Message-ID: <20050411074311.8B85E84F@lists.grok.org.uk>
Date: Mon Apr 11 08:43:39 2005
From: randallm at fidmail.com (Randall M)
Subject: UPDATE was RE: [NT] Microsoft Multiple E-Mail
	Client AddressSpoofing Vulnerability



:-----Original Message-----
:From: full-disclosure-bounces@...ts.grok.org.uk 
:[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf 
:Of Randall M
:Sent: Sunday, April 10, 2005 7:43 PM
:To: 'SecuriTeam'; full-disclosure@...ts.grok.org.uk
:Subject: [Full-disclosure] RE: [NT] Microsoft Multiple E-Mail 
:Client AddressSpoofing Vulnerability
:
:
:Overall finding: No spoofing is of concern with POP3 account 
:or Exchange 2000 using Outlook 2003 since "reply" or "reply to 
:all" will only go to the spoof address (used for social 
:engineering) and not the default sender address (the one 
:attempting to use social engineering). Thus social engineering 
:attempts will not work.
:
<SNIP>
____________________________________


I would like to add a concern, though. Even though a reply cannot
lead to gaining inside information because the "replying" will only
go to the spoofed address, a "Spoofing" of the sender
can be used to encourage clicking on a link intended to be
harmful. And as it was pointed out that care should be followed,
if the email is viewed with preview pane it is not apparent that
the sender spoofed his address. If my boss sends an email and says
"I want you to read this" I usually don't question the "sender" or
think it to be spoofed. This then brings into question the rights
of "Send on behalf" that seem to be bypassed on Exchange Server.


Thank You
RandallM


__________________________________________________________________-
:-----Original Message-----
:From: SecuriTeam [mailto:support@...uriteam.com] 
:Sent: Sunday, April 10, 2005 10:50 AM
:To: list@...uriteam.com
:Subject: [NT] Microsoft Multiple E-Mail Client Address 
:Spoofing Vulnerability
:
<SNIP>-----------------------
:---------
:
:
:SUMMARY
:
: <http://www.microsoft.com/outlook/> Microsoft Outlook 
:provides an integrated solution for managing and organizing 
:e-mail messages, schedules, tasks, notes, contacts, and other 
:information. Remote exploitation of an address spoofing 
:vulnerability in various Microsoft Corp. e-mail clients could 
:allow attackers to social engineer sensitive information from 
:end users.

<SNIP>
______________________________________

