Internet Explorer flaw could allow hackers access to your Facebook, Gmail, Twitter accounts.
Regardless of the version of Windows you use, if you also use any version of Microsoft's Internet Explorer, then you might not want to do any drag-and-dropping within your IE browser, or you might be done in by "cookiejacking." It's not the CookieMonster or Firesheep, but there is a zero-day hole in IE that allows an attacker to steal session cookies from any website.
At the Hack In The Box conference in Amsterdam, Italian security researcher Rosario Valotta demonstrated a cookiejacking attack. A session cookie holds information like your username and your password. Once those cookies are stolen, an attacker can access wherever the victim is logged in, such as Gmail, Facebook, Twitter or other online accounts. His code to exploit the flaw explicitly targets cookies issued by Facebook, Twitter and Gmail, but Valotta says his technique can be used on any website. The attacker is limited only by his imagination.
The vulnerability was found in IE's security zone mechanism, which is supposed to keep Internet zones from mixing; it is meant to prevent sites in the "untrusted" Internet zone from embedding content from the "trusted" local zone. Yet Valotta discovered that cookies were exempt from this mechanism and could be loaded into iframes. The cookie content was masked with invisible text and moved by the HTML5 drag-and-drop feature to the main browser window. "This breaks the Cross zone interaction policy as an Internet page is accessing a local file," Valotta wrote on tentacoloViola, where he explained the entire exploit.
Link:
http://www.networkworld.com/community/blog/ie-flaw-could-allow-hackers-access-your-faceb