BugTraq
[Suspected Spam]DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera May 28 2010 12:57PM
MustLive (mustlive websecurity com ua) (1 replies)
Re: [Suspected Spam]DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera May 28 2010 04:06PM
Susan Bradley (sbradcpa pacbell net) (1 replies)
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera May 31 2010 04:03PM
MustLive (mustlive websecurity com ua) (1 replies)
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera May 31 2010 09:02PM
John Smith (at-x live com)
Hi Mustlive,
I'm not sure if there's a need to discuss or clarify this any further.
Please refer to my earlier posts, and for the sake of saving some of our
time & efforts, avoid drawing tangents about scripts and noscripts (I've
clarified both earlier) & weasel words (security vulnerability and nntp
exploit - irrelevent in this case).
JS or no-JS, this issue is nothing new, this behavior is well-defined and a
necessity and definitely not a URI (of any kind) exploit or a security
vulnerability.

Some last specifics (mostly reiterating what I said in my earlier posts) -
1. You can take this issue up with the content aggregators (CDN etc) and or
website programmers, this is not an issue to be addressed by the webbrowsers
because the solution of it remains imperfect in theory (one of my posts have
a 'workaround'...maybe a 'good to have' feature which WILL open up another
can of worms...).
2. Now the even vague non-scripted issue which you insist upon - If you are
trying to say that a 1000 lines of <iframe src='nntp:something'/> (which is
executed sequentially by any JVM as a fact) is an 'exploit' and 'security
vulnerability', isn't there a HUGE point missing?
NOTE: again, I'm not sure why you claim its an 'nntp' exploit. As I noted
earlier, its applicable to any uri handler and their behaviour is nothing
unexpected.
3. Your POC had used JS and is non-functional without scripting enabled. It
was taken offline since I last checked (my 2nd last post?), which should
have been your sample reference for this discussion (its appearing to shift
now).

Best Regards,
w

--------------------------------------------------
From: "MustLive" <mustlive (at) websecurity.com (dot) ua [email concealed]>
Sent: Monday, May 31, 2010 9:33 PM
To: "Susan Bradley" <sbradcpa (at) pacbell (dot) net [email concealed]>
Cc: <bugtraq (at) securityfocus (dot) com [email concealed]>
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
Opera

