[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
- To: full-disclosure@lists.netsys.com
- Subject: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
- From: Feher Tamas <etomcat@freemail.hu>
- Date: Wed, 10 Dec 2003 09:23:40 +0100 (CET)
>Proof-of-Concept here:
>http://www.zapthedingbat.com/security/ex01/vun1.htm
>
>Vendor Notified 09 December, 2003
Unless the bug has already been exploited by malicious people, it was
a highly irresponsible act to disclose it to the public, without giving
Microsoft a reasonable timeframe to produce a fix. It may even qualify
as a crime!
Considering the simplicity of this URL faking trick, it will be certainly see
active use by scammers during this Christmas shopping season and
thousands of people will be robbed of their online banking accounts,
etc. The money will boost organized crime and the whole society will
suffer. A patch would give customers at least a theoretical chance to
protect themselves and the community.
I certainly would not object to ZapDingbat getting sued for a few billion
bucks by M$ or the US Gov't sending him to a long recreation at
Guantanamo Bay. People like him discredit security research like
nothing else and his acts contribute towards legislation that will curb
people's right to investigate code.
Regards: Tamas Feher.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html