Internet Explorer XSS Zero-Day Bug

Last week, a vulnerability was found in “fully patched” versions of Internet Explorer (IE 10 and 11) that allowed attackers to steal login credentials and inject malicious content into users’ browsing sessions. The vulnerability is a cross-site scripting (XSS) bug. An XSS bug is one that allows attackers to bypass the Same Origin Policy (SOP), a principle of Web application models that prevents one site from accessing or modifying browser cookies from another.

Browser security depends heavily on the SOP. Simply put, any resource specific to site A that is stored in the browser, such as cookies or JavaScript objects, should only be visible when looking at site A. For example, if you visit and I set a cookie, “Last searched ‘funny cat videos’”, only should be able to read that data back. If you then visit, the cookie shouldn’t be able to be viewed.

Cross-site scripting refers to the injection of JavaScript from a site with malicious intent into another. In theory, if I could inject a script into a web page, I could then access that page’s cookies, read text displayed on that page, and post the data to a third-party site to collect for my own illegal purposes.

It should be clear why this is a serious vulnerability. By stealing session cookies, XSS bugs could allow an attacker to clone your login session and access one of your online accounts (a bank account perhaps). XSS bugs also allow attackers to rewrite data inside a web page; an attacker could change downloadable links into malware-tainted links.
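The isolation described above can be modelled in a few lines. This is an added example, not code from the original post: it compares origins the way the SOP does and shows which cookies a script running in a given page can see. Any script executing in a site A page, injected or not, gets the site A view, which is why marking the session cookie `HttpOnly` keeps it out of script reach. The hostnames, the cookie values and the host-only cookie model are simplifying assumptions.

```javascript
// Simplified model (added example): cookies are host-only, and scripts see
// only the cookies of the page they run in, minus HttpOnly ones.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = scheme + host + port, the tuple the Same Origin Policy compares.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol]}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Record a cookie as set by a response from pageUrl.
  set(pageUrl, name, value, { httpOnly = false } = {}) {
    this.cookies.push({ host: new URL(pageUrl).hostname, name, value, httpOnly });
  }

  // What document.cookie would expose to script running in pageUrl.
  visibleToScript(pageUrl) {
    const host = new URL(pageUrl).hostname;
    return this.cookies
      .filter((c) => c.host === host && !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Constructed scenario; both hostnames are placeholders.
function demo() {
  const jar = new CookieJar();
  jar.set("https://site-a.example/search", "last_search", "funny cat videos");
  jar.set("https://site-a.example/login", "session", "constructed-token", { httpOnly: true });
  return {
    onSiteA: jar.visibleToScript("https://site-a.example/results"),
    onSiteB: jar.visibleToScript("https://site-b.example/"),
  };
}
```

Without the `httpOnly` option on the session cookie, `onSiteA` would include it, and so would the view of any script injected into that page.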

There is no proof that Microsoft failed to meet a patch deadline or that they were contacted in advance of this find. Regardless, Microsoft is currently investigating and looking for a patch.

– David Durst