BaCde  2429 days ago


There's a bug in the latest version of Internet Explorer that leaks the addresses, search terms, or any other text typed into the address bar.

The bug allows any currently visited website to view any text entered into the address bar as soon as the user hits enter. The technique can expose sensitive information a user didn't intend to be viewed by remote websites, including the Web address the user is about to visit. The hack can also expose search queries, since IE allows them to be typed into the address bar and then retrieved from Bing or other search services.

The flaw was disclosed Tuesday by security researcher Manuel Caballero. This proof-of-concept site shows the exploit works as described on the latest version of IE.

The proof-of-concept makes it transparent that the attacking website is viewing the entered text. The hack, however, can easily be modified to make the information theft completely stealthy. Either way, this weakness may allow malicious sites to view information the user presumed was private. People should strongly consider using Google Chrome, Microsoft Edge, or another non-IE browser.

In an e-mailed statement, Microsoft officials wrote: "Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule."

Post updated to add comment from Microsoft.