Universal XSS flaw in fully patched Microsoft Internet Explorer expose
A newly discovered, severe security flaw in fully patched versions of Internet Explorer allows attackers to steal user credentials or to conduct phishing attacks through any website.
The vulnerability, which affects fully patched versions of IE 11 running on both Windows 7 and 8.1, was disclosed by security researcher David Leo from security firm Deusen. Detailed on Full Disclosure, the Internet Explorer vulnerability allows hackers to bypass the Same-Origin Policy (a fundamental element of web applications, including the IE system, which is meant to prevent cross-site forgeries) and run scripts or inject malicious content into websites.
The vulnerability is a universal cross-site scripting (XSS) flaw. In other words, an attacker is able to execute scripted content and inject code into a website. A full proof-of-concept example posted by Leo demonstrated the bug through a visit to the Daily Mail's online domain. Leo used the vulnerability to inject the words "Hacked by Deusen" into the website.
Windows 10 Forums is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows 10" and related materials are trademarks of Microsoft Corp.