[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] Secunia Advisory: URL Spoofing

To: <bugtraq@securityfocus.com>
Subject: [Full-Disclosure] Secunia Advisory: URL Spoofing
From: "http-equiv@excite.com" <1@malware.com>
Date: Fri, 12 Dec 2003 15:30:26 -0000


While Secunia is doing a fantastic job [truly] of compiling 
advisories as soon as issues are discovered by others, they do need 
to make it absolutely clear to the media that they appear to have to 
talk to and in the information that they release just who found 
these flaws.

This particular url spoofing issue is being diluted across the major 
wires as follows [there are several others as well]:

'The Web browser flaw, discovered Tuesday by Danish tech security 
firm Secunia, could trigger a surge in an e-mail scam, called 
phishing, security experts say.' 

http://www.usatoday.com/tech/news/2003-12-11-microsoft2_x.htm

'Secunia says it has found an "input validation" error in Internet 
Explorer. By exploiting this vulnerability, known as a URL-spoofing 
vulnerability, attackers can display any URL name they wish in the 
address and status bars of IE.'

http://www.internetwk.com/breakingNews/showArticle.jhtml?
articleID=16700306

'Secunia, a company that provides security services worldwide, 
claims to have found a vulnerability in Internet Explorer 6 that 
would allow domain names to be spoofed. The result would make it 
appear that a user were connecting to one domain when, in reality, 
he or she was communicating with a completely different domain. If 
done properly, an attacker could fool a user into inputting 
sensitive or private information.'

http://www.geek.com/news/geeknews/2003Dec/gee20031211023028.htm

There is a tiny credit notation at the end of each of the so-called 
Secunia 'advisories' on secunia.com but that is proving to be 
insufficient.

Initial reporting was accurate in crediting: Zap The Dingbat, who 
found this. Let's not have the excitement of the moment get in the 
way of the facts.:

http://www.zapthedingbat.com/security/ex01/vun1.htm


-- 
http://www.malware.com





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Secunia Advisory: URL Spoofing
  - From: Thomas Kristensen <tk@secunia.com>

Prev by Date: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
Next by Date: [Full-Disclosure] Re: A new TCP/IP blind data injection technique?
Previous by thread: [Full-Disclosure] 2nd CfP DIMVA 2004
Next by thread: Re: [Full-Disclosure] Secunia Advisory: URL Spoofing
Index(es):
- Date
- Thread