lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: etomcat at freemail.hu (Feher Tamas)
Subject: Re: Internet Explorer URL parsing vulnerability

>Proof-of-Concept here:
>http://www.zapthedingbat.com/security/ex01/vun1.htm
>
>Vendor Notified 09 December, 2003

Unless the bug has already been exploited by malicious people, it was 
a highly irresponsible act to disclose it to the public, without giving 
Microsoft a reasonable timeframe to produce a fix. It may even qualify 
as a crime!

Considering the simplicity of this URL faking trick, it will be certainly see 
active use by scammers during this Christmas shopping season and 
thousands of people will be robbed of their online banking accounts, 
etc. The money will boost organized crime and the whole society will 
suffer. A patch would give customers at least a theoretical chance to 
protect themselves and the community.

I certainly would not object to ZapDingbat getting sued for a few billion 
bucks by M$ or the US Gov't sending him to a long recreation at 
Guantanamo Bay. People like him discredit security research like 
nothing else and his acts contribute towards legislation that will curb 
people's right to investigate code.

Regards: Tamas Feher.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