Update: As estimated, the community has responded to this public disclosure 4 days after it was announced. MS has been notified Oct-2014. CVE assigned is CVE-2015-0072.
Today a vulnerability was disclosed (no CVE) on seclists.org by the security company called Deusen. The mechanics and PoC were also disclosed, proving that the same origin policy of IE browser can be completely bypassed, allowing malicious domains to control the browser’s DOM for any web application visited by a user.
No info yet on why this was not under a responsible disclosure model, but it is of lesser importance right now.
Where is this based?
The “same origin policy” is the policy that prohibits client-side scripts (javascript) running on a given website, to affect the operation/security/user-experience of other Web Sites content visualized in the browser.
Bypassing the same origin policy, means that a malicious web site that a user visits, can execute Javascript that can (1) modify, (2) read information from other web sites, but also (3) extrude personal information back to the attacker.
For example, by visiting a malicious resource, while the browser suffers by the vulnerability, allows the resources to read your Outlook Web Access session or Ebanking session. If carefully exploited, it allows to even control the browser.
What is affected?
Up until now, we can identify successful exploitation on modern IE browsers both Windows 7 and XP.
What is to be done?
We suspect that the issue will get broad popularity by tomorrow.
It is advised to either:
- Use alternative browsers to access WWW until further notice from Microsoft
- Navigate only to web sites that are totally trusted.
- Disable Scripts on Internet Explorer (ref. http://www.technipages.com/internet-explorer-enabledisable-javascript)
Source of information
http://seclists.org/fulldisclosure/2015/Feb/0
