Researchers from deusen.co.uk published sample exploit code to demonstrate how to hack dailymail.co.uk — Great Britain’s leading online daily newspaper. A specially formed link takes users to dailymail.co.uk, followed by the message “Hacked by Deusen”.
Both Internet Explorer 10.x and 11.x contain this flaw and are therefore exposed to this attack. You may find its detailed description at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0072.
The experts at Positive Technologies point out that there are several similar exploit examples on the Web that demonstrate the threats this new vulnerability poses to many sites, including those used for critical resources.
For example, check out this simulated attack video, posted on PHDays website.
You must prohibit third party IFrames using the X-Frame-Options header sent by a web server.
The Apache setting in .htaccess looks like this:
It is worth mentioning that as of late zero-day vulnerabilities within infrastructure components, like Shellshock and GHOST, have become more frequently publicized. Google has also added fuel to the fire with its recent disclosure regarding Windows security flaws, despite Microsoft’s requests to become more flexible on the matter. It seems like the mainstream approach “discover – help to fix – publish details” is not in play any more.