| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4aff5567.2502303@sandman.za.net> Date: Thu, 16 Feb 2006 05:41:03 +0200 From: Markus <full-disclosure@...dman.za.net> To: Thierry Zoller <Thierry@...ler.lu> Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com Subject: Re: Internet Explorer drag&drop 0day Hi Thierry, I think I understand now. You did it for the `shock` effect. I guess it is nothing more than a matter of opinion. ( I mean this to be nothing more than... a free bit of market research I suppose. ) My opinion being that; most users would find it an invasive and deceptive tactic. e.g. If a company was found to have released a successful virus campaign and their product was the only protection against it. I wouldn't purchase that product. Or the far more ridiculous: The door to door salesman who pours cranberry juice on the old lady's carpet doesn't get the chance to prove how well the vacuum cleaner works. This is hardly worth reading so I'm going to stop writing it. Good luck Thierry. Markus -- >Dear Markus, > >M> under the heading "Do you have a demonstration ?", both links to the >M> demo "exploit" are dead. >Yes they are, I was to lazy to remove them. I will replace them with >some working PoC heise.de links. > >M> I assume in an attempt to hide the target url you meant to use the >M> * onclick * javascript event, or even the * onmousedown * or * onmouse * up, >M> but surely not the * onmouseover * ! >No I used on mouse over. The "exploit" was a PoC nothing more, I think >to recall it launched calc.exe or similar (google for shreddersub7) > >M> You are aware that you current chosen method would have launched your >M> exploit on the machine of a prospective customer, >The links are supposed to do so. > >M> Please give your web designer a whack on the side of the head though. >That would be me.... ouch! that hurt. > >I know I need a redesign for sake of usability. > >-- >http://secdev.zoller.lu >Thierry Zoller >Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7 > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists