BugTraq
DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 18 2010 01:17PM
MustLive (mustlive websecurity com ua) (1 replies)
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 18 2010 05:38PM
Susan Bradley (sbradcpa pacbell net) (1 replies)
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 19 2010 10:53PM
MustLive (mustlive websecurity com ua) (1 replies)
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 19 2010 11:58PM
Susan Bradley (sbradcpa pacbell net) (1 replies)
Let's take one for example. Did you email secure (at) microsoft (dot) com [email concealed]? I have
before and 100% of the time they respond.

Patches take time. The do not occur over night. Furthermore it may
take a day for the vendor to respond to you.

This isn't about past issues, this is about this issue. A single day did
not pass between when you emailed these vendors and when you posted
here. Have you considered giving these vendors time to respond? I do
not find that 99% of them don't, rather I find that they do. Should you
have issues, would you consider emailing me first so I can introduce you
to contacts?

MustLive wrote:
> Hello Susan!
>
>> Granted I can denial of service a browser just by loading up a horrible
>> add in or just using a browser
>
> DoS of the browser is already bad thing. And there are many risks for
> users
> from DoS holes in browsers, which I wrote about in 2008 in my articles
> Dangers of DoS attacks on browsers and Dangers of resources
> consumption DoS
> attacks. But mostly browser developers ignore to fix these issues.
>
> But in this case it's not only attack on browsers, but on the whole
> user's
> computer - because it's blocking of whole computer and full resource
> consumption. Which is working in many browsers, including their last
> versions. So browser developers with their neglect to this problem make
> possible attacks on the whole users' systems. It was one of leitmotifs
> of my
> advisory.
>
>> can I respectfully ask that you give vendors time to respond before
>> posting?
>
> This informing of vendors was an exclusion. During 2007-2009 I
> informed many
> browser developers about many vulnerabilities (as DoS, as others) and
> gave
> them a lot of time for fixing in many of that cases. But they almost
> always
> ignore to fix the holes (especially DoS holes, which were only fixed few
> times by Google and one time by Microsoft, and not in IE, but in Outlook,
> and 99% of cases were completely ignored). Taking that into account last
> year I decided from 2010 never inform browser vendors about DoS holes in
> their browsers. And this time it was an exclusion (just one). In any case
> due to full disclosure the Internet community will be knowing about the
> vulnerabilities in browsers which I found and will be knowing the real
> state
> of security of browsers. It was another leitmotif of my advisory.
>
> So this time I informed browser developers and users about these
> issues. And
> did I receive any thanks from Susan (especially taking into account
> that I
> did inform vendors) or any other user of browsers for this info? No
> :-). Did
> browser vendors answered me? No :-) (at first day) - which is normal for
> such cases, based on my experience. Only on second day Opera and Mozilla
> answered me and begun investigation of these cases (which is rare case
> when
> they responded on DoS hole, based on my experience), but not other
> vendors.
>
>> These vendors do not ignore security issues and do respond
>
> As I already said, in 99% they do ignore and don't respond (and sometimes
> were such cases as responded but not fixed, and such case as not
> responded
> and not thanked me, but fixed). So taking into account my personal
> experience with finding vulnerabilities in browsers and informing
> vendors,
> I'm not informing them about DoS vulnerabilities in their browsers
> from this
> year (except this one case).
>
>> From more then 5 years of my work here is TOP of different group of
>> people,
> based on answering and fixing of vulnerabilities which I informed them
> about
> (the higher, the better):
>
> 1. Developers of Internet related software (such as web servers, ad
> blockers, etc.).
> 2. Developers of web applications.
> 3. Admins of web sites.
> 4. Developers of the browsers.
>
> Which must give you a ground for thoughts.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- From: "Susan Bradley" <sbradcpa (at) pacbell (dot) net [email concealed]>
> To: "MustLive" <mustlive (at) websecurity.com (dot) ua [email concealed]>; <bugtraq (at) securityfocus (dot) com [email concealed]>
> Sent: Tuesday, May 18, 2010 8:38 PM
> Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome,
> Opera and other browsers
>
>
>> 16.05.2010 - found vulnerability.
