[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
- To: "Schmehl, Paul L" <pauls@utdallas.edu>
- Subject: RE: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability
- From: S G Masood <sgmasood@yahoo.com>
- Date: Wed, 10 Dec 2003 20:41:05 -0800 (PST)
--- "Schmehl, Paul L" <pauls@utdallas.edu> wrote:
> > -----Original Message-----
> > From: full-disclosure-admin@lists.netsys.com
> > [mailto:full-disclosure-admin@lists.netsys.com] On
> Behalf Of
> > S G Masood
> > Sent: Wednesday, December 10, 2003 12:01 PM
> > To: full-disclosure@lists.netsys.com
> > Subject: Re: [Full-Disclosure] Re: Internet
> Explorer URL
> > parsing vulnerability
> >
> > Hey, to be very honest, if this was 0day and the
> spoof was
> > well constructed, even you and me would probably
> fall for it. ;D
> >
> Really? I kind of doubt it, since I would never
> click on a link in an
> email message that had anything to do with financial
> matters. I doubt
> that you would either - 0day or not.
I was not talking about spoofs of banking or financial
sites alone. There is a whole range of subtle social
engineering goals that you could accomplish with such
a spoof. For instance, the headline "Gnu Members
Combine Resources to Buy Out Microsoft" would look
pretty on http://Microsoft.com... :) Subtlety is the
key here.
Infact, you dont necessarily have "to click on a link
in an email message". There are a whole lot of other
ways to feed the URL to the victim which are even more
covert.
--
Masood
__________________________________
Do you Yahoo!?
Free Pop-Up Blocker - Get it now
http://companion.yahoo.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html