The malvertising vector is already widely used by attackers and involves tricking advertising networks into accepting malicious ads that then get displayed on legitimate websites. By combining malvertising with this IE flaw, attackers could steal authentication cookies en-masse from different websites.
Young couldn't confirm whether exploiting this vulnerability can happen without user interaction -- the proof-of-concept exploit requires victims to click on a link. However, even if user interaction is required, many social engineering techniques can be used to obtain it.
According to Young, the flaw might only affect IE 11 or a limited number of newer IE versions. For example, the researcher couldn't replicate the attack on IE 8 running on Windows 7.
The vulnerability might not be as critical as the Same-Origin bypass flaw discovered in the Android default browser a few months ago, but Microsoft should address it as soon as possible, Young said.
"We are not aware of this vulnerability being actively exploited and are working on a security update," a Microsoft representative said via email. "We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information."
The good news is that websites can protect themselves from being targeted through this vulnerability by using a security header called X-Frame-Options with the "deny" or "same-origin" values, which prevents other sites from loading them in iframes. This was noted by both Folwer and Daniel Cid, the CTO of Web security firm Sucuri.
Unfortunately, this is a recommended security header that very few sites make use of, Cid said via email.