From Ed Bott’s Windows (and Office) Expertise blog, “Security alert for Windows XP”:
Here’s a disturbing report of a Cross-Site Scripting Vulnerability in Internet Explorer, from Secunia. Note that installing SP2 alone will not protect you from this problem, although it does offer a useful tool to fix it temporarily.
Clicking the test link on their page opens an IE window that contains their own content, with “https://www.paypal.com/” displayed in the Address bar and an authentic-looking SSL padlock icon in the status bar. (Clicking the test link in Firefox does nothing.)
This test page, of course, does nothing. But if it were an actual phishing attack, it would be possible for a bad guy to convince you to give up personal information like a password or a credit card number in the mistaken belief you were actually at a Web site belonging to your bank, PayPal, eBay, or another trusted site.
To protect yourself until a patch is released, do the following.
- From Internet Explorer, choose Tools, Manage Add-ons. (If you don’t see this menu choice, you don’t have SP2 installed, and you have bigger problems!)
- Scroll down the list and select DHTML Edit Control Safe for Scripting for IE5.
- Click Disable.
- Click OK to close the dialog box, and then restart IE.
Even if you normally use Firefox, I recommend that you take this precaution until a patch is available.
If you have an application that needs to use the DHTML Edit control, there’s a fix that allows this ActiveX control to be used safely, but it’s too complicated to list the instructions here. Leave a comment if you are in this situation.
If you use an earlier version of Windows, you should disable ActiveX.
Thanks for helping spread the word, Graham.
Note that some words got clipped off in Step 1. It should read, “From Internet Explorer, choose Tools, Manage Add-ons…”
Thanks Ed. I have updated the posting with the correct information.
By the way… we appreciate your great blog. It’s one of my favourites!