BugTraq
DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 18 2010 01:17PM
MustLive (mustlive websecurity com ua) (1 replies)
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 18 2010 05:38PM
Susan Bradley (sbradcpa pacbell net) (1 replies)
16.05.2010 - found vulnerability.
17.05.2010 - disclosed at my site.
18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.

Found on the 16th
Blogged on the 17th
Told vendors on the 18th
Posted here on the 18th

Granted I can denial of service a browser just by loading up a horrible
add-in or just using a browser, but as a customer of each of these
vendors, can I respectfully ask that you give vendors time to respond
before posting? These vendors do not ignore security issues and do
respond (unlike some of the web sites with the captcha issues). So why
haven't you given them that opportunity?

MustLive wrote:
> Hello Bugtraq!
>
> I want to warn you about a security vulnerability in different browsers.
>
> -----------------------------
> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera
> and other browsers
> -----------------------------
> URL: http://websecurity.com.ua/4206/
> -----------------------------
> Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
> 8, Google Chrome, Opera and other browsers.
> -----------------------------
> Timeline:
>
> 16.05.2010 - found vulnerability.
> 17.05.2010 - disclosed at my site.
> 18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
> -----------------------------
> Details:
>
> On 30.02.2010 Mozilla fixed a vulnerability (a small one, which poses no
> security risk, as they said), found by Henry Sudhof - Mozilla Foundation
> Security Advisory 2010-23
> (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html)
> (Image src redirect to mailto: URL opens email editor). It allows opening
> the email client on the user's computer via a redirector that redirects to
> a mailto: URL. But this vulnerability was fixed only in Firefox 3.5.9,
> Firefox 3.6.2 and SeaMonkey 2.0.4, but not in Firefox 3.0.x.
>
> After I recently read this advisory, I decided to check different browsers.
> And as I checked on 16.05.2010, the web browsers Firefox 3.0.19 and Opera
> 9.52 are vulnerable to this vulnerability. And I created an exploit for
> conducting a DoS attack on Firefox.
>
> Also I found a possibility to open the email client via an iframe with a
> mailto: URL, which works in the browsers Firefox 3.0.19, IE6, IE8 and
> Chrome. And I created an exploit for conducting the attack on all browsers,
> which I called DoS via email. This attack can be conducted both with JS and
> without it (via creating a page with a large quantity of iframes).
>
> If an attack via images on a page (which open the email client) is only
> a discomfort, then an attack via images or iframes using my exploits is a
> Denial of Service vulnerability. It belongs to the types
> (http://websecurity.com.ua/2550/) blocking DoS and resources consumption
> DoS. These exploits are very dangerous - when started, if the attack is not
> stopped in time, they can lead to full consumption of the computer's
> resources (potentially even to freezing of the system).
>
> DoS:
>
> http://websecurity.com.ua/uploads/2010/Firefox%20DoS%20Exploit.html
>
> This exploit works in Mozilla Firefox (Firefox <= 3.0.19, Firefox < 3.5.9,
> Firefox < 3.6.2) and SeaMonkey < 2.0.4.
>
> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit.html
>
>
> This exploit works in Mozilla Firefox (besides 3.0.x and previous versions,
> it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180),
> Internet Explorer 8 (8.0.7600.16385), Google Chrome 1.0.154.48 and Opera
> 9.52. In Opera, though, the exploit doesn't open the email client, so the
> DoS attack proceeds without blocking, only with resources consumption (more
> slowly than in other browsers). And also this exploit must work in
> SeaMonkey, Internet Explorer 7 and other browsers.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>

[ reply ]
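
A defender-side check for the page pattern the quoted advisory describes (many auto-loaded elements pointing at mailto: URLs), as an added example that is not part of the original posts or of the author's exploits. The names `AUTOLOAD`, `DOS_THRESHOLD`, `scheme_of`, `MailtoLoadCounter` and `audit` are hypothetical, the threshold is an assumed policy value, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that fetch their URL on page load, with the attribute holding it.
AUTOLOAD = {"iframe": "src", "frame": "src", "img": "src",
            "embed": "src", "object": "data"}
DOS_THRESHOLD = 3  # assumed cut-off between "nuisance" and "dos-pattern"


def scheme_of(url):
    # URL parsers ignore leading whitespace and embedded tab/CR/LF, so
    # normalise first or a value like "mai\nlto:" is missed.
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    try:
        return urlsplit(cleaned).scheme.lower()
    except ValueError:  # malformed URL: treat as having no scheme
        return ""


class MailtoLoadCounter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # tag name of every auto-loaded mailto: URL

    def handle_starttag(self, tag, attrs):
        wanted = AUTOLOAD.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value and scheme_of(value) == "mailto":
                self.hits.append(tag)


def audit(html):
    parser = MailtoLoadCounter()
    parser.feed(html)
    parser.close()
    n = len(parser.hits)
    severity = "none" if n == 0 else "nuisance" if n < DOS_THRESHOLD else "dos-pattern"
    return {"count": n, "severity": severity, "tags": parser.hits}


# Constructed sample page: one ordinary contact link plus three auto-loads.
SAMPLE = """<html><body>
<a href="mailto:support@example.test">Contact us</a>
<img src="/logo.png">
<iframe src="mailto:a@example.test"></iframe>
<IFRAME SRC=" MailTo:b@example.test"></IFRAME>
<img src="mai&#10;lto:c@example.test">
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

This static pass does not see the redirect variant from MFSA 2010-23, where an http: image URL redirects to mailto:, and it does not see elements created by script; covering those needs the resolved redirect target or the rendered DOM.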
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 19 2010 10:53PM
MustLive (mustlive websecurity com ua) (1 replies)
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 19 2010 11:58PM
Susan Bradley (sbradcpa pacbell net) (1 replies)
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 27 2010 08:53PM
MustLive (mustlive websecurity com ua) (1 replies)
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 28 2010 03:07PM
John Smith (at-x live com) (1 replies)
Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 28 2010 06:17PM
Vladimir '3APA3A' Dubrovin (3APA3A SECURITY NNOV RU) (1 replies)
Re: Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 28 2010 07:55PM
John Smith (at-x live com) (2 replies)
Re[3]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers Jun 03 2010 08:12PM
MustLive (mustlive websecurity com ua)
Re[4]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 28 2010 08:35PM
Vladimir '3APA3A' Dubrovin (3APA3A SECURITY NNOV RU) (1 replies)


 

Copyright 2010, SecurityFocus