This bug lets attackers and phishers steal authentication cookies, which can then be used to access the accounts those cookies belong to. Most email providers, banks and social networking websites rely on such cookies to keep users logged in and grant them access to their data.
Once in the hands of a cybercriminal, this information could be used to gain access to the victim’s credit card information and more, possibly resulting in identity theft.
When the internet explores you…
An experiment that demonstrates the vulnerability that could be used to exploit IE can be found here. Normally, the same-origin policy (a core concept in the web application security model) prevents a page from one site from reading or modifying cookies or other content that belongs to another site. This vulnerability lets an attacker bypass that policy and inject client-side script into pages from other sites as the user views them. Because the injection works against any site, rather than depending on a flaw in the target site itself, it is known as universal cross-site scripting (UXSS).
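To make the policy concrete, here is a small model of the check a browser performs before letting script touch a page's cookies. This is an added example, not code from the original post or from the IE demonstration linked above; the cookie jar contents and host names (bank.example, mail.example) are constructed for illustration, and cookie scoping is simplified to an exact host match. A UXSS bug is one where the browser runs attacker script as though it had passed this check.

```javascript
// Added example (not from the original post): a model of the browser's
// same-origin check and of what document.cookie exposes to a script.
// Cookie jar contents below are constructed for the example.
const cookieJar = [
  { host: "bank.example", name: "session", value: "s3cr3t", httpOnly: true },
  { host: "bank.example", name: "theme",   value: "dark",   httpOnly: false },
  { host: "mail.example", name: "sid",     value: "abc123", httpOnly: false },
];

// An origin is the tuple (scheme, host, port). The URL parser drops default
// ports, so https://bank.example and https://bank.example:443 are the same
// origin, while a different scheme, subdomain or explicit port is not.
function origin(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}${u.port ? ":" + u.port : ""}`;
}

function sameOrigin(a, b) {
  return origin(a) === origin(b);
}

// What document.cookie returns to a script running at scriptUrl for a
// document at pageUrl. Cross-origin access is refused outright; cookies
// marked HttpOnly are never handed to script, even from the same origin.
// Real browsers also apply Domain, Path and Secure matching, which this
// model simplifies to an exact host comparison.
function documentCookie(scriptUrl, pageUrl, jar = cookieJar) {
  if (!sameOrigin(scriptUrl, pageUrl)) {
    throw new Error("SecurityError: blocked by the same-origin policy");
  }
  const host = new URL(pageUrl).hostname;
  return jar
    .filter(c => c.host === host && !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// A bank page reading its own cookies gets the theme cookie but not the
// HttpOnly session cookie; a script from attacker.example gets an error.
if (typeof require !== "undefined" && require.main === module) {
  console.log(documentCookie("https://bank.example/", "https://bank.example/account"));
  try {
    documentCookie("http://attacker.example/", "https://bank.example/account");
  } catch (e) {
    console.log(e.message);
  }
}
```

Two points follow from the model. First, subtle origin differences matter: http versus https, www.bank.example versus bank.example, or an explicit non-default port all make two URLs different origins. Second, the HttpOnly flag keeps a session cookie out of document.cookie, which limits outright cookie theft, but it does not stop script that already runs inside the victim's origin from issuing requests that carry the cookie, so it is a mitigation for one consequence of UXSS rather than for the bug itself.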
Microsoft, in its defence, pointed out that to do any harm an attacker would first have to lure the victim to a malicious website, which the SmartScreen filter may block. This was the statement issued:
“We are not aware of this vulnerability being actively exploited and are working on a security update. To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.”
For now, it is best to avoid Internet Explorer until Microsoft releases a patch in the form of a security update. After all, there are plenty of malicious websites that the SmartScreen filter does not protect you against. Emsisoft Anti-Malware, though, includes web protection that blocks malicious and phishing websites regardless of which browser you use.
Have a nice (exploit-free) day!