As if smears of past vulnerabilities and bugs weren’t enough to tarnish Internet Explorer’s reputation, a new security hole has been made public before Microsoft can plug it. This time, the discovery is quite clearly not a “gotcha” moment or the result of a rival holding a grudge.
David Leo from British security consultancy firm Deusen made the vexing disclosure, stressing there’s no universal fix available or patch downloadable. Tested on Windows 7 and 8.1 computers with IE’s version 11, the glitch allows cyber-aggressors to essentially hijack your browser.
Once a cross-site scripting (XSS) attack is remotely launched, the entire appearance of any given website can be manipulated at the hacker’s will in a matter of seconds. To illustrate the cataclysmic prospective effects of the malfunction, David Leo needs ten seconds and your approval here to plaster a “Hacked by Deusen” message on Daily Mail’s webpage.
Obviously, the publication’s actual site isn’t “hacked,” but if it’s so easy to make it look that way, think of what else a cyber-criminal could feed you. They could deceive you into handing them personal info, passwords, bank account numbers, you name it, simply by taking over trusted portals.
And the worst thing about it is you’re not even safe behind SSL encryptions. You know, addresses that start with “https.” Yup, those can be cracked too, due to the browser flaw allowing complete bypass of Same Origin Policy (SOP).
Don’t ask us to explain how the universal XSS bug came to be, we just know it’s bad. Really, really bad, and there’s no way to avoid it other than stop using Internet Explorer at once. In theory, invasions of privacy of this nature shouldn’t be possible in a pre-11 IE. But better safe than sorry, and better on Chrome or Firefox than IE.
For what it’s worth, Microsoft acknowledged the security snag without making a fuss, and confirmed work on an “update” while stating it’s not “aware of this vulnerability being actively exploited.” Whew, good thing Internet Explorer is going away.
- How Google’s ‘Project Zero’ task force races hackers to snuff out bugs
- Microsoft misses another Edge-related 90-day security disclosure deadline
- The best web browsers
- Microsoft will pay you up to $250,000 to find Spectre-like flaws
- Researchers defend the Ryzenfall disclosure, explain why exploits are dangerous