14 DAY TRIAL // Microsoft does not consider an Internet Explorer bug that facilitates session hijacking attacks a high risk, but security researchers think otherwise and past examples support their opinion.
Last week at the Hack in the Box security conference in Amsterdam, Italian security researcher Rosario Valotta demoed an attack that leverages a zero-day vulnerability in all Internet Explorer versions to steal session cookies.
Session cookies are small text files used by websites to keep track of authenticated users. With access to them attackers can control people's accounts.
Mr. Valotta named his attack cookiejacking because it combines the IE bug with so-called clickjacking techniques.
In essence it is a social engineering attack that involves tricking victims to interact with elements on a specially crafted page.
In this case, victims need to click and drag an element and there are a variety of ways to trick users into doing that. Presenting them with a slider or an Angry Birds-like game are two examples.
"Given the level of required user interaction, this issue is not one we consider high risk," Microsoft spokesman Jerry Bryant told Reuters. "In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into," he added.
But, according to Robert McArdle, senior threat researcher at Trend Micro, it should actually be pretty easy to convince users to do that. Let's take, for example, the recent attacks on Facebook where users were asked to manually copy a piece of JavaScript code into their browser's address bar.
These attacks were pretty successful and the fact that so many users were willing to do that even surprised the company's security team, according to Mr. Joe Sullivan, Facebook's chief security officer.
The bottom line is that if you can get someone to copy and paste rogue code, you can clearly get them to pull on a slider, and if you target Facebook session cookies, you have all the ingredients for a self-propagating worm - one that particularly affects Internet Explorer users.