May 30, 2011 10:25 GMT

Microsoft will plug a zero-day security hole in Internet Explorer that can allow potential attackers to steal session cookies from users, even though it has made it clear that it doesn’t consider the vulnerability a high risk to customers and has not detected active attacks in the wild. The only attack built around a working exploit targeting the IE zero-day was demoed at the recent Hack in the Box security conference in Amsterdam by Italian security researcher Rosario Valotta.

Stealing session cookies, also referred to as cookiejacking, is similar in nature to another type of attack dubbed clickjacking, but with a different target.

As far as I’m concerned, the complexity of this type of attack, in combination with the effort attackers need to invest when it comes down to successfully tricking victims into handing over their data, means that the Redmond company’s assessment that the particular IE 0-day uncovered by Valotta is not a high risk to customers is not without merit.

At the same time, given the publicity that the new IE security vulnerability has achieved in the past week, it’s best for the hole to be plugged, especially since working attacks can be built.

And although no attacks have so far been detected in the wild, Microsoft’s Brandon LeBlanc stressed that the Redmond company is already hard at work building a patch for the IE cookiejacking 0-day.

The lack of attacks, combined with the low-risk assessment that the software giant has given this flaw, means that it’s very unlikely that Microsoft will provide an out-of-band patch.

Most likely, the security update designed to patch the IE cookiejacking 0-day will be included in the next batch of IE updates, once the company is done cooking it.

LeBlanc provided additional insight into why the company is not exactly rushing to patch this new IE 0-day:

“In order to be exposed to risk a number of things would need to happen. You’d need to be tricked into interacting with malicious content on a website. Only after this could a third party steal cookies from a website that you were previously logged into. While this threat has been demonstrated by a security researcher, to date we are not aware of any actual attacks online.”

Essentially, even in scenarios in which an attacker exploits the vulnerability successfully, the exploit on its own does not result in stolen session cookies.

In addition to the working exploit, users also need to be tricked via social engineering into copying their session data and handing it over, and the attack only works if the username and the Windows version run by the victim are known to the attacker.

“This is a form of social engineering attack and these kinds of threats will remain a concern for Internet users on all browsers. Software vulnerabilities are not needed for these kinds of threats to be successful so it is always a good idea to follow best practices – regardless of the browser you are using - in order to stay safe,” LeBlanc added.