'Tis true - the "Hide the status bar" is unchecked....and checking it DOES allow the status bar to be hidden on the spoof site.

The "Hide the status bar" option is unchecked with a *default* installation of Firefox 0.9.2.

Marc.

----- Original Message -----
From: "Nicholas Knight" <nknight@xxxxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Sunday, August 01, 2004 8:43 PM
Subject: Re: New possible scam method : forged websites using XUL (Firefox)

> Marc wrote:
>
> > The latest version of Firefox is 0.9.2.
> >
> >
> >>The developers of Mozilla are currently looking into various
> >>methods to make a fake user interface more obvious. The most
> >>likely solution will be to force the status bar to always be
> >>visible, as Microsoft will do with IE6 SP2.
> >
> >
> > This appears to be the case with 0.9.2.
>
> Tools -> Options -> Web Features -> Advanced button by Java/Javascript
> check boxes. I'll bet you have "Hide the status bar" unchecked.
>
> This caught me for a moment, too, then I remembered I always disable
> everything in the Advanced JavaScript Options box, and that's one of
> them. So users actually have a defence right now, but they have to
> specifically set it themselves.