Secunia Advisory: URL Spoofing
While Secunia is doing a fantastic job [truly] of compiling
advisories as soon as issues are discovered by others, they do need
to make it absolutely clear to the media that they appear to have to
talk to and in the information that they release just who found
these flaws.
This particular url spoofing issue is being diluted across the major
wires as follows [there are several others as well]:
'The Web browser flaw, discovered Tuesday by Danish tech security
firm Secunia, could trigger a surge in an e-mail scam, called
phishing, security experts say.'
http://www.usatoday.com/tech/news/2003-12-11-microsoft2_x.htm
'Secunia says it has found an "input validation" error in Internet
Explorer. By exploiting this vulnerability, known as a URL-spoofing
vulnerability, attackers can display any URL name they wish in the
address and status bars of IE.'
http://www.internetwk.com/breakingNews/showArticle.jhtml?
articleID=16700306
'Secunia, a company that provides security services worldwide,
claims to have found a vulnerability in Internet Explorer 6 that
would allow domain names to be spoofed. The result would make it
appear that a user were connecting to one domain when, in reality,
he or she was communicating with a completely different domain. If
done properly, an attacker could fool a user into inputting
sensitive or private information.'
http://www.geek.com/news/geeknews/2003Dec/gee20031211023028.htm
There is a tiny credit notation at the end of each of the so-called
Secunia 'advisories' on secunia.com but that is proving to be
insufficient.
Initial reporting was accurate in crediting: Zap The Dingbat, who
found this. Let's not have the excitement of the moment get in the
way of the facts.:
http://www.zapthedingbat.com/security/ex01/vun1.htm
--
http://www.malware.com