Many sources are reporting a bug in Internet Explorer 11 that could support a very credible-looking phishing attack. Interestingly, the attack does not work on older versions of Internet Explorer, which is the reverse of what usually happens. The problem was disclosed on Saturday, with a proof of concept, on the Full Disclosure mailing list, so the hackers even have example code to start from.
The exploit does require the user to click on a link, but getting a user to click is not hard. Once clicked, the real web page for, say, ABC Bank appears and the bank's URL shows in the address bar. In the demonstration code, a few seconds later a web page from the hacker replaces it, but the original site's URL still appears in the address bar. A victim would therefore think he is still at the ABC Bank web site, and if the page asks for personal information, he would think he is giving that information to the bank when he is really giving it to the hacker.
Unfortunately, this attack even works with HTTPS-based web pages (this is yet another way that SSL is broken; see yesterday's post for other reasons it is broken).
In concept, this is similar to the bug discovered in the default Android browser a few months ago that allows the same kind of attack. Google has taken some heat over that one because they said that, since they are not using that code in the current version of Android (4.4), they are not going to fix it. The only solution for Android users on version 4.3 or earlier is to use Chrome or Firefox instead.
For Windows users, a simple workaround is to use another browser, at least until Microsoft fixes this bug.
Microsoft said that they are not aware of hackers using this bug (not a surprise, since it was only published on Saturday), that they are working on a fix (which may take a couple of months, depending on the priority and the difficulty of fixing it), and that you shouldn't click on links from "untrusted sources". By untrusted sources, they mean a link in a phishing email that appears to have come from your boss. Good luck in getting that to happen.
Interestingly, the researchers who disclosed this bug said that there is a simple way for web sites (like ABC Bank) to protect themselves: send a particular HTTP response header with the web page (X-Frame-Options with DENY specified). The researchers say, however, that very few web sites do this. Still, for web site owners, this might be a smart change to make to protect their visitors while Microsoft works on a fix.
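As an added example (not code from the original post or from the researchers), here is a small Python checker a site owner could use to confirm that the X-Frame-Options fix described above is actually in place and well-formed; the sample header values are constructed, SAMEORIGIN is included because it also blocks framing by another site, and the check_url helper is an assumption about how one would run the same check against a live site.

```python
import re
import urllib.request

# Constructed sample X-Frame-Options values, as a server might send them.
# Each entry lists the raw header lines seen in one response.
SAMPLES = {
    "bank_fixed":   ["DENY"],                 # the fix the researchers recommend
    "bank_legacy":  [],                       # header absent (most sites, per the post)
    "sameorigin":   ["sameorigin"],           # also blocks cross-origin framing
    "comma_joined": ["DENY, SAMEORIGIN"],     # two values folded into one line
    "conflicting":  ["DENY", "ALLOW-FROM https://partner.example"],
    "typo":         ["DENY;"],                # stray character, not a valid value
}

ALLOW_FROM = re.compile(r"allow-from\s+\S+$")

def frame_policy(values):
    """Classify the raw X-Frame-Options values of one response as 'none'
    (header absent), 'deny', 'sameorigin', 'allow-from' or 'invalid'.
    Conflicting or malformed values count as 'invalid': browsers do not
    handle them consistently, so this checker treats them as no protection.
    """
    tokens = []
    for raw in values:
        tokens.extend(t.strip().lower() for t in raw.split(",") if t.strip())
    if not tokens:
        return "none"
    kinds = set()
    for tok in tokens:
        if tok in ("deny", "sameorigin"):
            kinds.add(tok)
        elif ALLOW_FROM.match(tok):
            kinds.add("allow-from")
        else:
            return "invalid"
    return kinds.pop() if len(kinds) == 1 else "invalid"

def blocks_cross_origin_framing(values):
    """True when the header stops another site from framing this page."""
    return frame_policy(values) in ("deny", "sameorigin")

def audit(samples):
    """Classify every sample response; returns {name: policy}."""
    return {name: frame_policy(vals) for name, vals in samples.items()}

def check_url(url, timeout=10):
    """Live check (hypothetical usage, not run here): fetch and classify."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return frame_policy(resp.headers.get_all("X-Frame-Options") or [])
```

Running audit(SAMPLES) shows that only the first and third samples actually protect the page; a folded or conflicting header is as good as none.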