[Full-Disclosure] CERT: Vulnerability in web redirectors

From: hack4lifeat_private
Date: Fri Mar 21 2003 - 10:37:15 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hi
    
    This release isn’t up to the same standard as my other three, my apologies
    for that.
    
    Your mileage with this vulnerability may vary; some people will think
    it’s irrelevant; some may be able to make use of it. But it’s not for
    me to judge whether it should be released. CERT obviously thinks it’s
    worthwhile, so I’ve taken the choice out of their hands too and released
    it anyway.
    
    I have decided on a new policy for release of vulnerabilities. In future
    all vulnerabilities will be released at approximately 7pm on Friday evenings.
    This is to give hackers the maximum amount of time to actively exploit
    the vulnerability before sys-admins, CERT, and Vendors can act to patch
    the issue on Monday morning after their weekend off.
    
    Many people seem to have forgotten that holes are not released to help
    the Admins, they are there to help the hackers and that is who should
    be using them!
    
    I will release a further hole at the same time next week.
    
    HACK4LIFE
    
    Still Hacking, Still Kicking Arse
    
    ========================================================================
    
    
    Hello,
    
    Microsoft has contacted us regarding an issue reported to Bugtraq a
    while ago. This vulnerability affects a number of different portal
    sites. They have asked us to contact sites we think may be
    affected. If you can think of any other sites vulnerable to this
    problem, we would appreciate your feedback.
    
    The issue involves web redirectors. It looks like spammers are
    targeting these in an attempt to legitimize their activities, by using
    redirected URLs so that spam victims think the URLs in spam are
    legitimate.
    
    Here's an example:
    
    http://go.msn.com/0000/5/1.asp?target=http://207.46.230.218 - this is
    pretty straightforward - it uses the http://go.msn.com/0000/5/1.asp
    page to redirect to the IP address of Microsoft.com. This page is a
    legitimate service for MSN - for example, one of the things they use
    pages like this for is to redirect users in the UK who type in www.msn.com
    to www.msn.co.uk.
    
    What spammers are doing is using these to bounce off in an attempt to
    look legitimate. By further obfuscation of the URL with dotless IP
    addresses and unicode characters, you get left with a URL where the
    only distinguishable name in the URL is 'go.msn.com', which looks
    legitimate.
    
    There are two issues here:
    
    1. Users are being tricked into going to what they think is a
    legitimate site they trust, but are in fact being steered off to
    another site which they are unlikely to trust. This could be a hostile
    site, an unsavory site, or worse, a site mocked up to look like the
    trusted site in an attempt to further trick the user.
    
    2. The servers that handle this service are scaled for the specific
    service they provide. MSN understands the throughputs and loads and
    has capacity planned as such. If spammers start to make widespread
    use of this method, they could in effect cause a Denial of Service to
    elements of MSN (or insert your favorite portal here).
    
    The way spammers are identifying these redirectors is pretty
    straightforward. In Internet Explorer it is possible to inspect a URL
    in the status bar without following it, just by mousing over it (you
    need "View|Status Bar" enabled). Most of the big portals have at least
    one redirector right on their home page, and by simply mousing over
    all the URLs you can quickly identify those that are redirecting to
    another domain. You can then copy the URL to the clipboard, paste it
    into a document, delete the proper target domain and insert the new
    target domain. You then copy the new URL into your spam e-mail.
    
    So, please evaluate your exposure to this problem and let us know in
    the form of a vendor statement. We understand that fixing this problem
    may require some architectural changes, so we don't expect it to be
    solved overnight.
    
    We have not yet established a timeframe for publishing information
    regarding this problem.
    
    Thanks,
    Ian
    
    - --
    
    Ian A Finlay <iafat_private>     CERT (R) Coordination Center
    My Key Fingerprint: 8E45 ED14 46D5 F9EF 18C1 5BC7 301E B19A F081 F52C
    CERT/CC Fingerprint: E0 1E DF F5 FC 76 00 32 77 8F 25 F7 B0 2E 2C 27
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify
    
    wl4EARECAB4FAj57zC0XHGhhY2s0bGlmZUBodXNobWFpbC5jb20ACgkQgSjHzuae7+pN
    zgCgqaKad7gxrIddi4Q4KmT0aABsxhEAnjbRtdZ9vgLc/xzVIRpI2o/Lu3fi
    =JGg6
    -----END PGP SIGNATURE-----
    
    
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
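The open-redirector problem CERT describes in the quoted mail (a portal page that forwards to whatever URL is passed in a query parameter, with the target disguised by dotless IPs and encoded characters) is simple to reason about in code. The example below is added here and is not part of HACK4LIFE's post, CERT's mail, or any MSN code. It does two things: `find_offsite_redirectors()` performs the reconnaissance CERT attributes to spammers (mouse over every link and spot the ones whose query string carries a URL to another host) programmatically over a page's HTML, and `is_safe_redirect()` is the server-side allowlist check a redirector should apply before following a user-supplied target, failing closed on the obfuscations the mail mentions. The hostnames (`go.example.com` and friends), the sample page and the parameter names are constructed for illustration.

```python
"""Added example (not from the original post or CERT's mail).

  - find_offsite_redirectors(): scan a page's links for query parameters
    whose value is an absolute URL pointing at a different host.
  - is_safe_redirect(): allowlist check for a redirector's target that
    fails closed on dotless/raw IPs, percent-encoded hosts, userinfo
    tricks (http://trusted@evil), protocol-relative URLs and non-http schemes.

All hostnames and the sample HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl
import ipaddress

REDIRECT_SCHEMES = {"http", "https"}


def _host_of(url):
    """Lowercased hostname of an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in REDIRECT_SCHEMES:
        return None
    return (parts.hostname or "").lower() or None


class _LinkCollector(HTMLParser):
    """Collect every <a href=...> value on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_offsite_redirectors(html, site_host):
    """Return (href, parameter, target_host) for every link on `site_host`
    whose query string carries an absolute URL to a different host.

    parse_qsl already percent-decodes the values, so an encoded
    http%3A%2F%2F... target is seen as a URL too.
    """
    parser = _LinkCollector()
    parser.feed(html)
    found = []
    for href in parser.hrefs:
        parts = urlsplit(href)
        link_host = (parts.hostname or site_host).lower()
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            target_host = _host_of(value)
            if target_host and target_host != link_host:
                found.append((href, key, target_host))
    return found


def is_safe_redirect(target, allowed_hosts):
    """Accept a target only if it is a site-relative path or an http(s) URL
    whose hostname is on the allowlist. The allowlist alone rejects every
    disguised host; the explicit checks just name the tricks being refused."""
    if not target or target.startswith("//"):
        return False                       # empty or protocol-relative (//evil)
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")      # only site-relative paths pass
    if parts.scheme.lower() not in REDIRECT_SCHEMES:
        return False                       # javascript:, data:, ftp: ...
    if parts.username is not None or parts.password is not None:
        return False                       # http://trusted.example@evil.example
    host = (parts.hostname or "").lower()
    if not host or "%" in host:
        return False                       # percent-encoded host never matches
    try:
        ipaddress.ip_address(host)
        return False                       # raw IP such as 207.46.230.218
    except ValueError:
        pass
    if host.isdigit():
        return False                       # dotless decimal IP, e.g. 3475506906
    return host in {h.lower() for h in allowed_hosts}


# Constructed sample page: one on-site redirect, two off-site ones.
SAMPLE_PAGE = """<html><body>
<a href="http://go.example.com/r?target=http://go.example.com/home">Home</a>
<a href="http://go.example.com/0000/5/1.asp?target=http://partner.example.net/deal">Partner</a>
<a href="/news?id=42">News</a>
<a href="/out?u=http%3A%2F%2F3475506906%2F">Obfuscated</a>
</body></html>"""

ALLOWED = {"www.example.com", "www.example.co.uk"}

if __name__ == "__main__":
    for hit in find_offsite_redirectors(SAMPLE_PAGE, "go.example.com"):
        print("redirector:", hit)
    for t in ["/uk/home", "http://www.example.co.uk/", "http://207.46.230.218",
              "http://3475506906", "http://www.example.com@evil.example.net/"]:
        print(t, "->", is_safe_redirect(t, ALLOWED))
```

The allowlist is the actual control; a denylist of "suspicious-looking" hosts would miss the next encoding trick. Note that `find_offsite_redirectors` flags any cross-host target, so a redirector that legitimately sends `go.example.com` users to `www.example.com` shows up too; that is intended, since it is exactly the kind of link a spammer would rewrite.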
    



    This archive was generated by hypermail 2b30 : Fri Mar 21 2003 - 11:32:58 PST