>> 17.05.2010 - disclosed at my site.
>> 18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
>>
>>
>> Found on the 16th
>> Blogged on the 17th
>> Told vendors on the 18th
>> Posted here on the 18th
>>
>> Granted I can denial of service a browser just by loading up a horrible
>> add in or just using a browser, but as a customer of each of these
>> vendors, can I respectfully ask that you give vendors time to respond
>> before posting? These vendors do not ignore security issues and do
>> respond (unlike some of the web sites with the captcha issues) So why
>> haven't you given them that opportunity?
>>
>>
>> MustLive wrote:
>>> Hello Bugtraq!
>>>
>>> I want to warn you about security vulnerability in different browsers.
>>>
>>> -----------------------------
>>> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome,
>>> Opera
>>> and other browsers
>>> -----------------------------
>>> URL: http://websecurity.com.ua/4206/
>>> -----------------------------
>>> Affected products: Mozilla Firefox, Internet Explorer 6, Internet
>>> Explorer
>>> 8, Google Chrome, Opera and other browsers.
>>> -----------------------------
>>> Timeline:
>>>
>>> 16.05.2010 - found vulnerability.
>>> 17.05.2010 - disclosed at my site.
>>> 18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
>>> -----------------------------
>>> Details:
>>>
>>> At 30.02.2010 Mozilla fixed vulnerability (small one, which poses no
>>> security risk, as they said), found by Henry Sudhof - Mozilla
>>> Foundation
>>> Security Advisory 2010-23
>>> (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html) (Image
>>> src
>>> redirect to mailto: URL opens email editor). Which allow to open email
>>> client at user's computer via redirector, which redirecting to mailto:
>>> URL.
>>> But this vulnerability was fixed only in Firefox 3.5.9, Firefox
>>> 3.6.2 and
>>> SeaMonkey 2.0.4, but not in Firefox 3.0.x.
>>>
>>> After I recently read this advisory, I decided to check different
>>> browsers.
>>> And as I checked at 16.05.2010, to this vulnerability are vulnerable
>>> web
>>> browsers Firefox 3.0.19 and Opera 9.52. And I created exploit for
>>> conducting
>>> of DoS attack on Firefox.
>>>
>>> Also I found possibility to open email client via iframe with mailto:
>>> URL.
>>> Which works in browsers Firefox 3.0.19, IE6, IE8 and Chrome. And I
>>> created
>>> exploit for conducting of attack on all browsers, which I called DoS
>>> via
>>> email. This attack can be conducted as with using JS, as without it
>>> (via
>>> creating of page with large quantity of iframes).
>>>
>>> If attack via images at a page (which open email client) is only
>>> discomfort,
>>> then attack via images or iframes with using my exploits is Denial of
>>> Service vulnerability. It belongs to type
>>> (http://websecurity.com.ua/2550/)
>>> blocking DoS and resources consumption DoS. These exploits are very
>>> dangerous - at their starting, if to not stop attack in time, they can
>>> lead
>>> to full consumption of computer's resources (potentially even to
>>> freezing
>>> of
>>> the system).
>>>
>>> DoS:
>>>
>>> http://websecurity.com.ua/uploads/2010/Firefox%20DoS%20Exploit.html
>>>
>>> This exploit works in Mozilla Firefox (Firefox <= 3.0.19, Firefox <
>>> 3.5.9,
>>> Firefox < 3.6.2) and SeaMonkey < 2.0.4.
>>>
>>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Ope
ra%20DoS%20Exploit.html
>>>
>>>
>>> This exploit works in Mozilla Firefox (besides 3.0.x and previous
>>> versions,
>>> it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180),
>>> Internet Explorer 8 (8.0.7600.16385), Google Chrome 1.0.154.48 and
>>> Opera
>>> 9.52. At that in Opera the exploit don't open email client, so DoS
>>> attack
>>> is
>>> going without blocking, only resources consumption (more slowly then in
>>> other browsers). And also this exploit must work in SeaMonkey, Internet
>>> Explorer 7 and other browsers.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
>
>

[ reply ]
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 27 2010 08:53PM
MustLive (mustlive websecurity com ua) (1 replies)
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 28 2010 03:07PM
John Smith (at-x live com) (1 replies)
Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 28 2010 06:17PM
Vladimir '3APA3A' Dubrovin (3APA3A SECURITY NNOV RU) (1 replies)
Re: Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 28 2010 07:55PM
John Smith (at-x live com) (2 replies)
Re[3]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers Jun 03 2010 08:12PM
MustLive (mustlive websecurity com ua)
Re[4]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers May 28 2010 08:35PM
Vladimir '3APA3A' Dubrovin (3APA3A SECURITY NNOV RU) (1 replies)


 

Privacy Statement
Copyright 2010, SecurityFocus