Full Disclosure mailing list archives
Re: Secunia Advisory: URL Spoofing
From: Thomas Kristensen <tk () secunia com>
Date: 12 Dec 2003 18:55:38 +0100
Hi,

Thank you for the praising words :-)

You are absolutely right. Obviously, we do not want to take credit from anyone; we greatly appreciate the work done by everyone in the security community.

We will change certain parts of our advisories no later than next week to make it perfectly clear who discovers the vulnerabilities. The change will be effective immediately on our website (www.secunia.com) and in all future email advisories.

However, I would also like to stress that whenever an advisory is accessible from the researchers' private pages, we link to their original research. We therefore encourage everyone to place copies of their advisories on websites so that we and others can link directly to their respective research.

BTW. We are looking to hire two new members to our security team in Copenhagen, Denmark by the end of May - interested? Drop me a few lines.

Kind regards,
Thomas Kristensen
Secunia

On Fri, 2003-12-12 at 16:30, http-equiv () excite com wrote:
While Secunia is doing a fantastic job [truly] of compiling advisories as soon as issues are discovered by others, they do need to make it absolutely clear to the media that they appear to have to talk to and in the information that they release just who found these flaws.

This particular url spoofing issue is being diluted across the major wires as follows [there are several others as well]:

'The Web browser flaw, discovered Tuesday by Danish tech security firm Secunia, could trigger a surge in an e-mail scam, called phishing, security experts say.'

http://www.usatoday.com/tech/news/2003-12-11-microsoft2_x.htm

'Secunia says it has found an "input validation" error in Internet Explorer. By exploiting this vulnerability, known as a URL-spoofing vulnerability, attackers can display any URL name they wish in the address and status bars of IE.'

http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=16700306

'Secunia, a company that provides security services worldwide, claims to have found a vulnerability in Internet Explorer 6 that would allow domain names to be spoofed. The result would make it appear that a user were connecting to one domain when, in reality, he or she was communicating with a completely different domain. If done properly, an attacker could fool a user into inputting sensitive or private information.'

http://www.geek.com/news/geeknews/2003Dec/gee20031211023028.htm

There is a tiny credit notation at the end of each of the so-called Secunia 'advisories' on secunia.com but that is proving to be insufficient.

Initial reporting was accurate in crediting: Zap The Dingbat, who found this. Let's not have the excitement of the moment get in the way of the facts.:

http://www.zapthedingbat.com/security/ex01/vun1.htm

--
http://www.malware.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Kind regards,

Thomas Kristensen
CTO

Secunia
Toldbodgade 37B
1253 Copenhagen K
Denmark

Tlf.: +45 7020 5144
Fax: +45 7020 5145