Security advice firm Secunia has released information concerning a new flaw with Microsofts web browser, Internet Explorer.
The exploit allows cross site scripting attacks to be performed on users. In the scenario that Secunia have published, users can follow a link to xyz.com, have xyz.com in the address bar yet have content being fed to the browser from another site. Clicking on the "Pad-lock" SSL icon in the bottom corner of internet explorer also reveals xyz.com.
The problem is caused by "DHTML Edit ActiveX control when handling the "execScript()" function in certain situations. This can be exploited to execute arbitrary script code in a users browser session in context of an arbitrary site". The issue affects the most recent releases of Internet Explorer 6.0, including Service Pack 2 patched systems. To avoid the exploit affecting you, its advised that you disable ActiveX. Microsoft have yet to comment or release a patch for the problem.
Other browsers are not affected.
View: Secunia Advisory