A newly disclosed vulnerability in fully patched versions of Internet Explorer lets attackers steal login credentials and inject malicious content into browsing sessions. Microsoft has said that it is working on a fix and that the bug affects Internet Explorer 11 on Windows 7 and Windows 8.1.
The vulnerability is a cross-site scripting (XSS) bug that lets attackers bypass the same-origin policy, the rule at the heart of the web security model that stops one website from reading or modifying the cookies and page content of another. A proof of concept was published a few days ago showing how a malicious website can violate this rule even when the visitor is running a fully updated and patched version of Internet Explorer.
With access to the victim's browser cookies, an attacker can impersonate that user on any site they are currently logged into with a username and password, which opens a clear path to every kind of misdeed, including the theft of data as sensitive as credit card details.
To exploit the bug, however, an attacker first has to lure the user to a malicious site, for example through phishing. Once the user has clicked the link, the page triggers the bug using iframes that break Internet Explorer's enforcement of the same-origin policy.
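To make concrete what the bug undermines, here is an added example (editor's code, not from the article or the published proof of concept) that implements the origin comparison the same-origin policy is built on and audits a session cookie for the flags that limit what script running in a foreign origin can obtain. The function names and the sample cookie headers are constructed for illustration; it runs under Node.js.

```javascript
// Added example: what the same-origin policy compares, plus a Set-Cookie audit.
// Names (originOf, sameOrigin, auditSessionCookie) and inputs are hypothetical.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// The origin tuple the policy compares: scheme, host and port, with the
// default port filled in so that https://a.example and https://a.example:443 match.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin only if all three parts of the tuple agree.
// Path, query and fragment play no part in the comparison.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Minimal Set-Cookie parser: first pair is name=value, the rest are attributes.
// Attribute names are case-insensitive, so they are lower-cased here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Report which defensive flags a session cookie is missing. HttpOnly is the one
// that keeps document.cookie from handing the session to script; Secure and
// SameSite limit where the browser will send the cookie in the first place.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attributes.httponly) {
    findings.push("missing HttpOnly: cookie readable via document.cookie");
  }
  if (!c.attributes.secure) {
    findings.push("missing Secure: cookie also sent over plain HTTP");
  }
  if (!("samesite" in c.attributes)) {
    findings.push("missing SameSite: cookie sent on cross-site requests");
  }
  return { name: c.name, findings };
}

// Constructed inputs: a bank origin, a lookalike on plain HTTP, and an attacker site.
console.log(sameOrigin("https://bank.example/login", "https://bank.example:443/account")); // true
console.log(sameOrigin("https://bank.example/", "http://bank.example/"));                  // false
console.log(sameOrigin("https://bank.example/", "https://attacker.example/"));             // false
console.log(auditSessionCookie("SESSIONID=abc123; Path=/").findings);
console.log(auditSessionCookie("SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax").findings);
```

The audit is worth running against a site's real Set-Cookie headers, with one caveat: HttpOnly only stops script from reading the cookie value. When a bug lets attacker-controlled script execute as if it belonged to the victim's origin, that script can still issue requests that carry the cookie automatically, so HttpOnly narrows the damage rather than eliminating it.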
Meanwhile, Microsoft maintains that SmartScreen can help protect users against phishing and advises them not to click on any suspicious link.