ZOverLord | Premium | join:2003-10-20 | Minneapolis, MN | 2 edits | reply to meowBB
Re: New IE Vulnerability Allows Address Bar Spoofing
said by meowBB: "It seems that today's (Tuesday) patches don't fix this vulnerability."
Wow, you are right, it still is not fixed!
For others, here is the link from the first post; the test link is under "Start the Test" on the page below:
»secunia.com/Internet_Explorer_Ad···ty_Test/
-- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com

hpguru | Curb Your Dogma | Premium | join:2002-04-12
I still get the same unreliable results - sometimes it works but most of the time it does not.

rawwhide | Premium | join:2000-09-03 | The Sticks | reply to ZOverLord
This is pretty serious and you would think Microsoft would fix this ASAP.
-- HUH!!! Sekurecom

hpguru | Curb Your Dogma | Premium | join:2002-04-12
said by rawwhide: "This is pretty serious and you would think Microsoft would fix this ASAP."
Given the fact it doesn't always work, Secunia should downgrade it to "Less Critical" or "Not Critical".
-- Get hpHOSTS! Member ASAP hpHOSTS Online Paranoia is no substitute for understanding.

rawwhide | Premium | join:2000-09-03 | The Sticks
said by hpguru:
    said by rawwhide: "This is pretty serious and you would think Microsoft would fix this ASAP."
    "Given the fact it doesn't always work Secunia should downgrade it to "Less Critical" or "Not Critical"."
All it takes is just once for someone to mistype an address and for the spoof to work that one time. It might be unlikely, but serious, nonetheless to think you could possibly lose thousands of dollars.
-- HUH!!! Sekurecom

hpguru | Curb Your Dogma | Premium | join:2002-04-12 | 1 edit
I would have to disagree since there are three user-configurable settings, any of which will cause the exploit to fail 100% of the time. Those are:
"Navigate sub-frames across different domains" = Disable
"Active Scripting" = Disable
Popup Blocker = High
Now don't get me wrong. I am not saying it isn't a vulnerability but that it is less than Moderately Critical.
For my own setting I have these set as Prompt, Enable and High respectively.
-- Get hpHOSTS! Member ASAP hpHOSTS Online Paranoia is no substitute for understanding.

SnowymIRC unix.ro UnderNet | Premium | join:2003-04-05 | Kailua, HI | kudos:5 | reply to rawwhide
said by rawwhide: "It might be unlikely, but serious, nonetheless to think you could possibly lose thousands of dollars."
Has anyone actually seen a spoof using this 'exploit'? A link would humble me.

2 edits | reply to ZOverLord
The patch has solved the vulnerability here anyway. XPSP2.
I have done the test several times both before and after the patch. None of my settings are changed.
I did not pass before patch. Now I pass. (Of course I have to turn on active scripting to do the test at all.)
EDIT: Navigate subframes... has been off all the time.
-- The information is provided AS IS without responsibility for anything, including, but not limited to, the contents, typos, errors.....

1 edit
It seems the patch did not fix it here, either. Only by changing the security settings for the internet zone for "Navigate sub-frames across different domains" to "Prompt" did the correct URL display. It had been enabled before... ?
Do note that if you have the Netcraft Antiphishing Toolbar installed, it shows the proper information. »toolbar.netcraft.com/