Full Disclosure mailing list archives
Re: Re: Internet Explorer URL parsing vulnerability
From: Michael Gale <michael () bluesuperman com>
Date: Wed, 10 Dec 2003 21:30:09 -0700
Ok -- so what happens when we do not disclose this bug or any bug ... and you get tricked into going to a page and giving out credit card information. Or better yet, your mom gets tricked and gives out her banking information. Now you or your family members could be out tens of thousands of dollars. Depending on your bank, your accounts could be frozen until the end of the investigation and you may have to prove that it was not you taking out the money.

This shit happens to real people -- my friend at work had $3000 taken, his account was frozen for several months because of the investigation and he had to prove he did not take the money. He was lucky and was about 2 hrs away from where the money was taken out at the time, but still had a hard time convincing the bank it was not him or a friend.

But all this would have been OK, right ... because the ONLY people who know about this bug are the one who discovered it and Microsoft, who is fixing this right away at the pressure of one person.

Maybe it is time you think outside the M$ window ... I guess when you have to constantly update your software because of bugs and MAJOR security flaws, a crashing system on a daily basis because of one more bug is just OK, right?

What I would like to know is who the $*CK are you to dictate what security bugs should be known. I guess freedom of speech and knowledge is OK as long as what you are saying is OK with M$.

Michael.

On Wed, 10 Dec 2003 09:23:40 +0100 (CET) Feher Tamas <etomcat () freemail hu> wrote:
> Proof-of-Concept here: http://www.zapthedingbat.com/security/ex01/vun1.htm
> Vendor Notified 09 December, 2003
>
> Unless the bug has already been exploited by malicious people, it was a highly irresponsible act to disclose it to the public without giving Microsoft a reasonable timeframe to produce a fix. It may even qualify as a crime!
>
> Considering the simplicity of this URL faking trick, it will certainly see active use by scammers during this Christmas shopping season and thousands of people will be robbed of their online banking accounts, etc. The money will boost organized crime and the whole society will suffer. A patch would give customers at least a theoretical chance to protect themselves and the community.
>
> I certainly would not object to ZapDingbat getting sued for a few billion bucks by M$ or the US Gov't sending him to a long recreation at Guantanamo Bay. People like him discredit security research like nothing else and his acts contribute towards legislation that will curb people's right to investigate code.
>
> Regards: Tamas Feher.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html