Ok -- so what happens when we do not disclose this bug or any bug ... and you get tricked into going to a page and giving out credit card information. Or better yet, your mom gets tricked and gives out her banking information.

Now you or your family members could be out tens of thousands of dollars. Now depending on your bank your accounts could be frozen until the end of the investigation and you may have to prove that it was not you taking out the money. This shit happens to real people -- my friend at work had $3000 taken, his account was frozen for several months because of the investigation and he had to prove he did not take the money. He was lucky and was about 2hrs away from where the money was taken out at the time, but still had a hard time convincing the bank it was not him or a friend. But all this would have been OK, right ... because the ONLY person who knows about this bug is the one who discovered it and Microsoft, who is fixing this right away at the pressure of one person.

Maybe it is time you think outside the M$ window ... I guess when you have to constantly update your software because of bugs and MAJOR security flaws. A crashing system on a daily basis is normal; one more bug is just OK, right? What I would like to know is who the $*CK are you to dictate what security bugs should be known. I guess freedom of speech and knowledge is OK as long as what you are saying is OK with M$.

Michael.

On Wed, 10 Dec 2003 09:23:40 +0100 (CET) Feher Tamas <[EMAIL PROTECTED]> wrote:

> >Proof-of-Concept here:
> >http://www.zapthedingbat.com/security/ex01/vun1.htm
> >
> >Vendor Notified 09 December, 2003
>
> Unless the bug has already been exploited by malicious people, it was
> a highly irresponsible act to disclose it to the public, without
> giving Microsoft a reasonable timeframe to produce a fix. It may even
> qualify as a crime!
>
> Considering the simplicity of this URL faking trick, it will
> certainly see active use by scammers during this Christmas shopping
> season and thousands of people will be robbed of their online banking
> accounts, etc. The money will boost organized crime and the whole
> society will suffer. A patch would give customers at least a
> theoretical chance to protect themselves and the community.
>
> I certainly would not object to ZapDingbat getting sued for a few
> billion bucks by M$ or the US Gov't sending him to a long recreation
> at Guantanamo Bay. People like him discredit security research like
> nothing else and his acts contribute towards legislation that will
> curb people's right to investigate code.
>
> Regards: Tamas Feher.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
