Jun 10, 2011 15:37 GMT  ·  By

Microsoft's next patch bundle, scheduled to land next Tuesday, will address a large number of vulnerabilities across many products, among them an Internet Explorer flaw that enables cookie-theft attacks against logged-in users.

The vulnerability was disclosed last month by Italian security researcher Rosario Valotta during a presentation at the Hack in the Box 2011 conference in Amsterdam.

The bug affects all versions of Internet Explorer: a web page can load a file from the local cookie store into an IFrame, provided the attacker knows the file's path (the store sits under the user's profile directory, so the path depends on the Windows user name).

The same-origin policy stops the attacker's page from reading the framed cookie file directly, so the attack hides the IFrame behind another element and uses clickjacking techniques (in Mr. Valotta's demonstration, a drag-and-drop trick) to get the visitor to select the cookie text and drop it onto a part of the page the attacker controls, handing over the session cookie without realising it. Mr. Valotta dubbed this type of attack cookiejacking.

"One of the issues we start to address in this release is 'cookiejacking,' which allows an attacker to steal cookies from a user’s computer and access websites the user has logged into. The Internet Explorer bulletin will address one of the known vectors to the cookie folder," Microsoft spokesperson Angela Gunn said.

Even though the fix will not close every vector, the company does not consider the vulnerability a serious risk to customers, and so far no attacks exploiting it have been detected in the wild.

Microsoft's upcoming Patch Tuesday will see the release of 16 security bulletins covering a total of 34 vulnerabilities in Windows, Office, Internet Explorer, .NET Framework, SQL Server, Silverlight, Visual Studio and ISA Server. Nine of the bulletins will be rated critical and the remaining seven important.

It will be a busy week for systems administrators who, in addition to testing and deploying Microsoft's patches, will also have to prepare for security updates to Adobe Reader and Acrobat which are expected to land the same day.

Even once the cookiejacking vectors are completely patched, users should remain wary of the clickjacking techniques used in this attack, because they represent a serious security issue with no simple technical solution. Site operators can refuse to have their own pages framed by sending the X-Frame-Options header (honoured by Internet Explorer 8 and later), but that only protects pages served over HTTP: a cookie file loaded from the local disk carries no response headers, which is why this particular vector had to be fixed in the browser itself.
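The check below is an added example, not code from the article, from Microsoft or from Mr. Valotta's presentation. It takes the response headers of a page and reports whether a browser that honours anti-framing headers would still let an arbitrary third-party site embed that page in an IFrame, which is the precondition for the clickjacking step described above. It recognises X-Frame-Options (DENY, SAMEORIGIN and the IE-specific ALLOW-FROM) and the later Content-Security-Policy frame-ancestors directive, which was standardised after this article and is not mentioned in it. The header sets at the bottom are constructed samples; the function names and the behaviour for unrecognised values are this example's own choices.

```javascript
// Added example (not from the article): does a page's HTTP response let an
// arbitrary origin frame it?  Sample header sets at the bottom are constructed.

// Lower-case all header names; join duplicate headers (arrays) into one string.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = Array.isArray(value) ? value.join(',') : String(value);
  }
  return out;
}

// Extract the frame-ancestors source list from a CSP value, or null if the
// policy has no such directive.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

// Returns { frameable, reason }.  "frameable" means an unrelated attacker
// origin could embed the page.  Anything the function does not recognise is
// reported as frameable on purpose, so that a reviewer looks at it rather than
// trusting a value that browsers may simply ignore.
function framingVerdict(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);

  // A CSP frame-ancestors directive overrides X-Frame-Options in browsers
  // that support both, so it is evaluated first.
  if (h['content-security-policy'] !== undefined) {
    const fa = frameAncestors(h['content-security-policy']);
    if (fa !== null) {
      if (fa.includes("'none'")) return { frameable: false, reason: "CSP frame-ancestors 'none'" };
      if (fa.includes('*')) return { frameable: true, reason: 'CSP frame-ancestors *' };
      return { frameable: false, reason: 'CSP frame-ancestors limited to ' + fa.join(' ') };
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo === undefined) return { frameable: true, reason: 'no anti-framing header' };
  const value = xfo.trim().toLowerCase();
  if (value === 'deny') return { frameable: false, reason: 'X-Frame-Options: DENY' };
  if (value === 'sameorigin') return { frameable: false, reason: 'X-Frame-Options: SAMEORIGIN' };
  if (value.startsWith('allow-from ')) return { frameable: false, reason: 'X-Frame-Options: ' + xfo.trim() };
  return { frameable: true, reason: 'unrecognised X-Frame-Options value "' + xfo.trim() + '"' };
}

// Constructed sample responses for a quick offline run.
const SAMPLES = [
  ['login page, no header', { 'Content-Type': 'text/html' }],
  ['login page, DENY', { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' }],
  ['widget, ALLOW-FROM', { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' }],
  ['app with CSP', { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" }],
  ['typo in header', { 'X-Frame-Options': 'DENNY' }],
];

// Returns one "label: frameable/protected (reason)" line per sample.
function summarize(samples) {
  return samples.map(([label, headers]) => {
    const v = framingVerdict(headers);
    return label + ': ' + (v.frameable ? 'frameable' : 'protected') + ' (' + v.reason + ')';
  });
}

console.log(summarize(SAMPLES).join('\n'));
```

Feed the function the headers of your own sites' pages to find those that a hostile page could still frame. Note that the check is conservative: a misspelled or otherwise unrecognised X-Frame-Options value is reported as frameable because browsers ignore values they do not understand, which is the same as sending no header at all.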