> Hello Susan and other readers, who replied to my previous advisory.
>
> Earlier I've already answered Vladimir, now I'd answer Susan and soon I'd
> answer John. But now one important note to every reader of the list,
> including John Smith. Which I already wrote about 1,5 week ago (after
> posting of a first advisory about DoS in browsers) to one reader of
> Full-disclosure who inattentively read that advisory (he missed message
> about attacking without JS) and also to Mozilla (who became discussing
> this
> issue and only drew attention to attacking with JS vector). That, as I
> wrote
> in both advisories, this attack via iframes can also be conducted without
> JavaScript. So even turning JS off will not help.
>
> Due to advantages of JS exploit for these vulnerabilities over non-JS
> exploit, I wrote JavaScript exploits for these advisories and I'd write
> for
> future advisories (but I'd be reminding about possibility of attacking
> without JS). But soon I'll present one exploit also in "pure-iframe"
> version
> (without JS) for Internet Explorer and other applications - in case when
> small amount of iframes lead to crash.
>
>> Thank you. Now if you could wait for patches before disclosing I'd be
>> even happier.
>
> Susan, you are welcome.
>
> I would be happy to wait for patches of browser vendors, but as already
> told you in details, it's not possible due to behavior of browser vendors.
> All they mostly ignore such holes, all they don't count DoS as
> vulnerabilities, they called them "stability issues" and so don't attend
> to
> them seriously (and not fixing or fixing slowly). I don't respect such
> statement as "stability issues" for DoS holes, and during 2008-2010 I
> worked
> hard to change vendors' mind on this issue, but they still ignore it.
>
> Also, as I already told you, they never told if they fixed or not such
> holes
> (especially taking into account that they almost always ignore my letters
> with such holes or, as Opera did few times, answering with "it's stability
> issues" statement). So I have no possibility to know from them if they
> fixed
> it or not - and because they don't care about such issues (ignoring them
> or
> calling them stability issues), they never mentioned about them in vendors
> advisories. Only one time Microsoft informed me about fixing DoS hole in
> Outlook - even they called it stability issue they informed me after they
> released a patch for it (which was serious approach, but not Microsoft for
> IE, nor other vendors use such approach for DoS holes in browsers).
>
> But take into account that I informed (at 26.05.2010) all four browser
> vendors about many vulnerabilities, which I'll disclose in the future. So
> they are informed for long time in advance :-). And so you have no need to
> worry, because with every day they become more and more "informed long
> time
> ago" and have more and more days to fix these holes.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: "Susan Bradley" <sbradcpa (at) pacbell (dot) net [email concealed]>
> To: "MustLive" <mustlive (at) websecurity.com (dot) ua [email concealed]>
> Cc: <bugtraq (at) securityfocus (dot) com [email concealed]>
> Sent: Friday, May 28, 2010 7:06 PM
> Subject: Re: [Suspected Spam]DoS vulnerabilities in Firefox, Internet
> Explorer, Chrome and Opera
>
>
>> Thank you. Now if you could wait for patches before disclosing I'd be
>> even happier.
>>
>> MustLive wrote:
>>> Hello Bugtraq!
>>>
>>> I want to warn you about security vulnerability in different browsers.
>>>
>>> -----------------------------
>>> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
>>> Opera
>>> -----------------------------
>>> URL: http://websecurity.com.ua/4238/
>>> -----------------------------
>>> Affected products: Mozilla Firefox, Internet Explorer 6, Internet
>>> Explorer
>>> 8, Google Chrome, Opera.
>>> -----------------------------
>>> Timeline:
>>>
>>> 26.05.2010 - found vulnerabilities.
>>> 26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
>>> Susan Bradley must be happy :-).
>>> 27.05.2010 - disclosed at my site.
>>> -----------------------------
>>> Details:
>>>
>>> After publication of previous vulnerabilities in different browsers, I
>>> continued my researches and found many new vulnerabilities in browsers,
>>> which I called by general name DoS via protocol handlers, to which
>>> belonged
>>> and previous DoS attack via mailto handler.
>>>
>>> Now I'm informing about DoS in different browsers via protocols news and
>>> nntp. These Denial of Service vulnerabilities belongs to type
>>> (http://websecurity.com.ua/2550/) blocking DoS and resources consumption
>>> DoS. These attacks can be conducted as with using JS, as without it (via
>>> creating of page with large quantity of iframes).
>>>
>>> DoS:
>>>
>>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Ope
ra%20DoS%20Exploit2.html
>>>
>>> This exploit for news protocol works in Mozilla Firefox 3.0.19 (and
>>> besides
>>> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
>>> (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
>>> 1.0.154.48 and Opera 9.52.
>>>
>>> In all mentioned browsers occurs blocking and overloading of the system
>>> from
>>> starting of Opera, which appeared as news-client at my computer, and IE8
>>> crashes (at computer without Opera). And in Opera the attack is going
>>> without blocking, only resources consumption (more slowly then in other
>>> browsers).
>>>
>>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%2
0Exploit.html
>>>
>>> This exploit for nntp protocol works in Mozilla Firefox 3.0.19 (and
>>> besides
>>> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
>>> (6.0.2900.2180) and Opera 9.52.
>>>
>>> In all mentioned browsers occurs blocking and overloading of the system
>>> from
>>> starting of Opera, which appeared as nntp-client at my computer. In IE8
>>> the
>>> attack didn't work - possibly because that at that computer there was no
>>> nntp-client, Opera in particular. And in Opera the attack is going
>>> without
>>> blocking, only resources consumption (more slowly then in other
>>> browsers).
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus