Microsoft Internet Explorer Popup Title Bar Spoofing Weakness

Thursday, February 24 2005 @ 09:32 PM EST

bitlance winter has discovered a weakness in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.

Windows XP SP2 has a security feature that forces the URL of a popup to be present in the title bar when the popup has been opened without the address bar.

The problem is that the title bar can be spoofed via an overly long hostname. A malicious web site can exploit this, for example, to trick a user into entering sensitive information in a popup placed over a trusted site.

The weakness has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2.

SOFTWARE:
Microsoft Internet Explorer 6

SOLUTION:
Do not enter sensitive information in popups after following links from untrusted sources.
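
A defender-side check for the condition described above, added here as an example and not part of the Secunia advisory: it flags URLs in proxy log lines whose hostname is unusually long and reports the rightmost labels, which identify who actually controls the name. The log format, both thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

MAX_HOST_LEN = 60   # assumed triage threshold; the advisory gives no figure
MAX_LABELS = 6      # assumed: ordinary hostnames rarely have more labels

def inspect_host(url):
    """Return a finding dict if the URL's hostname looks overly long, else None."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:          # malformed authority, e.g. unbalanced brackets
        return {"url": url, "host": None, "tail": None, "reasons": ["unparseable"]}
    labels = host.split(".") if host else []
    reasons = []
    if len(host) > MAX_HOST_LEN:
        reasons.append(f"hostname is {len(host)} chars")
    if len(labels) > MAX_LABELS:
        reasons.append(f"{len(labels)} labels")
    if not reasons:
        return None
    # The rightmost labels identify who controls the name. Two labels is an
    # approximation; production tooling should use the Public Suffix List.
    return {"url": url, "host": host, "tail": ".".join(labels[-2:]), "reasons": reasons}

def scan(log_lines):
    """Scan lines of the assumed form '<time> <client> <method> <url>'."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        finding = inspect_host(fields[3])
        if finding:
            findings.append(finding)
    return findings

# Constructed sample data: .example and .test are reserved names.
LONG_HOST = "www.trusted-bank.example." + ".".join(["a" * 20] * 4) + ".untrusted.test"
SAMPLE_LOG = [
    "2005-02-24T21:30:01 10.0.0.5 GET http://www.trusted-bank.example/login",
    f"2005-02-24T21:30:07 10.0.0.5 GET http://{LONG_HOST}/popup.html",
    "2005-02-24T21:30:09 10.0.0.5 GET http://[bad/popup.html",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["tail"], f["reasons"], f["url"])
```
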

VERIFY ADVISORY:
http://secunia.com/advisories/14335/

Secunia Security Advisories
