I am also on SP2...you are SP1

R

-----Original Message-----
From: Exibar [mailto:[EMAIL PROTECTED]
Sent: December 10, 2003 9:52 AM
To: Rui Pereira
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

Works as advertised on IE6.0.2800.1106.xpsp1.... interesting, must be the
httpS that's throwing it..

----- Original Message -----
From: "Rui Pereira" <[EMAIL PROTECTED]>
To: "'Exibar'" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, December 10, 2003 12:13 PM
Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

> Er, on IE6.0.2800.1106.xpsp2....this shows up as
> https://www.let_me_steal_your_money.com/ in the address line. Guess it
> don't work as advertised. Maybe we should all upgrade? ;)
>
> R
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Exibar
> Sent: December 10, 2003 7:55 AM
> To: Feher Tamas; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
> I can see many people getting duped with this:
>
> https://[EMAIL PROTECTED]
>
> so I completely know where you're coming from.
>
> exibar
>
>
> ----- Original Message -----
> From: "Feher Tamas" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 10, 2003 3:23 AM
> Subject: [Full-Disclosure] Re: Internet Explorer URL parsing
> vulnerability
>
>
> > >Proof-of-Concept here:
> > >http://www.zapthedingbat.com/security/ex01/vun1.htm
> > >
> > >Vendor Notified 09 December, 2003
> >
> > Unless the bug has already been exploited by malicious people, it was
> > a highly irresponsible act to disclose it to the public, without giving
> > Microsoft a reasonable timeframe to produce a fix. It may even qualify
> > as a crime!
> >
> > Considering the simplicity of this URL faking trick, it will certainly see
> > active use by scammers during this Christmas shopping season and
> > thousands of people will be robbed of their online banking accounts,
> > etc. The money will boost organized crime and the whole society will
> > suffer. A patch would give customers at least a theoretical chance to
> > protect themselves and the community.
> >
> > I certainly would not object to ZapDingbat getting sued for a few billion
> > bucks by M$ or the US Gov't sending him to a long recreation at
> > Guantanamo Bay. People like him discredit security research like
> > nothing else and his acts contribute towards legislation that will curb
> > people's right to investigate code.
> >
> > Regards: Tamas Feher.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
