| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 40801 | 2003-12-18 22:48:00 | News: Open source firm releases patch for IE spoofing flaw | stu140103 (137) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 201590 | 2003-12-18 22:48:00 | Open source firm releases patch for IE spoofing flaw An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability ( . theage . com . au/articles/2003/12/12/1071125632006 . html" target="_blank">www . theage . com . au) in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information . Openwares . org ( . openwares . org/), a Vaunatian company, with branches in Israel, the US and France, released the patch (http://security . openwares . org/" target="_blank">www . openwares . org/), a Vaunatian company, with branches in Israel, the US and France, released the patch (http:) and the source code for the same a couple of days back . The company has also set up two pages where users can test to see if they are vulnerable to the exploit, one a fake Microsoft Update example and the other an example of a fake PayPal site . In its advisory, issued along with the patch, Openwares . org said: "Successful exploitation (of this flaw) allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page . " It gave the vulnerability a rating of 5 on a five-point scale . While Microsoft has released ( . theage . com . au/articles/2003/12/16/1071336936381 . html" target="_blank">www . theage . com . au) an article providing details about the vulnerability, the company is yet to provide a patch . The flaw was disclosed on December 9 by graphic designer Sam Greenhalgh . (http://www . zapthedingbat . com/) |
stu140103 (137) | ||
| 201591 | 2003-12-18 23:41:00 | From the age article, no firebird is not vulnerable it correctly displays "windowsupdate.microsoft.com%01@security.openwares. org on the test pages. I imagine it will not take long to spammers, etc to star exploiting this bug. It is trivial to use and MS won't be releasing a patch until ~15 Jan at the earliest so it is part of their monthly patch set. |
bmason (508) | ||
| 201592 | 2003-12-18 23:45:00 | And after all, MS had declared December a patch-free month. :D | Graham L (2) | ||
| 201593 | 2003-12-19 00:21:00 | Interesting . Firebird displayed the entire URL for me so it is strange that they are claiming that it can be spoofed in Firebird . > And after all, MS had declared December a patch-free month . They said they are giving us a holiday from patches . :D |
Susan B (19) | ||
| 201594 | 2003-12-19 02:00:00 | > And after all, MS had declared December a patch-free month . What??? How do they expect to keep their os's running? |
ilikelinux (1418) | ||
| 201595 | 2003-12-19 02:07:00 | Windows 95 runs fine, and it hasn't had patches released for some time now... ;) | agent (30) | ||
| 201596 | 2003-12-19 02:44:00 | Yet another reason to ditch IE and move to a more safer and faster browser.. Gee when will people get the message! <grin> |
ugh1 (4204) | ||
| 201597 | 2003-12-19 02:48:00 | The classic patch for W95 was the one which fixed the "48.2 day" bug. If it ran that long without crashing, it was guaranteed to crash then. | Graham L (2) | ||
| 201598 | 2003-12-20 03:23:00 | Any IE users thinking about installing the patch might want to read this (www.theregister.co.uk). Sounds like it was poorly implemented, and may have included spyware. BTW, according to the link the problem is with both %01 and %00 (NULL). If it does work with NULL then the lack of security testing done on IE is shocking. Checking it handles the NULL character correctly would be one of the first things to check for a program written in C/C++ (C uses NULL to mark the end of strings). |
bmason (508) | ||
| 201599 | 2003-12-20 08:39:00 | > Any IE users thinking about installing the patch > might want to read > this (www.theregister.co.uk > ). Sounds like it was poorly implemented, > and may have included spyware. bugger!!!!( I have all ready install the patch :(:_|) System Restore time...... :| |
stu140103 (137) | ||
| 1 2 | |||||