Last week, a vulnerability in “fully patched” versions of Internet Explorer (IE 10 and 11) was found that allowed attackers to steal login credentials and inject malicious content into users’ browsing sessions. The vulnerability is a cross-site scripting (XSS) bug. An XSS bug is one that allows attackers to bypass the Same Origin Policy (SOP), the principle of the web application model that prevents one site from accessing or modifying another site's browser cookies.
It should be clear why this is a serious vulnerability. By stealing session cookies, an XSS bug could allow an attacker to clone your login session and access one of your online accounts (a bank account, perhaps). XSS bugs also allow attackers to rewrite data inside a web page: an attacker could change download links into links to malware.
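The two outcomes named above, session-cookie theft and rewriting of page content, are the ones a site operator can limit on their own side. The following is an added example, not code from the original post and unrelated to the IE flaw's internals: it shows the standard output-encoding fix for the injection pattern behind most XSS bugs, and a `Set-Cookie` header built with the `HttpOnly` flag, which keeps the session cookie out of reach of `document.cookie` even when script does run in the page. Function and cookie names are assumptions chosen for illustration; the input strings are constructed.

```javascript
// Added example (not from the original post). Plain Node.js, no dependencies.

// 1. Output encoding: escape the five HTML-significant characters so that
//    untrusted text placed into HTML cannot be parsed as markup.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: raw interpolation lets user-supplied text become markup.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Hardened pattern: the same template with the untrusted value encoded.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}</p>`;
}

// Small check used below: does the rendered HTML still contain a raw <script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// 2. Cookie hardening. HttpOnly: not exposed to document.cookie, so page script
//    cannot read it. Secure: never sent over plaintext HTTP. SameSite=Lax: not
//    attached to most cross-site requests. Cookie name "session" is hypothetical.
function buildSessionCookieHeader(sessionId, { maxAgeSeconds = 3600 } = {}) {
  // Refuse anything that is not a URL-safe token, so the value can never
  // smuggle extra attributes (e.g. a ';') into the header.
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('session id must be a URL-safe token');
  }
  return [
    `session=${sessionId}`,
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// Demonstration on constructed input.
function demonstrate() {
  const input = '<script>example()</script>'; // constructed, not a real payload
  return {
    unsafe: renderGreetingUnsafe(input),          // contains a live <script> tag
    safe: renderGreetingSafe(input),              // tag rendered as inert text
    cookieHeader: buildSessionCookieHeader('abc123'),
  };
}

console.log(demonstrate());
```

Encoding belongs at the point where untrusted data meets HTML, not at input time, because the same value may later be placed in a different context (attribute, URL, script) that needs a different encoding.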
There is no proof that Microsoft failed to meet a patch deadline or that they were contacted in advance of this finding. Regardless, Microsoft is currently investigating and working on a patch.
– David Durst