A bug has been uncovered in Internet Explorer which makes it possible for websites to view anything that is typed in to the address bar. This means that web addresses and search terms could be accessed by a hacker or malicious website.
The vulnerability was discovered in the very latest version of Internet Explorer, and Microsoft is yet to release a patch for it. Discovered by security researcher Manuel Caballero, the attack can be made completely invisible to a victim.
Writing on his website Broken Browser, Caballero explains that: "When a script is executed inside an object-html tag, the location object will get confused and return the main location instead of its own. To be precise, it will return the text written in the address bar so whatever the user types there will be accessible by the attacker."
He has produced a proof-of-concept video that shows precisely how the attack works:
In a statement given to Ars Technica, Microsoft said:
Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.