DANGEROUS new internet security hole

Gabriele Neukam

On that special day, Sugien, ([email protected])
said...
The bad guys have now found a new way to make you think you are at a
different web page than what you really are.

I've already read about the special-character-in-URL-hides-*real*-URL-
after-the-(at) on Dec. 9th, in the Newsticker of heise. So you're a bit
late, soog.


Gabriele Neukam

(e-mail address removed)
 
Sugien

T.R. said:
Thanks for posting this Sugien. I was totally unaware of this. I
find this most disturbing and wonder how long it will take MS to post
a critical update to fix this security hole? MS IS aware of this
aren't they????
As old as it is I would hope so, however it is sort of a minor tweak of an
old hole. There is still lots of stuff that M$ doesn't even consider a
hole/problem; because when they are reported to M$ they come back with "An
abuse of a functionality and not a security hole"
Just like my old NewsBug hole which I reported to them quite a few
years ago and which will open OE when you are sent an email or from a web
page and then multiple bogus news groups are created in your OE and it keeps
doing so until your OE crashes. If you have never seen my NewsBug in action
let me know and I will send you a link. I will have to send it via email;
because the last time I posted the link my ISP made me take the page down;
because of skiddies sending people there without first warning them what
was going to happen.
 
Sugien

Gabriele Neukam said:
On that special day, Sugien, ([email protected])
said...


I've already read about the special-character-in-URL-hides-*real*-URL-
after-the-(at) on Dec. 9th, in the Newsticker of heise. So you're a bit
late, soog.
Only a bit late to those that have already seen it somewhere else. You
should remember however that quite a few that come here are not as aggressive
as you and myself and others when scouring the web for holes;o)
 
T.R.

I've already read about the special-character-in-URL-hides-*real*-URL-
after-the-(at) on Dec. 9th, in the Newsticker of heise. So you're a bit
late, soog.

With all due respect, it appears from the replies that a lot of
people are appreciative that he was thoughtful enough to take the time
to post his "Late" findings in a message here. I applaud his efforts,
even though a bit late, to make sure EVERYONE is aware of this.

This NG is not about who comes across what information first or who is
late with what information but this NG is about sharing information
no matter who is first or who is late or whatever. I think this
specific information should be reposted over and over and over until
MS decides to supply a fix for it so we can make sure everyone knows
about it. Isn't that the real idea behind NG's such as this instead
of who is first or who is late with said critical information?

Regards,
ô¿ô
~


Communists: Liberals who know what they're doing!
 
Laura Fredericks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've already read about the
special-character-in-URL-hides-*real*-URL-
after-the-(at) on Dec. 9th, in the Newsticker of
heise. So you're a bit late, soog.

Absolutely, Gabriele. ;-) The story's all over the
place... But you know Sooooooooooge -- trying to
impress his script kiddy friends. ;-) Anyone with
half-a-brain already knew about this exploit, because
they read computer security sites on a regular basis.

There was no reason for him to create demo links on
his site, 'cause these demos *already exist*. He's
just trying to make himself into some be-all, know-all
god, ya know? <snicker> Like it was *him* that
discovered this exploit! ROFLMAO! Note how he doesn't
cite even one source in his post! ;-)

All Sooooooooge had to do was make a post saying, "In
case you missed it..." and provide a URL to one of the
MANY credible source articles -- so as not to insult
the intelligence of the *rest* of us. ;-)

But what do you expect from a known coderipper and
plagiarist? ;-)

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
Comment: http://www.queenofcyberspace.com/laura_fredericks.asc

iQA/AwUBP9uOW6RseRzHUwOaEQJ3OgCff2WxdWGEyd2DZwvEewfImNIm5xMAoPaE
St1ft3XpAnoWVSxgtqX2rtLw
=pEX+
-----END PGP SIGNATURE-----

--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A

http://www.queenofcyberspace.com/usenet/

Remove CLOTHES to reply.
 
Mal

Laura said:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Absolutely, Gabriele. ;-) The story's all over the
place... But you know Sooooooooooge -- trying to
impress his script kiddy friends. ;-) Anyone with
half-a-brain already knew about this exploit, because
they read computer security sites on a regular basis.

There was no reason for him to create demo links on
his site, 'cause these demos *already exist*. He's
just trying to make himself into some be-all, know-all
god, ya know? <snicker> Like it was *him* that
discovered this exploit! ROFLMAO! Note how he doesn't
cite even one source in his post! ;-)

Hmmm. Yep, would be nice if the appropriate finder of this issue is
cited.

Just checked out the first link on Sug's site
(http://dino-soft.org/security/vun1.html)

<title>Internet Explorer Vulnerability</title>
<meta NAME="KEYWORDS" CONTENT="zapthedingbat; window; location; link;
href; url; vulnerability; exploit; proof of consept; bug; news;
security;" />

(continues)

Now let's look at the original POC page:
http://zapthedingbat.com/security/ex01/vun1.htm

<title>Internet Explorer Vulnerability</title>
<meta NAME="KEYWORDS" CONTENT="zapthedingbat; window; location; link;
href; url; vulnerability; exploit; proof of consept; bug; news;
security;" />

(continues)...


So this page has been directly "borrowed" from Zapthedingbat's POC page
and even contains the exact links back to ZaptheDingbat's page and the
spelling issues? Hmmm. More interesting. (*cough* -- everyone knows what
often goes here when talking about Sugien)

At least the 2nd page has been given some original thought... even
without its reference to the proper finder.
 
Mal

John said:
****************** REPLY SEPARATER *******************
Doesn't work at all in IE6 if you change Active Scripting to <Prompt> or
<Disable> to prevent porn loops. Mozilla Firebird displays:

<snip>

Are you sure?

The POC (Proof of concept) page doesn't work because it has Javascript
on it and that fails when you turn off Active Scripting. The issue still
remains, and would work if a normal URL link is made.
 
Guillermito

Mal said:
Just checked out the first link on Sug's site
(http://dino-soft.org/security/vun1.html)

<title>Internet Explorer Vulnerability</title>
<meta NAME="KEYWORDS" CONTENT="zapthedingbat; window; location; link;
href; url; vulnerability; exploit; proof of consept; bug; news;
security;" />
Now let's look at the original POC page:
http://zapthedingbat.com/security/ex01/vun1.htm

<title>Internet Explorer Vulnerability</title>
<meta NAME="KEYWORDS" CONTENT="zapthedingbat; window; location; link;
href; url; vulnerability; exploit; proof of consept; bug; news;
security;" />

Haha. The good thing in alt.comp.virus is that some things never
change :)

We can add this to the (already long) list:

http://groups.google.com/groups?selm=d4bjru8jdrq06hm80p6v0o2ig3l3ce36ks@news.asynchrone.net
 
D McAuliffe

John Coutts said:
****************** REPLY SEPARATER *******************
Doesn't work at all in IE6 if you change Active Scripting to <Prompt> or
<Disable> to prevent porn loops. Mozilla Firebird displays:

http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm
J.A. Coutts

My IE6/patched has all active scripting disabled and activeX disabled or
prompt with Java on high safety. Examples 4 and 5 worked with no indication
of trouble.
--
~~~~~~~~~~~~~~~~~
Dave McAuliffe
Central Mass. USA
To Reply -
Replace: mailinator.com
With: email.com
~~~~~~~~~~~~~~~~~
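
Added example, not part of the thread or any poster's code: a JavaScript check that parses a link with the standard URL parser, reports the host it really goes to, and flags anything placed before the "@". The function names and the two .example links are made up for illustration; the first sample is the URL quoted in the post above.

```javascript
// Added example (not from the thread). Sample links are constructed,
// except the first, which is the URL quoted in the post above.
const SAMPLE_LINKS = [
  "http://www.microsoft.com@zapthedingbat.com/security/ex01/vun2.htm",
  "http://trusted.example%01@other.example/login", // constructed
  "https://www.example.org/path?to=a@b",           // constructed, benign
];

// Authority = text between "//" and the first "/", "\", "?" or "#".
function rawAuthority(link) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/\\?#]*)/i.exec(link);
  return m ? m[1] : "";
}

function inspectLink(link) {
  let parsed;
  try {
    parsed = new URL(link);
  } catch (err) {
    return { link, host: null, findings: ["unparseable"] };
  }
  const findings = [];
  const authority = rawAuthority(link);
  const at = authority.lastIndexOf("@"); // the last "@" ends the userinfo
  if (at !== -1) {
    const userinfo = authority.slice(0, at);
    findings.push("userinfo-present");
    // Name before any ":" with percent-escapes stripped, as a reader sees it.
    const shown = userinfo.split(":")[0].replace(/%[0-9a-f]{2}/gi, "").toLowerCase();
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(shown) && shown !== parsed.hostname) {
      findings.push("userinfo-looks-like-host");
    }
    // Raw or percent-encoded control characters have no business in a link.
    if (/[\x00-\x1f\x7f]|%(?:[01][0-9a-f]|7f)/i.test(userinfo)) {
      findings.push("control-char-in-userinfo");
    }
  }
  return { link, host: parsed.hostname, findings };
}

// Keep only the links that need a second look.
function auditLinks(links) {
  return links.map(inspectLink).filter((r) => r.findings.length > 0);
}

for (const r of auditLinks(SAMPLE_LINKS)) {
  console.log(`${r.host}  <-  ${r.link}  [${r.findings.join(", ")}]`);
}
```

The "@" inside the query string of the third sample is not flagged, because only the authority part of the link is examined.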
 
Sugien

Mal said:
Hmmm. Yep, would be nice if the appropriate finder of this issue is
cited.

Just checked out the first link on Sug's site
(http://dino-soft.org/security/vun1.html)

<title>Internet Explorer Vulnerability</title>
<meta NAME="KEYWORDS" CONTENT="zapthedingbat; window; location; link;
href; url; vulnerability; exploit; proof of consept; bug; news;
security;" />

(continues)

Now let's look at the original POC page:
http://zapthedingbat.com/security/ex01/vun1.htm

<title>Internet Explorer Vulnerability</title>
<meta NAME="KEYWORDS" CONTENT="zapthedingbat; window; location; link;
href; url; vulnerability; exploit; proof of consept; bug; news;
security;" />

(continues)...


So this page has been directly "borrowed" from Zapthedingbat's POC page
and even contains the exact links back to ZaptheDingbat's page and the
spelling issues? Hmmm. More interesting. (*cough* -- everyone knows what
often goes here when talking about Sugien)

At least the 2nd page has been given some original thought... even
without its reference to the proper finder.

If I had been trying to steal anyone's thunder I would *not* have left the
stuff in from the original POC. However knowing that those in the know would
check the source I chose to leave it in and figured if they were interested
enough in it that they would look at the source. I am just not one much for
sending out *shouts or greets* to someone for putting up a POC which I think
others need to be made aware of and then I likewise make a copy of their
page and then so as to have it up in more than one place put it on my
server.
If you would give it some thought, in order for it to work from my ISP
correctly some changes needed to be made; but *nowhere* did I or would I
make any type of statement about my having either discovered or created
something I had not, regardless of what others may try and say differently
because of what they consider to be past whatevers.
 
Sugien

Sugien said:
If I had been trying to steal anyone's thunder I would *not* have left the
stuff in from the original POC. However knowing that those in the know would
check the source I chose to leave it in and figured if they were interested
enough in it that they would look at the source. I am just not one much for
sending out *shouts or greets* to someone for putting up a POC which I think
others need to be made aware of and then I likewise make a copy of their
page and then so as to have it up in more than one place put it on my
server.
If you would give it some thought, in order for it to work from my ISP
correctly some changes needed to be made; but *nowhere* did I or would I
make any type of statement about my having either discovered or created
something I had not, regardless of what others may try and say differently
because of what they consider to be past whatevers.
 
Heather

NewGyi said:
by the way
I figured I would post a LONG post; because, well just to see who would
say what, lol who knows maybe I will be accused of being the <cough> master
programmer/coderipper extraordinaire.

I sincerely doubt it!! Perhaps if you could learn how to set your clock
properly, then you might be considered half-way intelligent. Or perhaps
this is just Soooooooge, pretending to be you.......and was in such a
rush, he/you forgot to set the Time Zone.
 
Laura Fredericks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Get off the guy's back.

Does his ass taste good?
...I read the local paper in which Sugien admitted
the mistake and printed a correction.

So you're one of his many Chillicothe cousins he sent
the animated gif to of his (purported) 18" schlong...
That explains a lot.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
Comment: http://www.queenofcyberspace.com/laura_fredericks.asc

iQA/AwUBP9vueaRseRzHUwOaEQIiDgCg2umV8eo/fVfbB0HfHNNl3uFVhQ8AoOyp
KNP9xXekF2UYdcLkUAdDESds
=HaCk
-----END PGP SIGNATURE-----
 
Laura Fredericks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

...afaik Sugien has never made dollar one with
anything he has ever created as he has said "Lego
Style"...

Why am I not surprised? Lol.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
Comment: http://www.queenofcyberspace.com/laura_fredericks.asc

iQA/AwUBP9vrLaRseRzHUwOaEQIUdwCg5SF/elDTsv5qKF+d+fjS3k5SieAAnR1L
TJSZMWEI0fgvFbUOTP2/Or/K
=hVSO
-----END PGP SIGNATURE-----

--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A

http://www.queenofcyberspace.com/usenet/

Remove CLOTHES to reply.
 
Laura Fredericks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just checked out the first link on Sug's site
(http://dino-soft.org/security/vun1.html)

<title>Internet Explorer Vulnerability</title>
<meta NAME="KEYWORDS" CONTENT="zapthedingbat; window;
location; link; href; url; vulnerability; exploit;
proof of consept; bug; news; security;"

Now let's look at the original POC page:
http://zapthedingbat.com/security/ex01/vun1.htm

<title>Internet Explorer Vulnerability</title>
<meta NAME="KEYWORDS" CONTENT="zapthedingbat; window;
location; link; href; url; vulnerability; exploit;
proof of consept; bug; news; security;"

Ha! So obvious a rip! He even picked up the author's
typo, i.e. "consept".

What a dimbulb. ;-)

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
Comment: http://www.queenofcyberspace.com/laura_fredericks.asc

iQA/AwUBP9vsNKRseRzHUwOaEQLfxACgpTrnIOuow9wU9PKZpQ0Alylc/aQAn2GO
0sYUd28/PX+OoBsVqJfjHmmM
=k5E5
-----END PGP SIGNATURE-----

--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A

http://www.queenofcyberspace.com/usenet/

Remove CLOTHES to reply.
 
Laura Fredericks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have lurked here and other UseNet groups for some
time and personally I wish there were quite a few
more like him.

(Rod! ROD! Get back here, NOW! We need you *post
haste*!)

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
Comment: http://www.queenofcyberspace.com/laura_fredericks.asc

iQA/AwUBP9vs7qRseRzHUwOaEQKoGwCfV2GfGki8suC9YXdYZ5JkUNnV9YgAn0En
uabbAhKu0niIRiGzuYlh26ms
=cVK3
-----END PGP SIGNATURE-----

--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A

http://www.queenofcyberspace.com/usenet/

Remove CLOTHES to reply.
 
Laura Fredericks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

...I am just not one much for sending out *shouts or
greets* to someone for putting up a POC which I think
others need to be made aware of...

"Shouts or greets"??? What are you stupid, or
sumthin'? (Oh wait...)

The media all credited him and posted the url to his
poc on his site. Why couldn't YOU?

Coderipper.

Plagiarist.

Dimbulb.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
Comment: http://www.queenofcyberspace.com/laura_fredericks.asc

iQA/AwUBP9vt8qRseRzHUwOaEQIWfwCgoRf7q9usR727HPUqlJ4iv1FPcNcAn3YV
hHBTtj11i4SNjK7J1VYrcxY0
=gXKP
-----END PGP SIGNATURE-----

--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A

http://www.queenofcyberspace.com/usenet/

Remove CLOTHES to reply.
 
Bart Bailey

In Message-ID:<[email protected]> posted on Sat, 13 Dec
by the way
I figured I would post a LONG post; because, well just to see who would
say what

Actually, your spelling, syntax, and ideation, all bear a striking
similarity to that of our friend Paul. <g>
You will probably make an interesting addition to Guillermito's
collection of dissociative personality types who manifest a vicarious
persona via usenet.
 
