Internet Explorer cross-domain security breach
June 17, 2004
Yet another flaw has been discovered in Microsoft Internet Explorer. The cross-domain security model that this Web browser employs to keep frame content from different sources separate is confirmed to have a bug that lets attackers run programs and view files using the privileges of the user running Internet Explorer.
Graham Cluley, senior technology consultant at antivirus maker Sophos, said that there are no reports so far of viruses or hackers exploiting this vulnerability. However, home users and businesses should be careful while Microsoft develops and releases a patch that will fix the issue.
"The flaw is not banking-specific," Cluley said. However, phishers could exploit the flaw to run a key logger, capturing Internet-banking passwords typed on the computer's keyboard. Key loggers can also be installed on the computer by worms or Trojans, Cluley warned.
It should also be noted that this is more difficult to avoid than the standard phishing attack, which involves users entering their details into a fraudulent Web site after being directed there by a spoofed email. Therefore, users should take measures to protect themselves from this possible threat. An excellent choice would be a personal firewall that will block any unauthorized network access, thus preventing any rogue application from sending out the user's personal information.
US-CERT also advises that users disable Active scripting and ActiveX controls, maintain antivirus software and not click on unsolicited links.
A spokesperson for Microsoft said that the company is currently investigating this bug and will put out a patch as soon as possible. Meanwhile, the company has updated its advice on how users can "Help ward off hackers and attackers" with information that will help users avoid falling victim to this newly discovered exploit.