Internet Explorer afflicted by universal XSS flaw


— 9:33 AM on February 4, 2015

Internet Explorer 11 on Windows 8.1 and Windows 7 is presently affected by a universal XSS flaw. This bug allows an attacker to craft a malicious website that can then inject or steal information, such as authentication cookies, from websites the victim interacts with.

Words sometimes only go so far to explain the nature of such an attack. This proof of concept harmlessly demonstrates the power at hand.

Microsoft has acknowledged the exploit and is working toward a fix. In the meantime, your options to protect yourself are limited. Since this is a flaw with the way the rendering engine enforces the same-origin policy, tricks like Enhanced Protected Mode and even the Enhanced Mitigation Experience Toolkit are going to be ineffective.

Using another browser in the short term is probably the easiest solution. A more difficult option is not clicking on links to sites you don't recognize or frequent. That's much harder in this day and age, with the sharing of links amongst family and friends in social media, to speak nothing of the trouble of evaluating a shortened link. You could also disable JavaScript in IE if you're willing or able to deal with all the websites that will break. Here's how to do it:

  • Go to Internet Options (either through the control panel or the cog wheel in IE11)
  • Security tab
  • Make sure Internet Zone is highlighted
  • Click Custom Level
  • Scroll down to Scripting category
  • Set Active scripting to Disable

This is one of those areas where extensions like NoScript would be handy. Perhaps a Spartan will appear and save us.

Like what we're doing? Pay what you want to support TR and get nifty extra features.
Top contributors
1. BIF - $340 2. Ryu Connor - $250 3. mbutrovich - $250
4. YetAnotherGeek2 - $200 5. End User - $150 6. Captain Ned - $100
7. Anonymous Gerbil - $100 8. Bill Door - $100 9. ericfulmer - $100
10. dkanter - $100
   
Register
Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.