A new MS Internet Explorer vulnerability is discovered.
Most digerati already know about the spammer and lamer trick to publish URLs that look like legitimate hostnames to fool people in to trusting a malicious site. This trick is frequently used by spammers to steal people's PayPal accounts, by tricking them in to "resetting" their password at a site owned by the spammer but disguised as PayPal.com.
Today's new IE vulnerability is significantly worse. By including an 0x01 character after the @ symbol in the fake URL, IE can be tricked in to not displaying the rest of the URL at all. Don't expect a patch right way, the guy who found the hole released it to BugTraq on the same day
he notified Microsoft. (via Simon Willison)
posted by dejah420
on Dec 9, 2003 -
While MS-bashing is often too easy, this statement about recent security holes
seemed especially astounding: "Outlook Express ships with every Windows system, or rather as part of IE, so it's on every system. But unless it is configured to receive mail, you are not at risk," said Scott Culp, manager for Microsoft security response. Interesting. Unless it is configured to receive mail
, like, you know, an email program.
posted by judith
on Oct 11, 2002 -
Using Internet Explorer, Outlook, or Outlook Express on a PC? There's a new hack in town
, ready to exploit cross site scripts like nobody's business. Do yourself a favor and disarm ActiveX on your settings.
posted by mathowie
on Jul 12, 2002 -