In order to introduce the true magnitude of the security flaw in Microsoft’s fully patched browser, Internet Explorer, one must first understand a small bit about cookies. No, not the delicious kind with chocolate chips, but the arguably annoying and sometimes convenient kind that store little pieces of information about your browsing habits and the websites you visit in the memory of your internet browser. No matter what browser you use, it will always store information about the sites you visit, in order to better target advertising, speed up log-in processes, and generally “improve” the user experience. However, these cookies are stored in a kind of electronic jar known as a cache. When someone opens the jar to insert a cookie, they can sometimes insert molds or other bacteria and, in the case of the bug discussed briefly below, malicious code.

As of Feb. 3, 2015, a new vulnerability in Internet Explorer on the Windows 7 and 8.1 operating systems has been discovered. The security bug occurs in the UXSS, or Universal Cross-Site Scripting, component of the browser. The bug essentially allows an attacker to bypass the Same Origin Policy, a vital principle of the mechanics of internet browsers that is designed to prevent sites from accessing cookies, stored browsing data, and credentials saved in the browser by other sites. If this principle is violated, it means someone has put something malicious in the “cookie jar”. When such is the case, that someone can begin harvesting cookies that hold personal information from the victim’s “jar” and use the information for whatever they see fit.
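To make the Same Origin Policy concrete, here is an added example (not from the original article or from Microsoft) that models the comparison a browser applies: two URLs share an origin only when scheme, host and port all match. The function names and the `example` URLs are constructed for illustration.

```javascript
// Added illustration: a model of the origin comparison behind the Same Origin Policy.
// Schemes whose URLs carry a (scheme, host, port) origin, with their default ports.
// Anything else (data:, file:, javascript:, ...) is treated here as an opaque origin.
const DEFAULT_PORTS = {
  'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443', 'ftp:': '21',
};

// Return the origin triple of a URL, or null when the origin is opaque.
function originOf(urlString) {
  const u = new URL(urlString); // the parser lowercases scheme and host
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    // u.port is '' when the URL uses the scheme's default port
    port: u.port || DEFAULT_PORTS[u.protocol],
  };
}

// Compare two URLs and report which parts of the origin differ.
function compareOrigins(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  // An opaque origin matches nothing, not even an identical URL.
  if (oa === null || ob === null) return { sameOrigin: false, differs: ['opaque'] };
  const differs = ['scheme', 'host', 'port'].filter((k) => oa[k] !== ob[k]);
  return { sameOrigin: differs.length === 0, differs };
}

// Constructed sample URLs, each compared against one reference page.
const reference = 'https://bank.example/account';
const candidates = [
  'HTTPS://Bank.Example:443/login', // same origin: case and default port normalise
  'http://bank.example/account',    // scheme differs (and so does the default port)
  'https://login.bank.example/',    // a subdomain is a different host
  'https://bank.example:8443/',     // port differs
  'https://evil.example/',          // unrelated host
  'data:text/html,hi',              // opaque origin
];
for (const c of candidates) {
  const r = compareOrigins(reference, c);
  console.log(c, r.sameOrigin ? 'same origin' : 'cross-origin: ' + r.differs.join(', '));
}
```

A universal cross-site scripting bug matters because it lets script from one of the cross-origin rows run as if this comparison had returned a match.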

Not only is this a form of theft, but also a federal offense by the standards set out for online communications by the Federal Communications Commission.

The exploit is performed by directing unsuspecting users to malicious sites through phishing, then injecting malicious HTML code that farms the cookies stored in the browser’s cache. Once injected, the HTML code can be used to harvest stored passwords, email addresses, and other important information.

Beware the cookie monster, he comes to steal your private information! But, on a more serious note, Microsoft has released a brief statement published by Ars Technica and other news sources on Feb. 3, 2015 saying that,

“We are not aware of this vulnerability being actively exploited and are working on a security update. To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.”

If what Microsoft says is to be believed, then they will patch the bug in short order. However, SmartScreen seems a thin defense for such a severe and easily accessible bug in their programming.

 

Update: Microsoft released the fix prior to the posting of this article.