Another day, another zero-day.
This time, Microsoft Internet Explorer is attracting the sort of publicity a browser doesn’t want, following the public disclosure of what’s known as a Cross-Site Scripting, or XSS, bug.
With Microsoft apparently now investigating and looking at a patch, the timing of the disclosure certainly looks to be irresponsible.
There’s no suggestion that Microsoft failed to meet any sort of deadline to get a patch out, or even that the company was contacted in advance.
So, what is XSS, and what does this mean for security?
A SOP for security
Browser security, as you will have read before on Naked Security, depends heavily on what’s called the Same Origin Policy, or SOP.
Suppose a page on my site, example.com, sets a cookie called ‘banana’ in your browser. If the next web page you visit is on another.example, then my cookie should essentially vanish from view.
But if ever you browse back to a page on the example.com site, the ‘banana’ cookie will be visible again.
There are two obvious reasons for this:
- Safety. Two sites might set a cookie with the same name, e.g. UserHasLoggedIn. These are different cookies and must not be allowed to clash.
- Security. Whether a UserHasLoggedIn or not on my site is no business of yours. So my cookie should be kept private.
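The article describes the Same Origin Policy in terms of cookies; what a browser actually compares is the origin of each page, which is the scheme, host and port of its URL (path and query string do not count). The following is an added example, not code from the article or from any browser, that models that comparison with the WHATWG URL API, using constructed sample URLs; it goes slightly beyond the text by also showing that a different scheme or subdomain is a different origin.

```javascript
// Added example (not from the Naked Security article): a minimal model of how
// a browser derives an "origin" from a URL and decides whether two pages share
// one. Scheme, host and port must all match; path and query are ignored.
// All URLs used below are constructed sample values.

// Default ports are dropped by the URL parser (URL.port is "" for them), so
// they are filled back in to make https://x and https://x:443 compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// True when two pages share an origin and may therefore read each other's
// DOM, storage and (in the article's model) cookies.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Which of a set of candidate pages may a script running at `pageUrl` read?
function readablePages(pageUrl, candidates) {
  return candidates.filter((c) => sameOrigin(pageUrl, c));
}

// Constructed demonstration: the article's example.com page against a page on
// another.example, plus two near-misses (other scheme, other subdomain).
const MY_PAGE = "https://example.com/shop/cart";
const CANDIDATES = [
  "https://example.com/account?tab=orders",   // same origin, different path
  "https://example.com:443/",                 // same origin, explicit port
  "https://another.example/",                 // different host
  "http://example.com/",                      // different scheme
  "https://www.example.com/",                 // different host (subdomain)
];

for (const c of CANDIDATES) {
  console.log(`${sameOrigin(MY_PAGE, c) ? "SAME " : "OTHER"} ${originOf(c)}`);
}
```

Real cookie scoping is looser than this (cookies are keyed by host and path rather than full origin, which is why the article talks about sites rather than origins), but the origin check above is what governs whether one page's script may touch another page's content.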
Now suppose I somehow manage to get a script of my own to run inside one of your web pages. In theory, I could then access your cookies, or read text displayed in your web page, and post the data to a third-party site in order to collect it for my own nefarious purposes.
After all, the browser thinks my script has the same origin as your web page.
Indeed, if the user looks at the address bar, he’ll see your website name – and any script with your origin can access data private to your website, by design.
By now, the reason for the name XSS should be obvious: I have made my script “cross over” into your site.
As you can imagine, browsers are supposed to take special care not to allow XSS, to prevent data from one web page being illegally modified or stolen by another.
In this case, however, Internet Explorer (IE 11 at least, according to the company that disclosed the bug) fails to prevent XSS, leaving a security hole.
This vulnerability has been dubbed CVE-2015-0072.
What to do?
Generally speaking, XSS holes aren’t as serious as RCEs, or Remote Code Execution bugs, which can allow crooks to implant malware directly onto your computer without warning.
But XSS bugs may allow attackers to steal data such as session cookies, which could allow an imposter to clone your login session and access one of your online accounts.
And XSS bugs allow crooks to rewrite data sneakily inside a web page, for example to change legitimate download links into malware-tainted ones.
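Whether the XSS comes from a web application bug or, as here, from the browser itself, the attacker's script ends up running with the page's origin, so one of the few defences that still holds for the session-cookie theft just described is the HttpOnly attribute: the browser withholds such cookies from script entirely (it does nothing against the page-rewriting variety). The following is an added example, not code from the article, Microsoft or Sophos: a small audit helper that parses Set-Cookie header values and reports which of the HttpOnly, Secure and SameSite attributes are missing, run over constructed sample headers.

```javascript
// Added example, not from the article: audit a Set-Cookie header value for
// the attributes that limit what an XSS payload can do with a session cookie.
//  - HttpOnly: the browser never exposes the cookie to script (document.cookie)
//  - Secure:   the cookie is only sent over HTTPS
//  - SameSite: the cookie is not attached to most cross-site requests
// The header values below are constructed for the demonstration.

const REQUIRED_ATTRIBUTES = ["Secure", "HttpOnly", "SameSite"];

// Parse "name=value; Attr1; Attr2=val" into { name, value, attributes }.
// Attribute names are case-insensitive (RFC 6265), so keys are lower-cased;
// only the first '=' separates the cookie name from its value.
function parseSetCookie(headerValue) {
  const [pair, ...rest] = headerValue.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 0) throw new Error("malformed Set-Cookie: missing '='");
  const attributes = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
    attributes[key] = i < 0 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Return the required attributes that are absent or ineffective
// (an empty list means the cookie carries all three protections).
function missingCookieProtections(headerValue) {
  const { attributes } = parseSetCookie(headerValue);
  return REQUIRED_ATTRIBUTES.filter((a) => {
    const v = attributes[a.toLowerCase()];
    if (v === undefined) return true;
    // SameSite=None explicitly opts out of cross-site protection.
    return a === "SameSite" && String(v).toLowerCase() === "none";
  });
}

// The corrected form, for comparison with a weak header.
function hardenedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

function auditAll(headers) {
  return headers.map((h) => ({ header: h, missing: missingCookieProtections(h) }));
}

// Constructed sample headers: a weak one, an opted-out one and the hardened one.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/",
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=None",
  hardenedSessionCookie("sessionid", "abc123"),
];

for (const r of auditAll(SAMPLE_HEADERS)) {
  console.log(r.missing.length
    ? `WEAK  ${r.header}  (missing: ${r.missing.join(", ")})`
    : `OK    ${r.header}`);
}
```

Running the audit over a site's real response headers (for instance from a proxy log) is a quick way to find session cookies that a browser-side XSS could read out; the cookie value itself is never needed for the check, so the helper can be pointed at logs with values redacted.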
In other words, keep your eye on CVE-2015-0072 and grab Microsoft’s patch as soon as it comes out.
NB. Sophos detects and blocks this exploit as Exp/20150072-A. Additionally, SophosLabs is actively monitoring the web and will block sites that are found to be making use of CVE-2015-0072.
FREE NETWORK PROTECTION AT HOME
Would you like to run Sophos’s network security product at home?
You can download the fully-functional Sophos UTM Home Edition 100% free.
(UTM Home is simply our regular UTM product, with all features enabled, including web filtering and intrusion prevention, under a home-use-only licence).