Full Report
A vulnerability in the latest patched version of Microsoft Internet Explorer that could allow hackers to launch "highly credible phishing attacks" has been uncovered, according to PC World.
Analysis Summary
# Vulnerability: Internet Explorer Same-Origin Policy Bypass Leading to Credible Phishing
## CVE Details
- CVE ID: Not explicitly listed in the provided text.
- CVSS Score: Not available.
- CWE: Not explicitly listed, related to Bypassing Same-Origin Policy (likely CWE-200 or similar access control failure in context).
## Affected Systems
- Products: Microsoft Internet Explorer
- Versions: Internet Explorer 11 (Latest patched versions at the time of the article, running on Windows 7 and 8.1).
- Configurations: Affects both standard HTTP and SSL/HTTPS protected sites.
## Vulnerability Description
A vulnerability exists in fully patched versions of Internet Explorer 11 residing on Windows 7 and 8.1 that allows attackers to bypass the Same-Origin Policy (SOP). This bypass enables malicious actors to load content from remote domains while keeping the address bar displaying the legitimate, trusted URL. This can be used to overlay malicious content (like a fake login prompt) onto a trusted site, making phishing attacks appear highly credible, even when the original site uses SSL encryption.
## Exploitation
- Status: PoC available (demonstrated against dailymail.co.uk). Microsoft stated it was working on a fix; the article does not say the flaw was being exploited in the wild at the time of reporting.
- Complexity: Not explicitly detailed; that the technique also works against SSL-protected sites suggests moderate technical skill is required for a robust attack.
- Attack Vector: Network (Requires luring the user to a malicious website which initiates the cross-site content display).
## Impact
- Confidentiality: High (Can steal login credentials via overlaid fake forms).
- Integrity: Medium (Content displayed can be entirely manipulated).
- Availability: Low (The core browsing function is generally unaffected, though content rendering is hijacked).
## Remediation
### Patches
- A security update was being worked on by Microsoft at the time of the article (February 2015). *Specific patch version not detailed.*
### Workarounds
1. **Webmasters:** Send the `X-Frame-Options` HTTP security header with the value `DENY` or `SAMEORIGIN` so that other sites cannot load the content in iframes.
2. **Users:**
    * Avoid opening links from untrusted sources and visiting untrusted sites.
    * Log out of websites when finished to help protect information.
    * Microsoft noted that SmartScreen (default on newer IE versions) helps protect against phishing websites.
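As an added illustration of the webmaster workaround above (this is example code, not from the article, the disclosure, or Microsoft), the following WSGI middleware sets `X-Frame-Options` with one of its two canonical values and, going one step beyond the article, also emits the equivalent Content-Security-Policy `frame-ancestors` directive that newer browsers honour. It also includes a small audit function that flags responses which lack the header or carry a malformed value such as `same-origin`. The `login_page` app and its form are constructed stand-ins.

```python
# Added example: anti-framing response headers plus a header audit.
# X-Frame-Options is the mitigation named in the article; the CSP
# frame-ancestors directive is added here as its modern equivalent.
from wsgiref.util import setup_testing_defaults

# The only values X-Frame-Options accepts for blocking: no framing at all,
# or framing by the same origin only.
VALID_XFO = ("DENY", "SAMEORIGIN")


def framing_headers(policy="DENY"):
    """Return the headers that stop foreign origins from framing a page."""
    if policy not in VALID_XFO:
        raise ValueError(f"X-Frame-Options must be one of {VALID_XFO}, got {policy!r}")
    frame_ancestors = "'none'" if policy == "DENY" else "'self'"
    return [
        ("X-Frame-Options", policy),
        ("Content-Security-Policy", f"frame-ancestors {frame_ancestors}"),
    ]


def add_framing_headers(app, policy="DENY"):
    """WSGI middleware: drop any X-Frame-Options the app set and add ours.

    An existing Content-Security-Policy header is left in place; browsers
    enforce multiple CSP headers together, so adding a second one only
    makes the policy stricter.
    """
    extra = framing_headers(policy)

    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            return start_response(status, kept + extra, exc_info)
        return app(environ, start)
    return wrapped


def audit_framing_headers(headers):
    """Return a list of findings for one captured response header list."""
    findings = []
    xfo = [v for k, v in headers if k.lower() == "x-frame-options"]
    if not xfo:
        findings.append("missing X-Frame-Options")
    for value in xfo:
        if value.strip().upper() not in VALID_XFO:
            findings.append(f"unrecognised X-Frame-Options value {value!r}")
    has_csp = any(k.lower() == "content-security-policy" and "frame-ancestors" in v
                  for k, v in headers)
    if not has_csp:
        findings.append("no CSP frame-ancestors directive")
    return findings


def login_page(environ, start_response):
    """Constructed stand-in for a site's login page (sends no framing headers)."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method='post'><input name='user'><input name='pw'></form>"]


def capture(app):
    """Run a WSGI app once offline and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for name, app in (("unprotected", login_page),
                      ("protected", add_framing_headers(login_page))):
        status, headers, _ = capture(app)
        print(name, status, audit_framing_headers(headers) or "OK")
```

Running the block prints the audit findings for the bare login page (missing header, no CSP directive) and an empty finding list for the wrapped one. The audit is also the check to run against a live site's response headers after deploying the workaround, since a value such as `same-origin` is silently ignored by browsers and leaves the page frameable.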
## Detection
- **Indicators of Compromise:** Unexpected content overlaying a legitimate website, or visual discrepancy where the displayed URL does not match the loaded content/service.
- **Detection Methods and Tools:** Standard endpoint protection may flag the malicious interaction, but detection relies heavily on adhering to the vendor's guidance regarding untrusted links.
## References
- Vendor Advisories: Microsoft was aware and working on a fix (Statement to Ars Technica).
- Relevant links:
    * PC World article: hxxp://www.pcworld.com/article/2879372/dangerous-ie-vulnerability-opens-door-to-powerful-phishing-attacks.html
    * Disclosure: hxxp://seclists.org/fulldisclosure/2015/Feb/0
    * Response: hxxp://seclists.org/fulldisclosure/2015/Feb/10