Re: Apple IOS security issue pre-advisory record
From: Dave <mrx () propergander org uk>
Date: Sat, 24 Mar 2012 00:52:45 +0000
-----BEGIN PGP SIGNED MESSAGE-----
On 23/03/2012 23:26, Michal Zalewski wrote:
> > I find it very unfortunate that 300 supposed security professionals clicked
> > on a hidden link like that without first checking what it was, or if not
> > simply ignoring it like I did!!!
>
> So how do you meaningfully "check what it is" without actually
> requesting the document?
>
> And what's the difference between that post and a hidden <img> or
> <iframe> included on a less obvious website?

I am not an expert so please, for my education, correct me if I am wrong.
Is it not so much the request, but what the request is made with?
Would not requesting with wget mitigate any attack?
The source of the page and any scripts called by the page should be enough to ascertain whether the page is malicious.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/