Re: Microsoft: Change to IE will block some Web URLs
From: George Hester (hesterloli_at_hotmail.com)
Date: 02/03/04
- Next message: George Hester: "Re: kb832894"
- Previous message: ron: "spyware"
- In reply to: Bill Sanderson: "Re: Microsoft: Change to IE will block some Web URLs"
- Next in thread: Bill Sanderson: "Re: Microsoft: Change to IE will block some Web URLs"
- Reply: Bill Sanderson: "Re: Microsoft: Change to IE will block some Web URLs"
Date: Tue, 3 Feb 2004 13:02:31 -0500
Oooh interesting. Microsoft released a "hotfix" for this yesterday.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp
Anyway here is how it is done (was done):
<form>
<!-- unescape() turns %01 into a raw 0x01 byte; the text before it is the
     userinfo part of the URL, the real host is what follows the "@" -->
<button onclick="location.href=unescape('http://www.microsoft.com%01@www.adobe.com/');">Test Exploit</button>
</form>
--
George Hester
__________________________________

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message news:O4#KNBn6DHA.1968@TK2MSFTNGP11.phx.gbl...
> I've got an email using this exploit which could have looked quite
> authentic--the link apparently read www.microsoft.com/download, but in fact,
> took you to an IP address and a user directory under that--site now shut
> down.
>
> That definitely worked in Outlook Express under XP.
>
> "George Hester" <hesterloli@hotmail.com> wrote in message
> news:eCVd4Fj6DHA.3008@TK2MSFTNGP09.phx.gbl...
> Yes I know some AV is catching this. I don't think the @ hides the address
> in Windows XP either. Only in IE 6 on Windows 2003. At least that is what
> I understood they said.
>
> The link I gave you is nothing. It just shows the exploit. The guy who
> found it (this is he) tried to report it to Microsoft and they snubbed him.
> At least he felt snubbed. In fact Microsoft was pooh-poohing this until the
> press got a hold of it.
>
> --
> George Hester
> __________________________________
>
> "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
> news:uDWF#7S6DHA.1040@TK2MSFTNGP10.phx.gbl...
> > In my own recent experience with the email in question (no, I didn't click
> > on the link, merely stared hard at it and thought about the millions of
> > other less-savvy users out there)--it does obscure the full address in
> > Windows XP.
> >
> > I don't know what the proportions of use are of Windows 2000 versus
> > Windows XP--but although the Windows Server 2003 users may not be a very
> > large contingent, the XP users assuredly are.
> >
> > Well--I did learn in attempting to (re)take this test that my current
> > antivirus program now detects and blocks this exploit--good to know!
> >
> > (send me email (sans plugh.org) if you want to see the mail that I got
> > which attempts to use this vulnerability effectively. I believe that it is
> > now safe, since the actual web site to which it points is shut down, but
> > can't guarantee that.)
> >
> > "George Hester" <hesterloli@hotmail.com> wrote in message
> > news:uDYgELS6DHA.2572@TK2MSFTNGP09.phx.gbl...
> > Bill according to Microsoft the @ does hide the full address in Windows
> > 2003. It does not do that in Windows 2000. Since the vast majority of
> > users are NOT at Windows 2003 this is a red herring.
> >
> > Here is the person that found it:
> >
> > http://zapthedingbat.com/
> > Try his IE Exploit test.
> >
> > --
> > George Hester
> > __________________________________
> >
> > "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
> > news:OX7crCD6DHA.1020@tk2msftngp13.phx.gbl...
> > > I've got a lovely email I received this morning from "microsoft" that
> > > asks me to download code from www.microsoft.com/download that'll prove
> > > you wrong in a second.
> > >
> > > "George Hester" <hesterloli@hotmail.com> wrote in message
> > > news:e1IPB2$5DHA.2496@TK2MSFTNGP09.phx.gbl...
> > > The @ symbol does NOT hide the address. It is the null character
> > > char(0) or
> > > �
> > >
> > > --
> > > George Hester
> > > __________________________________
> > >
> > > "Tedd Riggs" <T_Riggs@MSN,C0M> wrote in message
> > > news:urMIHiy5DHA.2064@TK2MSFTNGP11.phx.gbl...
> > > > Has anyone else seen this article and know about when this will come
> > > > out? It sounds like a badly needed fix that sure should slow down the
> > > > "phishing" that is going on. I assume this will be posted on the
> > > > Windows Update Page and/or the Security Page?
> > > >
> > > > I borrowed a short piece of the Computerworld Article below:
> > > > Microsoft: Change to IE will block some Web URLs.
> > > > Microsoft will soon release a software update for IE that will end
> > > > that browser's ability to accept Web URLs that hide the address of the
> > > > Web page being displayed using the "@" symbol
> > > >
> > > > http://www.computerworld.com/developmenttopics/websitemgmt/story/0,10801,89544,00.html?nas=PM-89544
> > > >
> > > > Thanks !
> > > > --
> > > > Tedd Riggs
> > > > PDA Square Content Developer
> > > > www.pdasquare.com
> > > >
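The thread argues about two separate things: the "@" (userinfo) syntax that sends the request to the host after the "@", and the control character (%00 or %01) that made the vulnerable IE 6 address bar stop rendering before the "@". The following is an added example, not code from the newsgroup post, written for Node.js with the WHATWG `URL` global. It models what the truncating address bar showed next to where the request really went, flags the spoof pattern, and applies the policy the Computerworld excerpt describes for the hotfix: http/https URLs that carry userinfo at all are refused. The sample URLs other than George's posted one are constructed for the example.

```javascript
// Added example (not from the original post). Assumes Node.js >= 10 for the
// global WHATWG URL parser.

// C0 control characters; the pre-hotfix address bar stopped drawing at the
// first one, which is what hid everything after it.
const CONTROL_CHAR = /[\x00-\x1f]/;

// Same effect as the unescape() call in the posted button handler, but does
// not throw on a stray "%" that is not a valid escape.
function percentDecode(raw) {
  try { return decodeURIComponent(raw); } catch (e) { return raw; }
}

// The authority text a display that truncates at the first control character
// would show, i.e. what the user believed the destination to be.
function displayedAuthority(raw) {
  const decoded = percentDecode(raw);
  const m = decoded.match(CONTROL_CHAR);
  const visible = m ? decoded.slice(0, m.index) : decoded;
  const afterScheme = visible.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  return afterScheme.split(/[\/?#]/)[0];
}

// Userinfo that looks like a host name is the phishing tell: nobody needs
// "www.microsoft.com" as an HTTP user name.
function looksLikeHostname(s) {
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(s);
}

function analyse(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return { raw, parses: false }; }

  const hasUserinfo = u.username !== '' || u.password !== '';
  const userText = percentDecode(u.username + (u.password ? ':' + u.password : ''));
  const truncated = hasUserinfo && CONTROL_CHAR.test(userText);
  const userVisible = userText.replace(/[\x00-\x1f]/g, '');
  const isHttp = u.protocol === 'http:' || u.protocol === 'https:';

  return {
    raw,
    parses: true,
    shown: displayedAuthority(raw),   // what the vulnerable address bar drew
    actual: u.hostname,               // host the request is really sent to
    hasUserinfo,
    truncated,                        // control char hid the "@" and the real host
    spoofed: hasUserinfo && (truncated || looksLikeHostname(userVisible)),
    // Post-hotfix policy as summarised in the thread: no userinfo in http(s) URLs.
    allowedAfterHotfix: !(isHttp && hasUserinfo),
  };
}

// Constructed samples: the posted exploit URL, George's null-byte variant,
// the bare "@" form Bill and George disagree about, and a legitimate link.
const SAMPLES = [
  'http://www.microsoft.com%01@www.adobe.com/',
  'http://www.microsoft.com%00@www.adobe.com/',
  'http://www.microsoft.com@www.adobe.com/',
  'http://www.microsoft.com/download',
];

function report(urls) {
  return urls.map(analyse);
}

for (const r of report(SAMPLES)) {
  console.log(`${r.raw}\n  shown=${r.shown}  actual=${r.actual}` +
              `  spoofed=${r.spoofed}  truncated=${r.truncated}` +
              `  allowedAfterHotfix=${r.allowedAfterHotfix}`);
}
```

The bare "@" form is still flagged as a spoof attempt, because the userinfo is a host name, but `truncated` is false for it: a careful reader could see "www.adobe.com" in the address bar, which is the point George makes about the null character being what actually hides the address. The hotfix policy does not need to tell the two apart; it refuses both.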