Re: Secunia Advisory: URL Spoofing

[Thomas Kristensen <tk () secunia com>]

Hi,

Thank you for the praising words :-)

You are absolutely right.

Obviously, we do not want to take credit from anyone; we greatly
appreciate the work done by everyone in the security community.

We will change certain parts of our advisories no later than next week
to make it perfectly clear, who discovers the vulnerabilities. The
change will be effective immediately on our website (www.secunia.com)
and in all future email advisories.

However, I would also like to stress that whenever an advisory is
accessible from the researchers' private pages, we link to their
original research. We therefore encourage everyone to place copies of
their advisories on websites so that we and others can link directly to
their respective research.

BTW. We are looking to hire two new members to our security team in
Copenhagen, Denmark by then end of May - interested ? Drop me a few
lines.

Kind regards,

Thomas Kristensen
Secunia

On Fri, 2003-12-12 at 16:30, http-equiv () excite com wrote:
> While Secunia is doing a fantastic job [truly] of compiling 
> advisories as soon as issues are discovered by others, they do need 
> to make it absolutely clear to the media that they appear to have to 
> talk to and in the information that they release just who found 
> these flaws.
>
> This particular url spoofing issue is being diluted across the major 
> wires as follows [there are several others as well]:
>
> 'The Web browser flaw, discovered Tuesday by Danish tech security 
> firm Secunia, could trigger a surge in an e-mail scam, called 
> phishing, security experts say.' 
>
> http://www.usatoday.com/tech/news/2003-12-11-microsoft2_x.htm
>
> 'Secunia says it has found an "input validation" error in Internet 
> Explorer. By exploiting this vulnerability, known as a URL-spoofing 
> vulnerability, attackers can display any URL name they wish in the 
> address and status bars of IE.'
>
> http://www.internetwk.com/breakingNews/showArticle.jhtml?
> articleID=16700306
>
> 'Secunia, a company that provides security services worldwide, 
> claims to have found a vulnerability in Internet Explorer 6 that 
> would allow domain names to be spoofed. The result would make it 
> appear that a user were connecting to one domain when, in reality, 
> he or she was communicating with a completely different domain. If 
> done properly, an attacker could fool a user into inputting 
> sensitive or private information.'
>
> http://www.geek.com/news/geeknews/2003Dec/gee20031211023028.htm
>
> There is a tiny credit notation at the end of each of the so-called 
> Secunia 'advisories' on secunia.com but that is proving to be 
> insufficient.
>
> Initial reporting was accurate in crediting: Zap The Dingbat, who 
> found this. Let's not have the excitement of the moment get in the 
> way of the facts.:
>
> http://www.zapthedingbat.com/security/ex01/vun1.htm
>
>
> -- 
> http://www.malware.com
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
Kind regards,

Thomas Kristensen
CTO

Secunia
Toldbodgade 37B
1253 Copenhagen K
Denmark

Tlf.: +45 7020 5144
Fax:  +45 7020 5145

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html