Re: New possible scam method : forged websites using XUL (Firefox)

["Marc" <md () nomensa com>]

'Tis true - the "Hide the status bar" is unchecked....and checking it DOES
allow the status bar to be hidden on the spoof site.

The "Hide the status bar" option is unchecked with a *default* installation
of Firefox 0.9.2.

Marc.


----- Original Message -----
From: "Nicholas Knight" <nknight () runawaynet com>
To: <bugtraq () securityfocus com>
Sent: Sunday, August 01, 2004 8:43 PM
Subject: Re: New possible scam method : forged websites using XUL (Firefox)


> Marc wrote:
>
> > The latest version of Firefox is 0.9.2.
> >
> >
> > > The developers of Mozilla are currently looking into various
> > > methods to make a fake user interface more obvious.  The most
> > > likely solution will be to force the status bar to always be
> > > visible, as Microsoft will do with IE6 SP2.
> >
> >
> > This appears to be the case with 0.9.2.
>
> Tools -> Options -> Web Features -> Advanced button by Java/Javascript
> check boxes. I'll bet you have "Hide the status bar" unchecked.
>
> This caught me for a moment, too, then I remembered I always disable
> everything in the Advanced JavaScript Options box, and that's one of
> them. So users actually have a defence right now, but they have to
> specifically set it themselves.