December 21, 2004
Internet Explorer Cross-Site Scripting Flaw

Platform: Internet Explorer 6.0
Microsoft Severity: no comment yet
Actual Severity: CRITICAL
Danish security firm Secunia reported last Friday an IE vulnerability that lets phishers trick users into thinking they are securely connected to their financial institution or other commerce site, when in fact they're being spoofed by the phisher to capture the victim's user ID and password.
Secunia says the problem occurs even on systems running SP2 and the latest Microsoft security patches. It results from an error in the "DHTML Edit" ActiveX control when invoked by the execScript() function.
The end user must first visit a malicious site, which invokes the bug and then waits for the user to visit a targeted commerce site, at which point the user is surreptitiously redirected to a forged replica site. To the user, the URL in the navigation bar looks correct and the SSL lock icon may even appear. When the user logs into the forged site, the forger captures the victim's user ID and password.
Secunia's site includes an online demonstration of the flaw to let you test your browser.
Microsoft says it is looking into the problem and will publish a fix if warranted. In lieu of a fix, you should disable ActiveX controls in IE, or set the browser security level to "high" for the Internet zone. When visiting any commerce site, Dr. I. Doctor recommends that you always hand-type the URL in a fresh browser window, and ideally never use Internet Explorer!
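To check whether a machine already has the workaround above in place, here is a read-only audit of the current user's Internet zone, added as an example and not part of Secunia's or Microsoft's guidance. The registry path and URL-action codes are the standard IE zone settings and are assumptions brought in here, not values from this post; the function name is hypothetical.

```powershell
# Added example: read-only audit of the Internet zone (zone 3) ActiveX settings.
# Assumption: standard per-user IE zone registry layout; nothing is modified.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL actions that control ActiveX in a zone.
$actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

# Policy values stored for each action.
$policyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-InternetZoneActiveXAudit {
    $props = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue

    # CurrentLevel 0x12000 is the "High" template.
    $level = if ($props) { $props.CurrentLevel } else { $null }
    [pscustomobject]@{
        Action    = 'CurrentLevel'
        Meaning   = 'Zone security level'
        Setting   = if ($null -eq $level) { 'Not set' } else { '0x{0:X}' -f $level }
        Mitigated = ($level -eq 0x12000)
    }

    foreach ($id in $actions.Keys) {
        $value = if ($props) { $props.$id } else { $null }
        $setting =
            if ($null -eq $value) { 'Not set' }
            elseif ($policyNames.ContainsKey([int]$value)) { $policyNames[[int]$value] }
            else { 'Other (0x{0:X})' -f $value }

        [pscustomobject]@{
            Action    = $id
            Meaning   = $actions[$id]
            Setting   = $setting
            Mitigated = ($value -eq 3)   # only "Disable" counts as the workaround
        }
    }
}

Get-InternetZoneActiveXAudit | Format-Table -AutoSize
```

Any row for 1200 that is not "Disable" means ActiveX controls can still run in the Internet zone. Group Policy settings, if present, can override these per-user values.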
Secunia's advisory bulletin, SA13482, is online at:
http://secunia.com/advisories/13482/
Secunia's demonstration of the flaw is at:
http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/
Posted by Mel Beckman at December 21, 2004 11:22 AM