Just read about this on the Secunia.com website. This one is a real scary one.
A new cross site scripting Vulnerability was discovered in the DHTML Edit ActiveX control in Internet Explorer when handling the ‘execScript()’ function. This allows the attacker to inject arbitrary script code in a user’s browser session in context of an arbitrary site. The best part is that even the SSL certificates etc are passed so there’s absolutely no way to find out if the site is spoofed or not. The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP1/SP2.
Check out a demo of the attack at: http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/. The link above is hosted by the group which published the vulnerability. You can read the original advisory here
The code to create your own spoofed sites can be gotten by viewing the source code for the above page. I copied it to my site and tested it and it actually works. Don’t try anything stupid with this code ’cause if you do you will be caught and then you can pass my regards to Bubba your new cell-mate.
Mozilla Firefox is not affected by this so stop using IE and enjoy the holiday shopping without worying about phishing attacks.
Enjoy.