Internet Explorer cross-site scripting bug disclosed.
I recommend using Chrome or another browser besides IE if you can until this is patched.
Analysis on Internet Explorer’s UXSS
Recently a Universal Cross-Site Scripting (UXSS) vulnerability (CVE-2015-0072) was disclosed on the Full Disclosure mailing list. The unpatched 0-day vulnerability, discovered by David Leo, can lead to a full bypass of the Same-Origin Policy (SOP) on the latest version of Internet Explorer. This article briefly explains the technical details behind the vulnerability.
The Attack
The original Proof-of-Concept (PoC) can be boiled down to the following simplified one:
top[0].eval('_=top[1];alert();_.location="javascript:alert(document.domain)"');
The simplified PoC requires one iframe that is loaded through an HTTP redirect to a resource on the target domain, and a second iframe that also loads a resource on the target domain. It is worth noting that the two resources do not need to be the same, nor does their Content-Type matter. In summary:
Browser renders the first iframe and issues a request to redirect.php.
Browser renders the second iframe and issues a request to target resource.
Browser executes the script, which invokes eval on the WindowProxy object of the first frame and performs the following steps:
Assign the WindowProxy object of the second frame to a variable.
Pop up an alert dialog box.
The dialog box is closed by the user.
Change the second frame's location through the saved variable, injecting the payload.
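The bug above is, at bottom, a failure of the origin comparison a browser must make before letting one frame set another frame's location to a javascript: URL. The following model of that check, together with the server-side X-Frame-Options decision that keeps a page out of a third party's iframe in the first place, is an added example written for this post; it is not code from the original analysis or from any browser, and the domain names attacker.example and target.example are constructed placeholders.

```javascript
// Added example: a model of the Same-Origin Policy decision the browser makes
// before one frame may script another, plus the X-Frame-Options check that
// decides whether a response may be framed at all. Not browser code; all
// hostnames below are constructed placeholders.

// Default ports per scheme, so http://a.example and http://a.example:80 agree.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple: scheme, host and effective port.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin only if all three tuple fields match.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// May a script running at `scriptOrigin` assign `newUrl` to the location of a
// frame currently showing `frameUrl`? Navigating a cross-origin frame to an
// ordinary http(s) URL is allowed by the SOP; navigating it to a javascript:
// URL would run script inside the frame's origin, so that is only allowed when
// caller and frame are same-origin. The UXSS described above is precisely this
// check being answered "yes" for a cross-origin caller.
function mayNavigateFrame(scriptOrigin, frameUrl, newUrl) {
  const isScriptUrl = newUrl.trim().toLowerCase().startsWith("javascript:");
  if (!isScriptUrl) return true;
  return isSameOrigin(scriptOrigin, frameUrl);
}

// Server-side mitigation: the attack needs the target resource inside an
// iframe. Given the response headers of the framed resource (header names
// lower-cased), the top-level page's origin and the framed resource's URL,
// decide whether the browser should render the frame. A missing header means
// framing is allowed, which is the default the vulnerable page relies on.
function framingAllowed(headers, topOrigin, frameUrl) {
  const value = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (value === "") return true;
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") return isSameOrigin(topOrigin, frameUrl);
  if (value.startsWith("ALLOW-FROM ")) {
    const allowed = value.slice("ALLOW-FROM ".length).trim().toLowerCase();
    return isSameOrigin(topOrigin, allowed);
  }
  return false; // unrecognised directive: fail closed
}

// Stand-alone walk-through of the scenario from the post, with placeholder hosts.
function demo() {
  const attacker = "http://attacker.example";
  const targetPage = "http://target.example/page";
  return {
    // cross-origin caller trying a javascript: navigation: must be refused
    scriptNav: mayNavigateFrame(attacker, targetPage, "javascript:alert(document.domain)"),
    // cross-origin caller navigating the frame to an http URL: permitted
    plainNav: mayNavigateFrame(attacker, targetPage, "http://attacker.example/other"),
    // target served with X-Frame-Options: DENY never renders in the attacker's iframe
    framed: framingAllowed({ "x-frame-options": "DENY" }, attacker, targetPage),
  };
}
```

The demo() function returns false, true, false: the javascript: navigation is refused, the plain navigation is allowed, and a DENY header keeps the target out of the attacker's iframe. Serving X-Frame-Options: DENY or SAMEORIGIN on sensitive pages removes the iframe precondition of this attack even on an unpatched browser.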
More: Analysis on Internet Explorer’s UXSS