| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 12 Dec 2003 18:55:38 +0100 From: Thomas Kristensen <tk@...unia.com> To: 1@...ware.com Cc: bugtraq@...urityfocus.com, NTBugtraq@...tserv.ntbugtraq.com, full-disclosure@...ts.netsys.com Subject: Re: Secunia Advisory: URL Spoofing Hi, Thank you for the praising words :-) You are absolutely right. Obviously, we do not want to take credit from anyone; we greatly appreciate the work done by everyone in the security community. We will change certain parts of our advisories no later than next week to make it perfectly clear, who discovers the vulnerabilities. The change will be effective immediately on our website (www.secunia.com) and in all future email advisories. However, I would also like to stress that whenever an advisory is accessible from the researchers' private pages, we link to their original research. We therefore encourage everyone to place copies of their advisories on websites so that we and others can link directly to their respective research. BTW. We are looking to hire two new members to our security team in Copenhagen, Denmark by then end of May - interested ? Drop me a few lines. Kind regards, Thomas Kristensen Secunia On Fri, 2003-12-12 at 16:30, http-equiv@...ite.com wrote: > > > While Secunia is doing a fantastic job [truly] of compiling > advisories as soon as issues are discovered by others, they do need > to make it absolutely clear to the media that they appear to have to > talk to and in the information that they release just who found > these flaws. > > This particular url spoofing issue is being diluted across the major > wires as follows [there are several others as well]: > > 'The Web browser flaw, discovered Tuesday by Danish tech security > firm Secunia, could trigger a surge in an e-mail scam, called > phishing, security experts say.' > > http://www.usatoday.com/tech/news/2003-12-11-microsoft2_x.htm > > 'Secunia says it has found an "input validation" error in Internet > Explorer. By exploiting this vulnerability, known as a URL-spoofing > vulnerability, attackers can display any URL name they wish in the > address and status bars of IE.' > > http://www.internetwk.com/breakingNews/showArticle.jhtml? > articleID=16700306 > > 'Secunia, a company that provides security services worldwide, > claims to have found a vulnerability in Internet Explorer 6 that > would allow domain names to be spoofed. The result would make it > appear that a user were connecting to one domain when, in reality, > he or she was communicating with a completely different domain. If > done properly, an attacker could fool a user into inputting > sensitive or private information.' > > http://www.geek.com/news/geeknews/2003Dec/gee20031211023028.htm > > There is a tiny credit notation at the end of each of the so-called > Secunia 'advisories' on secunia.com but that is proving to be > insufficient. > > Initial reporting was accurate in crediting: Zap The Dingbat, who > found this. Let's not have the excitement of the moment get in the > way of the facts.: > > http://www.zapthedingbat.com/security/ex01/vun1.htm > > > -- > http://www.malware.com > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > -- Kind regards, Thomas Kristensen CTO Secunia Toldbodgade 37B 1253 Copenhagen K Denmark Tlf.: +45 7020 5144 Fax: +45 7020 5145 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists