"Companies think that only certain IP addresses may be able to access their sites. But using these techniques the browser can go anywhere, which throws the defense of filtering IP addresses out the window," said Hansen, who operates the security consulting firm SecTheory. "Hackers can use the browser as a proxy to get access to intranet applications -- vulnerabilities in VPN systems for remote workers offer another attractive point-of-entry."
The experts said that to protect themselves, companies should begin defending their internal Web sites in the same manner they safeguard their external sites. Public-facing Web sites shouldn't be allowed to access the intranets on any level, which is another common means for hackers to find their way into the systems, they said.
"There will be tools made available that allow black hats to carry out this sort of threat easily within the next two years, which should inspire a lot more people to try them out," Grossman said.
"These types of browser vulnerabilities have always been there, and these attacks were always feasible. It's just that no one really knew about it; what the bad guys are doing with them today compared to several years from now is just the tip of the iceberg," he said.