A universal cross-site scripting (XSS) vulnerability (CVE-2015-0072) has been discovered in Microsoft Internet Explorer. This zero-day vulnerability could allow an attacker to bypass the same-origin policy (SOP) in order to steal information from, and inject information into, other websites. The vulnerability affects Internet Explorer 11 on Windows 7 and Windows 8.1.
The same-origin policy was designed to prevent scripts from one website from reading or modifying data on another website. However, with this vulnerability, a determined attacker can craft an email containing a link that leads to a malicious website. If the recipient were to click on that link, the malicious website could bypass the SOP and allow the attacker to obtain sensitive information.
Microsoft has not yet issued a patch or security advisory for this vulnerability. At this time, there are no indications that this vulnerability has been exploited in the wild. Concerned users can use an alternative browser, like Mozilla Firefox or Google Chrome, until Microsoft makes a patch available.
Symantec will continue to investigate this vulnerability and provide more details as they become available.
Symantec and Norton Protection
Intrusion Prevention System
Update – February 5, 2015:
Symantec has added the following protection: