A serious bug in Internet Explorer 11 for Windows 7 and 8.1 could let attackers steal people's login credentials and even modify Web pages.The flaw is a type of cross-site scripting (XSS) bug; carefully written JavaScript it lets attackers bypass what's called the "Same-Origin Policy," a rule of the Internet that prevents websites from being able to modify each other's content. It even works if the site uses the more secure HTTPS protocol instead of HTTP.
When opened in Internet Explorer 11 on an up to date installation of Windows 8.1, the exploit page provides the user with a link.
According to PcWorld, when the link is clicked, the dailymail.co.uk website opens in a new window, but after 7 seconds the site’s content is replaced with a page reading “Hacked by Deusen.”
The rogue page is loaded from an external domain, but the browser’s address bar keeps showing www.dailymail.co.uk, which means the technique can be used to build credible phishing attacks.
Instead of dailymail.co.uk, an attacker could use a bank’s website and then inject a rogue form asking the user for private financial information. Since the browser’s address bar would continue to display the bank’s legitimate domain name, there would be little indication to the user that something is amiss.
Attackers could also create extremely credible phishing pages that would appear to have a legitimate website's URL. The phishing pages could be crafted to look like a bank's homepage or other important site, and trick people into disclosing important information, or simply contain malware.
Microsoft says that as of now, there's been no evidence that attackers have been using this flaw in the wild. The company also points out that attackers would have to lure targets to their phishing websites in order to exploit it.
To avoid attacks using this exploit, simply avoid using Internet Explorer until Microsoft issues a patch. Earlier versions of IE may also be vulnerable, but the latest versions of Mozilla Firefox and Google Chrome are not.
