability, which is said to affect users running IE11 on Windows 7 and 8.1, allows attackers to bypass the same-origin policy, an important part of web browser security, in order to insert a malicious piece of code into a link that ordinarily looks like it is from a trusted or familiar source.

The flaw was first highlighted by David Leo, a researcher with Internet security firm Deusen.

In order to demonstrate the vulnerability, Leo used the Daily Mail website as an example.

When the Daily Mail website was opened in IE11, the malicious code provided the user with what appeared to be a legitimate link.

Security flaw found in Internet Explorer. Pic: arstechnica

When the link was clicked, a new window opened with what looked to be the Daily Mail website; however, after a few seconds the newly opened window displayed the words “Hacked by Deusen”.

Rather than being used on the Daily Mail website, as it was in the demo, the same kind of attack could be launched against one of your social media accounts, your private email or, even worse, the website of your bank.

And because the link appears to be on a legitimate site right until the very last moment, even the most security-conscious web users can be duped.

Joey Fowler, a security expert for Tumblr, carried out his own tests after reading the original claims and he also confirmed the security flaw.

In response to the highlighted vulnerability in Internet Explorer, Ars Technica reports that Microsoft has released the following statement:

We are not aware of this vulnerability being actively exploited and are working on a security update. To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.

Microsoft engineers are said to be working on a security patch to fix the vulnerability.

2 Comments

  1. Microsoft delivers malware. How is this news? This is pretty much the normal state of Windows/IE.

  2. How is this news? IE is the world’s best malware delivery system. Working as designed.