Zero-day vulnerability in Microsoft Internet Explorer

CVE-2015-0072 was apparently reported to Microsoft on Oct. 13, 2014, however David Leo disclosed the details of this vulnerability to the popular Full Disclosure security mailing list on Jan. 31, 2015.

Advisory: SB2015013101 - Cross-site scripting in Microsoft Internet Explorer

Vulnerable component: Microsoft Internet Explorer

CVE-ID: CVE-2015-0072

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description:

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-input passed via vectors involving an IFRAME element. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of another website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Note: the vulnerability was being actively exploited.

External links:

https://technet.microsoft.com/library/security/ms15-018
http://www.pcworld.com/article/2879372/dangerous-ie-vulnerability-opens-door-to-powerful-phishing-at...
https://nakedsecurity.sophos.com/2015/02/04/internet-explorer-has-a-cross-site-scripting-zero-day-bu...
https://blogs.forcepoint.com/security-labs/another-day-another-zero-day-%E2%80%93-internet-explorers...
http://22by7.helpserve.com/News/NewsItem/View/5773/another-day-another-zero-day--internet-explorers-...