Fog Creek Software
g
Discussion Board

Worst IE Bug I have seen.

Check http://www.exclipy.com/upgrade/

Do you see the trick there? Can you imagine how crackers can use it to create havocs??

From http://www.kb.cert.org/vuls/id/652278 , it says that problem status was 'updated on' 19th Dec. and today is 19th Jan. One month and there is no patch from Microsoft! I can't believe! I wonder what's going on at Redmond.

JD
http://jdk.phpkid.org

JD
Monday, January 19, 2004

Last seen from Scoble, MS's PR-blogger-laureate at http://scoble.weblogs.com, they're "working on it"... yikes.

Greg Hurlman
Monday, January 19, 2004

This is the phishing that has been roported previously. The code given in "The Register" didn't work but this does.

There was actually an Open Source "patch" for this issued, that was hastily withdrawn when it was pointed out that the patch had more bugs (including buffer overruns) than the original problem.

Stephen Jones
Monday, January 19, 2004

Yeah, I heard about that 'open source' patch.

But I didn't know that they were trying to fix this problem. and believe me, this sure is a BIG PROBLEM.

JD

JD
Monday, January 19, 2004

Doesn't seem that serious to me. Plenty of people don't even have the address bar visible. People are much more likely to look at the title bar, which carries the tiltle given in the HTML, than the address bar, and a phisher simply fills the address bar with lots of meaningless symbols so it looks like what most people see.

Stephen Jones
Monday, January 19, 2004

I actually saw spam today that exploited this bug to phish for credit cards.

Joel Spolsky
Monday, January 19, 2004

The exploit has led to more of this spam, but the scams have been happening for a long time.

Now, if all the banks had insisted on Netscape instead of insisiting on IE :)

Stephen Jones
Monday, January 19, 2004

Its worrying that it is taking so long but let me ask you.

Do you want something done right
Or do you want it done in a hurry?

Robert Moir
Tuesday, January 20, 2004

I actually find it worrying that the IE patch/test/release cycle appears to be this long.

Just me (Sir to you)
Tuesday, January 20, 2004

"Do you want something done right
Or do you want it done in a hurry?"

Since you ask, I would rather have IE crash once an hour than have this vulnerability.

Kyralessa
Tuesday, January 20, 2004

"Do you want something done right
Or do you want it done in a hurry? "

How about both, that would work for me. "Fast, good, cheap - pick two." You see, fast and good are possible if you want it, and Microsoft isn't exactly running out of cash any day soon.


Tuesday, January 20, 2004

It's scanning for a NULL terminator in the buffer that holds the URL.  There shouldn't be any NULL terminators there until the pathname component of the URL - and then they should be escaped.  It's a simple fix, and there's no excuse for this delay.

Duffman
Wednesday, January 21, 2004

*  Recent Topics

*  Fog Creek Home