A new vulnerability in Internet Explorer was revealed today. It affects all the latest versions of IE and allows anyone to access the user's login credentials. It is a universal cross-site scripting (XSS) bug, and a proof-of-concept exploit was recently published on the web.
To demonstrate the attack, the content of dailymail.co.uk was changed by an external domain.
Once in possession of the cookie, an attacker could access the same restricted areas normally available only to the victim, including those with credit card data, browsing histories, and other confidential data. Phishers could also exploit the bug to trick people into divulging passwords for sensitive sites.
Microsoft is aware of this bug and is already working on a fix.
We are not aware of this vulnerability being actively exploited and are working on a security update. To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.
via: Ars Technica