Topic: New IE phishing flaw found
Opec
Posts: 4037
Location: Brisbane, Queensland
Read this from Slashdot, it would appear that this flaw will allow the phishers to spoof the address bar in IE:


Description:
Hai Nam Luke has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.

The vulnerability is caused due to a race condition in the loading of web content and Macromedia Flash Format files (".swf") in browser windows. This can be exploited to spoof the address bar in a browser window showing web content from a malicious web site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2. The vulnerability has also been confirmed in Internet Explorer 7 Beta 2 Preview (March edition). Other versions may also be affected.

Solution:
Disable Active Scripting support.


http://secunia.com/Internet_Explorer_Address_Bar_Spoofing_Vulnerability_Test/

I just tested it with my IE on WinXP with SP2 installed and it does what the description said. This doesn't affect Firefox. So be careful people!
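
Added example (not part of the original post or the Secunia advisory): a PowerShell check of whether the advisory's workaround, disabling Active Scripting, is in place for each IE security zone. It assumes the standard Internet Settings registry layout, where URL action 1400 is Active Scripting and the values 0, 1 and 3 mean enabled, prompt and disabled; the function name is illustrative, and the first location found is treated as the effective one on the assumption that policy keys override the per-user preference.

```powershell
# Added example: report Active Scripting (URL action 1400) for each IE security zone.
$zones   = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$actions = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
$rel     = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Listed in assumed precedence order: Group Policy keys override the user preference key.
$sources = [ordered]@{
    'Machine policy'  = "HKLM:\Software\Policies\$rel"
    'User policy'     = "HKCU:\Software\Policies\$rel"
    'User preference' = "HKCU:\Software\$rel"
}

function Get-ActiveScriptingState {
    foreach ($zone in ($zones.Keys | Sort-Object)) {
        foreach ($name in $sources.Keys) {
            $key  = Join-Path $sources[$name] "$zone"
            $item = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # value not set in this location
            $raw = [int]$item.'1400'
            [pscustomobject]@{
                Zone    = $zones[$zone]
                Source  = $name
                Setting = if ($actions.ContainsKey($raw)) { $actions[$raw] } else { "Unknown ($raw)" }
            }
        }
    }
}

$report = @(Get-ActiveScriptingState)
$report | Format-Table -AutoSize

# The workaround matters most for untrusted content, i.e. the Internet zone.
$effective = $report | Where-Object { $_.Zone -eq 'Internet' } | Select-Object -First 1
if ($null -eq $effective) {
    Write-Warning 'No Active Scripting value found for the Internet zone.'
} elseif ($effective.Setting -ne 'Disabled') {
    Write-Warning "Internet zone: Active Scripting is $($effective.Setting) ($($effective.Source))."
}
```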
scuzzy
Posts: 12102
Location: Brisbane, Queensland
That is neat!
function StartTest()
{
    openWin('http://www.google.com/');

    setTimeout("openWin('/19521_swf/?" + Math.random() + "');", 300);

    setTimeout("openWin('/19521_swf_result/');", 2500);
}


last edited by scuzzy at 12:06:26 07/Apr/06
Predator
Posts: 187
Location: Brisbane, Queensland
Why do people persist in using ie except in the situation of a corporate intranet?

Hmm:
Tools->Security
Internet - High
Local intranet - High
Trusted Sites - Medium
Restricted Sites - High

Probably only use ie for hmm the msdn website because they really want to have an ActiveX control for the leftmost menu and windows update.
scuzzy
Posts: 12103
Location: Brisbane, Queensland
Believe it or not, but not everyone who uses the internet understands these risks.
GreenRedEarthAfterZooYears
Posts: 3449
Location: Other International
Believe it or not, but not everyone who uses the internet understands these risks.
That's unbelievable!
Jim
Posts: 4187
Location: Brisbane, Queensland
looks like the same one that was on bugtraq on tuesday
Opec
Posts: 4038
Location: Brisbane, Queensland

looks like the same one that was on bugtraq on tuesday


Is that a roundabout way of saying it's old?!@
Jim
Posts: 4188
Location: Brisbane, Queensland
opec you look very different from when I knew you
trog
AGN Admin
Posts: 18462
Location: Brisbane, Queensland
people still use IE, what madmen!
Jim
Posts: 4189
Location: Brisbane, Queensland
those cainers
Predator
Posts: 190
Location: Brisbane, Queensland
Yeah I guess the media has to try harder at desensitizing people to bad things on the internet and we need a few more of those "OH NOES YOUR COMPUTER COULD BE HACKED" emails, and the problem will sort itself out one way or another :)

It's best to deny any knowledge of computer hardware/the internet I've found and give it to some other poor sap to deal with.

Blah tech support what a terrible job :(
scuzzy
Posts: 12104
Location: Brisbane, Queensland
Yeah I guess the media has to try harder at desensitizing people to bad things on the internet and we need a few more of those "OH NOES YOUR COMPUTER COULD BE HACKED" emails, and the problem will sort itself out one way or another :)
I'm still pissed about the disappointing results from the Y2K bug.
jmr
Posts: 4334
Location: Brisbane, Queensland
Wow, that's killer..

A lot of people need to use IE in some situations (myself included) because of applications that won't run through ff.. :(
Opec
Posts: 4039
Location: Brisbane, Queensland

opec you look very different from when I knew you


But deep down I'm still just the same boy next door, Jim. I really am.
Predator
Posts: 191
Location: Brisbane, Queensland
A lot of people need to use IE in some situations (myself included) because of applications that won't run through ff.. :(


.NET 1.1 No touch deployment :(
.NET 2.0 One Click Deployment :(

Blah to ActiveX hacks!

My previous place of employ had our CRM system running clientside vbscript, once microsoft sink their hooks into you it can be hard to get out.

It's also funny to note SharePoint doesn't always seem to behave itself in ff but works fine in ie, but I guess that is to be expected.
Jim
Posts: 4209
Location: Brisbane, Queensland
today's windows update patches included a fix for a 'Address Bar Spoofing Vulnerability' but I tried this test site in IE beta7 and it's still vulnerable
Jim
Posts: 4210
Location: Brisbane, Queensland
trog tested IE6 for me, same deal