  1. #1
    stu140103
    Guest

    News: Open source firm releases patch for IE spoofing flaw

    Open source firm releases patch for IE spoofing flaw

    An open source and freeware software development web site has released a patch to fix the URL spoofing vulnerability in Internet Explorer, which can be exploited by scammers who try to trick people into revealing details of online banking accounts or other private information.

    Openwares.org, a Vanuatuan company, with branches in Israel, the US and France, released the patch and the source code for the same a couple of days back.

    The company has also set up two pages where users can test to see if they are vulnerable to the exploit, one a fake Microsoft Update example and the other an example of a fake PayPal site.

    In its advisory, issued along with the patch, Openwares.org said: "Successful exploitation (of this flaw) allows a malicious person to display an arbitrary FQDN (Fully Qualified Domain Name) in the address and status bars, which is different from the actual location of the page."

    It gave the vulnerability a rating of 5 on a five-point scale.

    While Microsoft has released an article providing details about the vulnerability, the company is yet to provide a patch.

    The flaw was disclosed on December 9 by graphic designer Sam Greenhalgh.

  2. #2
    bmason
    Guest

    Re: News: Open source firm releases patch for IE spoofing flaw

    From The Age article: no, Firebird is not vulnerable; it correctly displays "http://windowsupdate.microsoft.com%01@security.openwares.org/Update.htm" on the test pages.

    I imagine it will not take long for spammers, etc. to start exploiting this bug. It is trivial to use and MS won't be releasing a patch until ~15 Jan at the earliest so it is part of their monthly patch set.

  3. #3
    Graham L
    Guest

    Re: News: Open source firm releases patch for IE spoofing flaw

    And after all, MS had declared December a patch-free month.

  4. #4
    Susan B
    Guest

    Re: News: Open source firm releases patch for IE spoofing flaw

    Interesting. Firebird displayed the entire URL for me so it is strange that they are claiming that it can be spoofed in Firebird.

    > And after all, MS had declared December a patch-free month.

    They said they are giving us a holiday from patches.

  5. #5
    ilikelinux
    Guest

    Re: News: Open source firm releases patch for IE spoofing flaw

    > And after all, MS had declared December a patch-free month.

    What??? How do they expect to keep their OSes running?

  6. #6
    agent
    Guest

    Re: News: Open source firm releases patch for IE spoofing flaw

    Windows 95 runs fine, and it hasn't had patches released for some time now...

  7. #7
    ugh1
    Guest

    Re: News: Open source firm releases patch for IE spoofing flaw

    Yet another reason to ditch IE and move to a safer and faster browser.

    Gee, when will people get the message!

    <grin>

  8. #8
    Graham L
    Guest

    Re: News: Open source firm releases patch for IE spoofing flaw

    The classic patch for W95 was the one which fixed the "48.2 day" bug. If it ran that long without crashing, it was guaranteed to crash then.

  9. #9
    bmason
    Guest

    Re: News: Open source firm releases patch for IE spoofing flaw

    Any IE users thinking about installing the patch might want to read this. Sounds like it was poorly implemented, and may have included spyware.

    BTW, according to the link the problem is with both %01 and %00 (NULL). If it does work with NULL then the lack of security testing done on IE is shocking. Checking it handles the NULL character correctly would be one of the first things to check for a program written in C/C++ (C uses NULL to mark the end of strings).

  10. #10
    stu140103
    Guest

    Re: News: Open source firm releases patch for IE spoofing flaw

    > Any IE users thinking about installing the patch
    > might want to read
    > this. Sounds like it was poorly implemented,
    > and may have included spyware.

    Bugger!!!! (I have already installed the patch :_|) System Restore time......

    :|
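
An added example, not part of the thread or of the Openwares.org patch: a small Python check that a mail or proxy filter could apply to links like the one quoted in post #2. It reports the host that is actually contacted and flags userinfo that hides it, including the %01 and %00 cases mentioned in post #9. The function name, the flag strings and every sample URL except the first are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Rough "looks like a DNS name" test for the text in front of '@'.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)

USERINFO = "userinfo present before '@'"
CONTROL = "control character (such as %01 or %00) in userinfo"
DECOY = "userinfo looks like a hostname other than the real host"


def check_url(url):
    """Return (real_host, reasons); an empty reasons list means nothing flagged."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return parts.hostname, []
    # Everything before the last '@' in the authority is userinfo, not the host.
    userinfo = unquote(parts.netloc.rpartition("@")[0])
    reasons = [USERINFO]
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in userinfo):
        reasons.append(CONTROL)
    # Compare what a reader would see (user part, control characters dropped).
    shown = "".join(c for c in userinfo.split(":")[0] if c.isprintable())
    if HOSTLIKE.match(shown) and shown.lower() != parts.hostname:
        reasons.append(DECOY)
    return parts.hostname, reasons


# First URL is the test-page URL quoted in post #2; the rest are constructed.
SAMPLES = [
    "http://windowsupdate.microsoft.com%01@security.openwares.org/Update.htm",
    "http://www.example.com%00@host.invalid/login",
    "http://user:pw@intranet.example/",
    "http://www.example.com/search?q=a@b",
]

if __name__ == "__main__":
    for url in SAMPLES:
        host, reasons = check_url(url)
        print(f"{url}\n  real host: {host}\n  flags: {reasons or 'none'}")
```

Ordinary credentialed URLs such as the third sample get only the first flag, so a filter can treat the control-character and decoy-hostname flags as the high-confidence signals.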
