A new flaw that affects fully patched up Windows XP computers running SP2 and Internet Explorer 6.0 has been discovered by researchers in Denmark. The vulnerability could allow phishers an even more sophisticated attack on unsuspecting users.
The vulnerability allows an attacker to display any website name in the address bar and even a padlock icon showing an SSL certificate while the attacker's fake web site tries to garner information from the victim.
The vulnerability is caused by an error in the DHTML Edit ActiveX control when handling the "execScript()" function in certain situations. The flaw can run arbitrary code in the browser.
The flaw was discovered by researchers at Greyhats Security Group. At the time of writing this article, Microsoft had not released a patch to counteract the problem but is investigating the problem.
Danish security company Secunia has advised users to set security levels in Internet Explorer to "high".
Microsoft in a statement said upon completion of its investigation it will take appropriate action to protect its customers, which "may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs".