Full Disclosure mailing list archives
RE: Internet Explorer URL parsing vulnerability - fix available
From: "Robert Ahnemann" <rahnemann () affinity-mortgage com>
Date: Tue, 16 Dec 2003 15:14:27 -0600
That's the beauty of the net...you don't have to if you don't want to.

<snip>
At least Microsoft is a trusted source
</snip>

That's one of the more debatable things I've heard all day...

Rob Ahnemann
Intranet Application Developer
1401 S. Lamar St.
Dallas, TX
800.270.8565 x 780

-----Original Message-----
From: Exibar [mailto:exibar () thelair com]
Sent: Tuesday, December 16, 2003 2:47 PM
To: Gregory A. Gilliss; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Internet Explorer URL parsing vulnerability - fix available

Agreed. I also feel that why should a company pay this 3rd party for a patch for a vulnerability that isn't really *huge* like a slammer or code-red deal. I'm sure that Microsoft will patch it, for free.

If the source isn't available for the 3rd party's patch, how do we know what it's really doing? How do we know it isn't a security hazard? At least Microsoft is a trusted source, and did I mention free already?

If a home user is THAT worried about this vulnerability, they're already aware of what it does and therefore should know better.

Just wait for Microsoft to release the patch is what I say, FWIW.

Exibar

----- Original Message -----
From: "Gregory A. Gilliss" <ggilliss () netpublishing com>
To: <full-disclosure () lists netsys com>
Sent: Tuesday, December 16, 2003 2:29 PM
Subject: Re: [Full-disclosure] Internet Explorer URL parsing vulnerability - fix available

Well his post gives me some pause...since this is a "shareware" product (the poster is out to make some $$$ for themselves) I wonder that it doesn't count as a commercial solicitation. Besides that, AFAIK the URL filter is not available in source code format (for peer review). In short, I'd say that this is about as far from "full disclosure" as you can get, albeit that it does appear to address the vulnerability...

G

On or about 2003.12.16 16:31:54 +0000, Frank Hagenson (fulldisclosure () hagenson com) said:

A fix for this vulnerability is available at my website:
http://www.abracadabrasolutions.com/UrlFilter.htm

Regards,
Frank Hagenson.

--
Gregory A. Gilliss, CISSP    E-mail: greg () gilliss com
Computer Security    WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Internet Explorer URL parsing vulnerability - fix available Frank Hagenson (Dec 16)
- Re: Internet Explorer URL parsing vulnerability - fix available Gregory A. Gilliss (Dec 16)
- Re: Internet Explorer URL parsing vulnerability - fix available Exibar (Dec 16)
- Re: Internet Explorer URL parsing vulnerability - fix available Ron DuFresne (Dec 16)
- <Possible follow-ups>
- RE: Internet Explorer URL parsing vulnerability - fix available Robert Ahnemann (Dec 16)
- Re: Internet Explorer URL parsing vulnerability - fix available Gregory A. Gilliss (Dec 16)