Hello,

I was reading the "IE chromeless window vulnerabilities" thread and thought maybe I could add some proof of concept to this discussion.

This very simple demo: http://www.systemintegra.com/ie-fullscreen/ shows how the system password could be captured thanks to Internet Explorer working in full-screen mode. Certainly it could be more advanced and designed to detect the platform to show the correct login window.

It will work fine on the local network, however it has to be optimised for Internet use - everything has to appear immediately and no download process can be visible.

Best Regards,

Marek Bialoglowy (ultor@systemintegra.com) - IT Security Researcher
PGPkey: http://www.systemintegra.com/pgp/ultor.asc | ID: 0x4B36656E
JOB: (CTO) System Integra | JKT, Indonesia | Timezone: JAVT, GMT +7