BugTraq
Re[4]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 28 2010 08:35PM
Vladimir '3APA3A' Dubrovin (3APA3A SECURITY NNOV RU) (1 replies)
Dear John Smith,

In the general case we are discussing, DoS may be caused by e.g. some
combination of allowed tags/properties or by a malformed image.

As was pointed out by the author, this attack may be performed with
scripting disabled (with [iframe src=]). That's why the e-mail vector may
be significant.

--Friday, May 28, 2010, 11:55:28 PM, you wrote to 3APA3A (at) SECURITY.NNOV (dot) RU [email concealed]:

JS> Point taken. But that'd be a non-issue on the browser's end as much as
JS> site's that is allowing the rogue scripts (or malformed ads, as per your
JS> example).
JS> The fork of this mail thread clearly explains what I'm talking about. The
JS> issue noted there is a simple DoS attack which every programming language
JS> and platform is vulnerable to. It's called the "infinite loop". It is not a
JS> 'security vulnerability' by itself and is completely agnostic of the uri
JS> handler (try http or anything instead of nntp).

JS> Here's the simplified JS version of it (let's call it the Universal DoS --
JS> yes, it'd work for every browser on the planet that can execute JS) -

JS> <script>
JS> while(1)alert('hello world');
JS> </script>

JS> Done!

JS> Workaround:
JS> None very intuitive. Maybe allow the user to terminate the script at every
JS> iteration? specific time period? etc...

JS> --------------------------------------------------
JS> From: "Vladimir '3APA3A' Dubrovin" <3APA3A (at) SECURITY.NNOV (dot) RU [email concealed]>
JS> Sent: Friday, May 28, 2010 11:47 PM
JS> To: "John Smith" <at-x (at) live (dot) com [email concealed]>
JS> Cc: "MustLive" <mustlive (at) websecurity.com (dot) ua [email concealed]>; "Susan Bradley"
JS> <sbradcpa (at) pacbell (dot) net [email concealed]>; <bugtraq (at) securityfocus (dot) com [email concealed]>
JS> Subject: Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome,
JS> Opera and other browsers

>> Dear John Smith,
>>
>> Actually, browser DoS may be quite a serious vulnerability, depending on
>> the nature of the DoS. Think about e.g. a banner or content exchange network,
>> social networks, web boards, etc. where a browser vulnerability may be
>> used against a site or page because it will harm any visitors of this
>> site or page.
>>
>> In the case of this very vulnerability, the most serious impact may be from
>> the e-mail vector.
>>
>> --Friday, May 28, 2010, 7:07:50 PM, you wrote to
>> mustlive (at) websecurity.com (dot) ua [email concealed]:
>>
>> JS> Just a few cents - DoS in webbrowsers doesn't fall under the category of
>> JS> "vulnerabilities" rather more of "annoyances". Although I don't deny the
>> JS> fact that certain DoS attacks *may lead* or *may serve as hints* to other
>> JS> more serious exploits, but that's a different topic and with ASLR in the
>> JS> scene, a very grey area of discussion.
>>
>>
>>
>> --
>> Skype: Vladimir.Dubrovin
>> ~/ZARAZA http://securityvulns.com/
>> Firing a second time, he maimed a bystander. The bystander was me.
>> (Twain)
>>
>>

--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
The machine turned out to be capable of a single operation,
namely multiplying 2x2, and even then it got it wrong. (Lem)
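
The workaround floated in the quoted message (let the user terminate the script after repeated dialogs within a time period), sketched as an added example that is not part of the original thread. `makeDialogGuard`, `ScriptTerminated` and `runLoopUnderGuard` are hypothetical names, and the clock and user responses are constructed so the loop from the message runs to completion under Node.

```javascript
// Added illustration, not code from the thread. All names are hypothetical.
class ScriptTerminated extends Error {}

// Wrap a dialog function so a page cannot open dialogs without bound.
// After `maxDialogs` dialogs inside `windowMs`, the user is asked whether to
// stop the script; answering yes throws, which unwinds even a while(1) loop.
function makeDialogGuard({ show, confirmStop, now = Date.now, maxDialogs = 3, windowMs = 5000 }) {
  let recent = [];          // timestamps of dialogs shown inside the window
  let terminated = false;
  return function guardedAlert(message) {
    if (terminated) throw new ScriptTerminated('script already stopped by user');
    const t = now();
    recent = recent.filter((ts) => t - ts < windowMs);
    if (recent.length >= maxDialogs) {
      if (confirmStop(recent.length)) {
        terminated = true;
        throw new ScriptTerminated('stopped after repeated dialogs');
      }
      recent = [];          // user chose to continue: start a fresh window
    }
    recent.push(t);
    show(message);
  };
}

// Run the loop from the message against a guarded alert. The user is
// constructed: each dialog takes 100 ms to dismiss, and by default the
// user agrees to stop at the first prompt.
function runLoopUnderGuard(options = {}) {
  const shown = [];
  let clock = 0;            // fake clock in milliseconds
  const guardedAlert = makeDialogGuard({
    show: (m) => { shown.push(m); clock += 100; },
    confirmStop: options.confirmStop || (() => true),
    now: () => clock,
  });
  let stopped = false;
  try {
    while (1) guardedAlert('hello world');
  } catch (e) {
    if (!(e instanceof ScriptTerminated)) throw e;
    stopped = true;
  }
  return { stopped, dialogsShown: shown.length };
}
```

Suppressing the dialogs alone would leave the loop spinning; throwing from the guarded call is what actually ends the script.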

Copyright 2010, SecurityFocus