[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

To: <full-disclosure@lists.netsys.com>
Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
From: "Clint Bodungen" <clint@secureconsulting.com>
Date: Wed, 10 Dec 2003 09:05:28 -0600

Please see my original post... oh wait... I'll paste it.

I don't really think it will make that much of a difference their profits
considering anyone dumb enough to fall for those scams isn't going to know
the difference between an IP address in the URL box and a "spoofed" domain.
I had a client fall for an eBay scam and the end resulting domain in the URL
box was damn near www.robbingyoublinddamngringo.com.  I can see where a more
effective scam would be, like you hinted at, the infamous microsoft security
update emails.

----- Original Message ----- 
From: "Feher Tamas" <etomcat@freemail.hu>
To: <full-disclosure@lists.netsys.com>
Sent: Wednesday, December 10, 2003 2:23 AM
Subject: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability


>
> Unless the bug has already been exploited by malicious people, it was
> a highly irresponsible act to disclose it to the public, without giving
> Microsoft a reasonable timeframe to produce a fix. It may even qualify
> as a crime!
>
> Considering the simplicity of this URL faking trick, it will be certainly
see
> active use by scammers during this Christmas shopping season and
> thousands of people will be robbed of their online banking accounts,
> etc. The money will boost organized crime and the whole society will
> suffer. A patch would give customers at least a theoretical chance to
> protect themselves and the community.
>
> I certainly would not object to ZapDingbat getting sued for a few billion
> bucks by M$ or the US Gov't sending him to a long recreation at
> Guantanamo Bay. People like him discredit security research like
> nothing else and his acts contribute towards legislation that will curb
> people's right to investigate code.
>
> Regards: Tamas Feher.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
  - From: S G Masood <sgmasood@yahoo.com>

References:
- [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
  - From: Feher Tamas <etomcat@freemail.hu>

Prev by Date: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Next by Date: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Previous by thread: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Next by thread: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Index(es):
- Date
- Thread