[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031210192114.GA71757@netpublishing.com>
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: Re: Internet Explorer URL parsing vulnerability
Tamas,
I suggest that you unsubscribe. You don't belong here. You are on the side
of the vendors (who have had ample time to fix their crappy software).
Subscribe to bugtraq or somewhere else that the non-hackers and people
who subscribe to the security-by-responsible-obscurity crowd gathers.
This is full disclosure, the place for people with clue.
G
On or about 2003.12.10 09:23:40 +0000, Feher Tamas (etomcat@...email.hu) said:
> >Proof-of-Concept here:
> >http://www.zapthedingbat.com/security/ex01/vun1.htm
> >
> >Vendor Notified 09 December, 2003
>
> Unless the bug has already been exploited by malicious people, it was
> a highly irresponsible act to disclose it to the public, without giving
> Microsoft a reasonable timeframe to produce a fix. It may even qualify
> as a crime!
>
> Considering the simplicity of this URL faking trick, it will be certainly see
> active use by scammers during this Christmas shopping season and
> thousands of people will be robbed of their online banking accounts,
> etc. The money will boost organized crime and the whole society will
> suffer. A patch would give customers at least a theoretical chance to
> protect themselves and the community.
>
> I certainly would not object to ZapDingbat getting sued for a few billion
> bucks by M$ or the US Gov't sending him to a long recreation at
> Guantanamo Bay. People like him discredit security research like
> nothing else and his acts contribute towards legislation that will curb
> people's right to investigate code.
>
> Regards: Tamas Feher.
--
Gregory A. Gilliss, CISSP E-mail: greg@...liss.com
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
Powered by blists - more mailing lists