The flaw, described as a universal cross-site scripting vulnerability, was disclosed Saturday on the Full Disclosure mailing list by David Leo, a researcher with a security consultancy firm called Deusen. Leo's post included a link to a proof-of-concept exploit that demonstrates the attack using the dailymail.co.uk website as the target.
When opened in Internet Explorer 11 on an up to date installation of Windows 8.1, the exploit page provides the user with a link. When the link is clicked, the dailymail.co.uk website opens in a new window, but after 7 seconds the site's content is replaced with a page reading "Hacked by Deusen."
The rogue page is loaded from an external domain, but the browser's address bar keeps showing www.dailymail.co.uk, which means the technique can be used to build credible phishing attacks.
Instead of dailymail.co.uk, an attacker could use a bank's website and then inject a rogue form asking the user for private financial information. Since the browser's address bar would continue to display the bank's legitimate domain name, there would be little indication to the user that something is amiss.
The attack also works if the targeted site uses HTTPS (HTTP with SSL encryption), according to Joey Fowler, a senior security engineer at Tumblr, who confirmed the vulnerability in a response to Leo's original post.
Fowler found "quirks" testing the vulnerability, but concluded that the attack "most definitely works."
"It even bypasses standard HTTP-to-HTTPS restrictions," he wrote.
What's worse is that the Same-Origin Policy (SOP) is bypassed. This is a security mechanism that exists in all browsers to prevent code from one website that is loaded in an iframe in a different website to manipulate the content of that site, or vice versa.
For example, without this security boundary, site A could read the authentication cookies of a user logged into site B when that user visited site A. Authentication cookies are identifiers that websites set in browsers in order to remember authenticated users. If copied into another browser, these cookies can automatically grant access to the accounts they correspond to.
This IE flaw has the same effect as cross-site scripting (XSS) vulnerabilities, which typically allow attackers to steal cookies and display rogue content on vulnerable sites by injecting rogue content through their URLs. The Internet Explorer vulnerability renders all sites vulnerable to XSS, which is why Leo called it an universal XSS.
"Universal XSS is a browser flaw which would allow an attacker to execute script content in the context of any site regardless of a pre-existing flaw on the website," said Craig Young, a security researcher at Tripwire, who also analyzed the published exploit. "Successful exploitation of a universal XSS bug requires only that an attacker can entice a victim to load a malicious site. This could be in the form of malvertising, phishing, or even comment spam."
The malvertising vector is already widely used by attackers and involves tricking advertising networks into accepting malicious ads that then get displayed on legitimate websites. By combining malvertising with this IE flaw, attackers could steal authentication cookies en-masse from different websites.
Young couldn't confirm whether exploiting this vulnerability can happen without user interaction -- the proof-of-concept exploit requires victims to click on a link. However, even if user interaction is required, many social engineering techniques can be used to obtain it.
According to Young, the flaw might only affect IE 11 or a limited number of newer IE versions. For example, the researcher couldn't replicate the attack on IE 8 running on Windows 7.
The vulnerability might not be as critical as the Same-Origin bypass flaw discovered in the Android default browser a few months ago, but Microsoft should address it as soon as possible, Young said.
"We are not aware of this vulnerability being actively exploited and are working on a security update," a Microsoft representative said via email. "We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information."
The good news is that websites can protect themselves from being targeted through this vulnerability by using a security header called X-Frame-Options with the "deny" or "same-origin" values, which prevents other sites from loading them in iframes. This was noted by both Folwer and Daniel Cid, the CTO of Web security firm Sucuri.
Unfortunately, this is a recommended security header that very few sites make use of, Cid said via email.