Major Internet Explorer Vulnerability Publicly Disclosed Today
Update: As estimated, the community has responded to this public disclosure 4 days after it was announced. MS has been notified Oct-2014. CVE assigned is CVE-2015-0072.
Today a vulnerability was disclosed (no CVE) on seclists.org by the security company called Deusen. The mechanics and PoC were also disclosed, proving that the same origin policy of IE browser can be completely bypassed, allowing malicious domains to control the browser’s DOM for any web application visited by a user.
No info yet on why this was not under a responsible disclosure model, but it is of lesser importance right now.
Where is this based?
For example, by visiting a malicious resource, while the browser suffers by the vulnerability, allows the resources to read your Outlook Web Access session or Ebanking session. If carefully exploited, it allows to even control the browser.
What is affected?
Up until now, we can identify successful exploitation on modern IE browsers both Windows 7 and XP.
What is to be done?
We suspect that the issue will get broad popularity by tomorrow.
It is advised to either:
- Use alternative browsers to access WWW until further notice from Microsoft
- Navigate only to web sites that are totally trusted.
Source of information