14 DAY TRIAL // Microsoft is planning to patch a recently disclosed IE vulnerability that facilitates session hijacking attacks and suggests using the browser's private mode feature until then.
The new type of attack, dubbed cookiejacking, was demonstrated at the recent Hack in the Box 2011 conference in Amsterdam by Italian security researcher Rosario Valotta.
It leverages a bug in all versions of Internet Explorer that allows the contents of session cookie files to be loaded in iframes if the attackers know their full paths.
Clickjacking and social engineering techniques are then used to trick users into dragging the contents of the rogue iframes to containers on the same page controlled by the attackers.
For the demo, Mr. Valotta used a basketball game where the user was asked to drag a ball through a hoop. The ball was hiding the contents of the targeted session cookie.
In a post on the Windows Security Blog, Microsoft's Brandon LeBlanc say that the company is working on a patch and suggests the browser's InPrivate Browsing feature can help mitigate the risks until then.
"The InPrivate Browsing feature in Internet Explorer will prevent cookies from earlier browsing sessions being stored on your PC, and mean they are not vulnerable to cookiejacking even in the circumstances described," he explains.
Indeed, the private browsing mode prevents access to cookie files already saved on the disk, but more importantly, it stores cookies for the active session in memory. This means that a page crafted for cookiejacking cannot access neither older cookies nor active ones, because there is no path to them.
The Microsoft spokesperson also points out that there are currently no attacks exploiting this vulnerability in the wild and that user interaction is required for successful attacks. Enabling InPrivate Browsing can be done by pressing CTRL+SHIFT+P in Internet Explorer.