While Secunia is doing a fantastic job [truly] of compiling advisories as soon as issues are discovered by others, they do need to make it absolutely clear to the media that they appear to have to talk to and in the information that they release just who found these flaws. This particular url spoofing issue is being diluted across the major wires as follows [there are several others as well]: 'The Web browser flaw, discovered Tuesday by Danish tech security firm Secunia, could trigger a surge in an e-mail scam, called phishing, security experts say.' http://www.usatoday.com/tech/news/2003-12-11-microsoft2_x.htm 'Secunia says it has found an "input validation" error in Internet Explorer. By exploiting this vulnerability, known as a URL-spoofing vulnerability, attackers can display any URL name they wish in the address and status bars of IE.' http://www.internetwk.com/breakingNews/showArticle.jhtml? articleID=16700306 'Secunia, a company that provides security services worldwide, claims to have found a vulnerability in Internet Explorer 6 that would allow domain names to be spoofed. The result would make it appear that a user were connecting to one domain when, in reality, he or she was communicating with a completely different domain. If done properly, an attacker could fool a user into inputting sensitive or private information.' http://www.geek.com/news/geeknews/2003Dec/gee20031211023028.htm There is a tiny credit notation at the end of each of the so-called Secunia 'advisories' on secunia.com but that is proving to be insufficient. Initial reporting was accurate in crediting: Zap The Dingbat, who found this. Let's not have the excitement of the moment get in the way of the facts.: http://www.zapthedingbat.com/security/ex01/vun1.htm -- http://www.malware.com
