Here’s a disturbing report of a Cross-Site Scripting Vulnerability in Internet Explorer, from Secunia. Note that installing SP2 alone will not protect you from this problem, although it does offer a useful tool to fix it temporarily.
Clicking the test link on their page opens an IE window that contains their own content, with “https://www.paypal.com/” displayed in the Address bar and an authentic-looking SSL padlock icon in the status bar. (Clicking the test link in Firefox does nothing.)
This test page, of course, does nothing. But if it were an actual phishing attack, it would be possible for a bad guy to convince you to give up personal information like a password or a credit card number in the mistaken belief you were actually at a Web site belonging to your bank, PayPal, Ebay, or another trusted site.
To protect yourself until a patch is released, do the following.
- From Internet Explorer, choose Tools, Manage Add-ons. (If you don’t see this menu choice, you don’t have SP2 installed, and you have bigger problems!)
- Scroll down the list and select DHTML Edit Control Safe for Scripting for IE5.
- Click Disable.
- Click OK to close the dialog box, and then restart IE.
Even if you normally use Firefox, I recommend that you take this precaution until a patch is available.
If you have an application that needs to use the DHTML Edit control, there’s a fix that allows this ActiveX control to be used safely, but it’s too complicated to list the instructions here. Leave a comment if you are in this situation.
If you use an earlier version of Windows, you should disable ActiveX.
Update: The DHTML Edit Control is in every version of Windows XP, but it won’t appear in your list of add-ons until it’s actually loaded by a page. Go to the Secunia test site and click the link to their test. After you do that, you can disable this control.