A newly discovered vulnerability in Internet Explorer 11, which affects even browsers that are up to date with all security patches, could lead to stolen login credentials. The good news: Microsoft says that it is “not aware of this vulnerability being actively exploited” and is working on a fix.
Ars Technica reports that the culprit is a universal cross-site scripting (XSS) bug that, when a visitor browses a malicious website, can be used to grab cookies or other HTML-based information that other websites have stored on that visitor’s computer. That could include authentication cookies, which give access to areas of websites that require a login and hold “credit card data, browsing histories, and other confidential data.” The vulnerability has been successfully demonstrated in a proof-of-concept exploit on Internet Explorer 11 running on Windows 8.1 and Windows 7.
Microsoft’s statement points out that “to exploit this, an adversary would first need to lure the user to a malicious website, often through phishing.” While the security update is being developed, the statement advises following common-sense advice: “Avoid opening links from untrusted sources and visiting untrusted sites.”