Security alert for Windows XP

From Ed Bott's Windows (and Office) Expertise blog, "Security alert for Windows XP":

Here’s a disturbing report of a Cross-Site Scripting Vulnerability in Internet Explorer, from Secunia. Note that installing SP2 alone will not protect you from this problem, although it does offer a useful tool to fix it temporarily.

Clicking the test link on their page opens an IE window that contains their own content, with “https://www.paypal.com/” displayed in the Address bar and an authentic-looking SSL padlock icon in the status bar. (Clicking the test link in Firefox does nothing.)

This test page, of course, does nothing. But if it were an actual phishing attack, it would be possible for a bad guy to convince you to give up personal information like a password or a credit card number in the mistaken belief you were actually at a Web site belonging to your bank, PayPal, eBay, or another trusted site.

To protect yourself until a patch is released, do the following.

  1. From Internet Explorer, choose Tools, Manage Add-ons. (If you don’t see this menu choice, you don’t have SP2 installed, and you have bigger problems!)
  2. Scroll down the list and select DHTML Edit Control Safe for Scripting for IE5.
  3. Click Disable.
  4. Click OK to close the dialog box, and then restart IE.

Even if you normally use Firefox, I recommend that you take this precaution until a patch is available.

If you have an application that needs to use the DHTML Edit control, there’s a fix that allows this ActiveX control to be used safely, but it’s too complicated to list the instructions here. Leave a comment if you are in this situation.

If you use an earlier version of Windows, you should disable ActiveX.
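The Manage Add-ons steps above disable the control per user through the IE interface. As an added example that is not from the original post, the batch script below instead sets Microsoft's registry "kill bit" for a control (KB 240797), which stops IE from loading the control machine-wide regardless of the Manage Add-ons setting and also works on the earlier Windows versions mentioned above. The CLSID in it is a placeholder, since the post does not give one; replace it with the class identifier of the control named in step 2 (found under HKEY_CLASSES_ROOT\CLSID on the machine).

```batch
@echo off
rem Added example, not from the original post. Sets the ActiveX "kill bit" for one
rem control so Internet Explorer refuses to instantiate it, independent of the
rem per-user Manage Add-ons setting. Must run from an administrator account.
rem The CLSID below is a PLACEHOLDER: substitute the real class identifier of the
rem control you want blocked (look it up under HKEY_CLASSES_ROOT\CLSID).
setlocal
set CLSID={00000000-0000-0000-0000-000000000000}
set KEY=HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\%CLSID%

rem Report the current state (the query fails if the key does not exist yet).
reg query "%KEY%" /v "Compatibility Flags" 2>nul
if errorlevel 1 echo No kill bit currently set for %CLSID%.

rem 0x400 is the kill bit: IE will neither load nor script this control.
reg add "%KEY%" /v "Compatibility Flags" /t REG_DWORD /d 0x400 /f
if errorlevel 1 (
    echo Failed to write the kill bit; re-run as an administrator.
    exit /b 1
)

rem Verify the value actually landed before reporting success.
reg query "%KEY%" /v "Compatibility Flags" | findstr /i "0x400" >nul
if errorlevel 1 (
    echo Kill bit write did not verify for %CLSID%.
    exit /b 1
)
echo Kill bit set for %CLSID%; restart Internet Explorer.
endlocal
```

Run it once per machine; the same `reg query` line can be dropped into a login script to audit whether the block is still in place after an update.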

Comments (2)

  • Thanks for helping spread the word, Graham.

    Note that some words got clipped off in Step 1. It should read, “From Internet Explorer, choose Tools, Manage Add-ons…”

  • Thanks Ed. I have updated the posting with the correct information.
    By the way… we appreciate your great blog. It’s one of my favourites!
