This alert below deserves a comment since it's potentially very serious and there's no way around it without losing functionality since you'd have to disable ActiveX. I don't think just by having IE Security settings to "High" disables ActiveX. If it does not, and you don't want to disable ActiveX due to websites not working correctly, you REALLY have to watch out for this.
As one can see in the test, the URL in the address bar is NOT the site where you think you are. This vulnerability could be used with disastrous results at popular sites like PayPal, Ebay, etc., that have very important personal and financial info about you (and of course at the Citibank website in the test).

In **this particular test example**, you ARE able to see that it's a bogus page by right clicking and "Open frame in new window", then you get to the real webpage that's at the URL. Also, you can copy and paste the URL in the IE address bar to the address bar toolbar at the bottom of your screen (if you opt for that address bar toolbar), and this would also show you a different page. You can also check the source code of the bogus page and see that there is a css file referenced on Secunia.com which could also give it away. Another way is when you hover the test link, in the status bar you don't see the URL, instead you see a JavaScript command which would also be a tell-tale sign since it's not a PopUp window.

Checking/noticing these signs would at least be some red flags helpful in protecting yourself from this vulnerability, but keep in mind it probably WILL NOT work at many scamming sites if they:

1. Had the exact same content on the bogus page as on the scam page (therefore if you right clicked and "open frame in new window" it would look the same, or copied and pasted the URL in the IE address bar to your bottom address bar the resultant page would look the same);
2. Didn't reference in the source code a css file or other file in the <head> tag or body to their own scam site; or
3. Used a real JavaScript PopUp window that would indeed have to have the JavaScript status in the status bar upon hovering the link.

At least in #3 you can right click inside that PU window and open in new window which would give you the real URL.
-Clint

Merry Christmas to all & God Bless
Clint Hamilton, Owner
http://OrpheusComputing.com
http://ComputersCustomBuilt.com

----- Original Message -----
From: "Secunia Security Advisories" <[EMAIL PROTECTED]>

TITLE:
Internet Explorer DHTML Edit ActiveX Control Cross-Site Scripting

SECUNIA ADVISORY ID:
SA13482

VERIFY ADVISORY:
http://secunia.com/advisories/13482/

CRITICAL:
Moderately critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Microsoft Internet Explorer 6
http://secunia.com/product/11/

DESCRIPTION:
A vulnerability in Internet Explorer, which can be exploited by malicious people to conduct cross-site scripting attacks.

The vulnerability is caused due to an error in the DHTML Edit ActiveX control when handling the "execScript()" function in certain situations. This can be exploited to execute arbitrary script code in a user's browser session in context of an arbitrary site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.

SOLUTION:
Set security level to high for the "Internet" zone (disable ActiveX support).

----------------------------------------------------------------------

============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines & make sure you've followed proper posting procedures, http://pcworkers.com/rules.htm
Contact list owner <[EMAIL PROTECTED]>
Unsubscribing and other changes: http://pcworkers.com
=====================================================
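An added example, not part of the post or of the Secunia advisory, for verifying the mitigation the advisory recommends (ActiveX disabled in the "Internet" zone): this PowerShell snippet reads the per-user Internet zone (zone 3) ActiveX action values from the registry location and action IDs that Microsoft documents for Internet Explorer security zones and reports any that are not set to Disable. It assumes the per-user (HKCU) zone configuration is what applies and does not account for policy-enforced HKLM overrides.

```powershell
# Added example: audit the Internet Explorer "Internet" zone (zone 3) for
# ActiveX actions that are still Enabled or set to Prompt.
# Value encoding documented by Microsoft for IE security zone actions:
#   0 = Enable, 1 = Prompt, 3 = Disable
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Documented action IDs for the ActiveX-related zone settings
$activeXActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

$stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-InternetZoneActiveXState {
    # Stops with an error if the zone key is missing rather than reporting a false "disabled"
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($id in ($activeXActions.Keys | Sort-Object)) {
        $raw = $zone.$id
        $state = if ($null -eq $raw) { 'Not set (zone default applies)' }
                 elseif ($stateNames.ContainsKey([int]$raw)) { $stateNames[[int]$raw] }
                 else { "Unknown ($raw)" }
        [pscustomobject]@{
            ActionId = $id
            Setting  = $activeXActions[$id]
            State    = $state
            Disabled = ($null -ne $raw -and [int]$raw -eq 3)
        }
    }
}

$results = Get-InternetZoneActiveXState
$results | Format-Table -AutoSize

# Anything not explicitly Disabled is flagged, including values left unset
$open = @($results | Where-Object { -not $_.Disabled })
if ($open.Count -gt 0) {
    Write-Warning ("{0} ActiveX action(s) in the Internet zone are not disabled." -f $open.Count)
} else {
    Write-Host 'All ActiveX actions in the Internet zone are disabled.'
}
```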
