[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
From: Michael Gale <michael@bluesuperman.com>
Date: Wed, 10 Dec 2003 21:30:09 -0700

Ok -- so what happens when we do not disclose this bug or any bug ...
and you.. get tricked into going to a page and giving out credit card
information. Or better yet your mom gets tricked and gives out her
banking information.

Now you or your family members could be out tens of thousands of
dollars. Now depending on your bank your accounts could be frozen until
the end of the investigation and you may have to prove that it was not
you taking out the money.

This shit happens to real people -- my friend at work had $3000 taken,
his account was frozen for several months because of the investigation
and he had to prove he did not take the money.

He was lucky and was about 2hrs away from where the money was taken out
at the time but still had a hard time convienencing the bank it was not
him or a friend.

But all this would of been OK right ... because the ONLY person who
knows about this bug is the one who discovered it and Microsoft, who 
is fixing this right away at the pressure of one person.

Maybe it is time you think out side the M$ window ... I guess when you
have to constantly update your software because of bugs and MAJOR
security flaws. A crashing system on a daily bases because normal one
more bug is just ok right ?

What I would to know is who the $*CK are you to dictate what security
bugs should be known. I guess freedom of speech and knowledge is ok as
long as what you are saying is ok with M$.

Michael.

On Wed, 10 Dec 2003 09:23:40 +0100 (CET)
Feher Tamas <etomcat@freemail.hu> wrote:

> >Proof-of-Concept here:
> >http://www.zapthedingbat.com/security/ex01/vun1.htm
> >
> >Vendor Notified 09 December, 2003
> 
> Unless the bug has already been exploited by malicious people, it was 
> a highly irresponsible act to disclose it to the public, without
> giving Microsoft a reasonable timeframe to produce a fix. It may even
> qualify as a crime!
> 
> Considering the simplicity of this URL faking trick, it will be
> certainly see active use by scammers during this Christmas shopping
> season and thousands of people will be robbed of their online banking
> accounts, etc. The money will boost organized crime and the whole
> society will suffer. A patch would give customers at least a
> theoretical chance to protect themselves and the community.
> 
> I certainly would not object to ZapDingbat getting sued for a few
> billion bucks by M$ or the US Gov't sending him to a long recreation
> at Guantanamo Bay. People like him discredit security research like 
> nothing else and his acts contribute towards legislation that will
> curb people's right to investigate code.
> 
> Regards: Tamas Feher.
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
  - From: "Kristian Hermansen" <khermansen@ht-technology.com>

References:
- [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
  - From: Feher Tamas <etomcat@freemail.hu>

Prev by Date: [Full-Disclosure] [RHSA-2003:390-01] Updated gnupg packages disable ElGamal keys
Next by Date: Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
Previous by thread: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Next by thread: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Index(es):
- Date
- Thread