| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Oct 2006 19:33:20 +0200 From: Jerome Athias <jerome.athias@...e.fr> To: LIUDIEYU dot COM <liudieyu.com@...il.com> Cc: Full-Disclosure@...ts.grok.org.uk, NTBugtraq@...tserv.ntbugtraq.com, bugtraq@...urityfocus.com Subject: Re: IE7 is a Source of Problem - Secunia IE7 Release Incident of October 2006 Dear Mi/aster Liu Die Yu, I would like to let you know that i know you and i greatly respect your work. I'm not a security expert, but when i speak about IE vulnerabilities; i speak about Liu Die Yu just as when i speak about oracle vulnerabilities, i speak about *Litchfield when i speak about shatter attacks, i speak about Brett Moore when i speak about games vulnerabilities, i speak about Luigi Auriemma when i speak about web vulnerabilities, i speak about Rgod when i speak about office vulnerabilities, i speak about Class101 i speak also about HD Moore and more guys... it's just as speaking about reggae without speaking about Bob Marley or about how to make money without to speak about Bill Gates (or Dave Aitel) So, for you and these respectable legends: I SALUTE YOU! We all have only one life, and not any time, but legends never die... Thanks /JA * LIUDIEYU dot COM a écrit : > Upon IE7 release, Secunia published SA22477 titled `Internet Explorer > 7 "mhtml:" Redirection Information Disclosure`. > > Here I figured a straightforward demo - navigate IE7 to: > * mhtml:http://www.google.com/url?q=http://www.yahoo.com/ > Google redirects to Yahoo, Yahoo content is loaded, but browser > location is not updated. > > Microsoft blogs assure vulnerability brought up by Secunia is not in > IE7, technically, rather, it's Outlook Express; and as usual, words of > Microsoft were well honored by several public media sources. > > Microsoft do not even send the slightest comment that IE is a source > of problem - despite there involves cross-domain data compromise, HTTP > redirection, ActiveX(DOM also works) ... all in all, when this attack > happens, it got to be IE and no other. > > Let me sum up: in this case IE is vulnerable, only IE is vulnerable, > and Microsoft say "These reports are technically inaccurate: the issue > concerned in these reports is not in Internet Explorer 7 (or any other > version) at all". > > Upon seeing "mhtml:", it reminds of a magnificent historic incident > which also involved "mhtml:" -- an IE exploit so perfectly and widely > utilized that it made CERT suggest "Use a different web browser"(CERT > KB VU#323070), and firstly initiated the boom of Firefox. Of course > Microsoft is unlikely to say technically this is also not IE's > problem. > > At last allow me to put an off-topic yet sentimental complain ... > Quite a while ago, when I got IE exploits and Secunia broadcasted > about them, my name was in every news report; This month same > situation, codedreamer - original finder of the "mhtml:" thing > broadcasted by Secunia - was not properly given credit ... no > mentioning in news reports, no mentioning in the famous first ever IE7 > advisory SA22477, codedreamer made the whole thing yet Secunia gave > but one single line of credit in bottom of demo "The test is based on > Proof of Concept code by codedreamer". Let me say I'm a man who > believes in paying respect, thus I made this little complain, paying > my respect to codedreamer. > > > Best Wishes for All Firefox Surfers and Firefox 2.0 > > Liu Die Yu > 25 OCT 06 > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists