Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: Internet Explorer URL parsing vulnerability

From: "Exibar" <exibar () thelair com>
Date: Wed, 10 Dec 2003 10:55:29 -0500
I can see many people getting duped with this:

https://www.paypal.com%01@www.let_me_steal_your_money.com

so I completely know where you're coming from.

  exibar


----- Original Message ----- 
From: "Feher Tamas" <etomcat () freemail hu>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, December 10, 2003 3:23 AM
Subject: [Full-disclosure] Re: Internet Explorer URL parsing vulnerability



Proof-of-Concept here:
http://www.zapthedingbat.com/security/ex01/vun1.htm

Vendor Notified 09 December, 2003


Unless the bug has already been exploited by malicious people, it was
a highly irresponsible act to disclose it to the public, without giving
Microsoft a reasonable timeframe to produce a fix. It may even qualify
as a crime!

Considering the simplicity of this URL faking trick, it will be certainly

see

active use by scammers during this Christmas shopping season and
thousands of people will be robbed of their online banking accounts,
etc. The money will boost organized crime and the whole society will
suffer. A patch would give customers at least a theoretical chance to
protect themselves and the community.

I certainly would not object to ZapDingbat getting sued for a few billion
bucks by M$ or the US Gov't sending him to a long recreation at
Guantanamo Bay. People like him discredit security research like
nothing else and his acts contribute towards legislation that will curb
people's right to investigate code.

Regards: Tamas Feher.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: