Firstly, a brief update on the status of reported sample vulnerabilities: - mozilla_die1.html: confirmed, fixed in snapshots (DoS most of the time) - mozilla_die2.html: confirmed, being worked on (likely exploitable) - opera_die1.html: confirmed, being worked on (likely exploitable) - lynx_die1.html: confirmed, independent fixes from OpenBSD team (DoS) - links_die1.html: no official confirmation, no data (DoS) I have no data on whether any of the vendors bothered to run my scripts to find any further problems that are bound to surface. I have also received reports of crashes caused by mangeme.cgi with the following browsers: - Safari / Konqueror (KHTML engine) - elvis - elinks (links engine) - w3m Last but not least, MSIE gives in: > Only MSIE appears to be able to consistently handle [*] malformed > input well, suggesting this is the only program that underwent > rudimentary security QA testing with a similar fuzz utility. To all those who considered my original post to be a great propaganda ammunition for praising MSIE, bad news - although it did take a longer while for it to give up - three hours - (impressive by comparison to competitors), it eventually did: http://lcamtuf.coredump.cx/mangleme/gallery/ie_die1.html Tested on 6.0.2800.1106, dies in mshtml.dll. This is a NULL pointer dereference, so merely a DoS condition, but still an evident flaw in basic HTML parsing. ****************************************************************** * This means that VIRTUALLY EVERY BROWSER IN USE TODAY is unable * * to securely render HTML. Keeping in mind that not only web * * browsing, but also integrated e-mail is at risk, it is a grim * * thought. * ****************************************************************** Because I did not ask CERT or NIPC for patronage, did not get 20 CVE numbers for each variant of each of the issues, nor do I have a black-on-white webpage with stock graphics, this will likely not generate any media splash, but I for one consider my findings to be far more chilling that a wave of tabbed browsing URL spoofing flaws and similar recent browser issues. For those interested in doing some of my homework, I've updated the tool, incorporating several minor changes to its semantics to make it somewhat more powerful: download http://lcamtuf.coredump.cx/soft/mangleme.tgz for version 1.2. -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2004-10-23 00:11 -- http://lcamtuf.coredump.cx/photo/current/
