[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

To: Feher Tamas <etomcat@freemail.hu>
Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
From: William Warren <hescominsoon@trifles.com>
Date: Wed, 10 Dec 2003 09:18:12 -0500

if it were not for folks willing to disclose this stuff MS would never have patched anyways...MS does not care about security(much to the contrary of all the FUD MS puts out about it) so frankly the acct that lists like this exist help to keep all computer users up 2 date...also you think MS would have told us about hits on its own? NO way..has anyone tried older versions of IE..i have a feeling this is a long-time error..:)

Feher Tamas wrote:

Proof-of-Concept here:
http://www.zapthedingbat.com/security/ex01/vun1.htm
Vendor Notified 09 December, 2003
Unless the bug has already been exploited by malicious people, it was a highly irresponsible act to disclose it to the public, without giving Microsoft a reasonable timeframe to produce a fix. It may even qualify as a crime!

Considering the simplicity of this URL faking trick, it will be certainly see active use by scammers during this Christmas shopping season and thousands of people will be robbed of their online banking accounts, etc. The money will boost organized crime and the whole society will suffer. A patch would give customers at least a theoretical chance to protect themselves and the community.

I certainly would not object to ZapDingbat getting sued for a few billion bucks by M$ or the US Gov't sending him to a long recreation at Guantanamo Bay. People like him discredit security research like nothing else and his acts contribute towards legislation that will curb people's right to investigate code.

Regards: Tamas Feher.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


--
May God Bless you and everything you touch.

My "foundation" verse: Isaiah 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
  - From: Feher Tamas <etomcat@freemail.hu>

Prev by Date: RE: [Full-Disclosure] RE: FWD: Internet Explorer URL parsing vulnerability
Next by Date: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Previous by thread: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Next by thread: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Index(es):
- Date
- Thread