Microsoft Internet Explorer 6 SP2 Vulnerabilities / FD vs. Security by Obscurity

From: K-OTik Security (staff_at_K-OTIK.COM)
Date: 11/20/04

    Date:         Fri, 19 Nov 2004 23:46:26 -0000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Let's play. On Wednesday 17 Nov, Secunia released the advisory "Microsoft Internet Explorer Two Vulnerabilities", related to a vulnerability discovered by cyber flash. This file download security warning bypass (unpatched) flaw could be exploited to download a malicious executable file masqueraded as an HTML document.

    Microsoft said: Secunia, you're bad, this vulnerability was not disclosed responsibly.
    Secunia said: No! No! We did not release the technical details of this flaw, and our policy is not to reveal vulnerability details until a fix has been provided, unless they are already in the wild. We did not discover this vulnerability, so we cannot censure it.
    Some people said: Who is cyberflash? Perhaps Secunia discovered this flaw, but masked it behind a third-party researcher.
    K-OTik says to some people: cyber flash is not a fictitious security researcher.
    K-OTik says to MS & Secunia: There is no security through obscurity... and full disclosure is our policy.

    ----------------------------------------------------------------
    Internet Explorer 6.0 SP2 File Download Security Warning Bypass
    ----------------------------------------------------------------

    Exploit -> http://www.k-otik.com/exploits/20041119.IESP2Unpatched.php
    Technical Details -> http://www.k-otik.com/exploits/20041119.IESP2disclosure.php

    All credits go to Cyber flash, a.k.a. Vengy.

    Regards
    K-OTik Security Research & Survey Team 24/7
    http://www.k-otik.com

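As an added defender's example (not part of the K-OTik post or the advisory it references): the flaw described above lets an executable reach the user under an HTML label, so a download gateway or endpoint scanner can compare the declared type against the bytes actually received. Sample inputs are constructed, and the function names are this example's own.

```python
import struct

# Constructed sample inputs (not from the advisory): a minimal PE-shaped blob
# and a plain HTML document, used to exercise the check below.
def _minimal_pe() -> bytes:
    # DOS header: 'MZ' magic, with e_lfanew at offset 0x3C pointing to the PE header.
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew = 0x40 (64 bytes in)
    pe = b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18   # 'PE\0\0' signature, Machine = i386
    return bytes(dos) + pe

SAMPLE_PE = _minimal_pe()
SAMPLE_HTML = b"<!DOCTYPE html><html><body>hello</body></html>"

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):          # truncated or bogus e_lfanew
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_download(declared_type: str, data: bytes) -> str:
    """Compare a declared MIME type (e.g. a Content-Type header) against the body.

    Returns 'pe-as-html' when an executable arrives under a text/html or text/plain
    label, 'executable' when label and bytes agree on a PE file, and 'ok' otherwise.
    """
    mime = declared_type.split(";")[0].strip().lower()
    is_pe = looks_like_pe(data)
    if is_pe and mime in ("text/html", "text/plain"):
        return "pe-as-html"
    if is_pe:
        return "executable"
    return "ok"
```

The check inspects only the DOS and PE signatures; a full scanner would also sniff other executable formats and apply the same label-versus-content rule to archives and scripts.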
    
