ground418 security advisory Date: 30-10-2007 Subject: Firefox / IE6 crash on javascript nested loops Author: Vincent Audet Menard Original file: http://www.ground418.org/exploits/read.php?file=07-ffox-loops Risk: low Tested on: IE6, IE7, Firefox, Safari Vulnerable: IE6 and older, Firefox 2.0.0.8 and older (mac, window, linux) Not Vulnerable: IE7, Safari 2.0.4 -[ Remote Firefox / IE6 crash ] It's possible to crash and/or force the user to kill Firefox 2.0.0.8 and IE6 by coding an endless loop using javascript functions onblur() and onfocusout(). By using 2 text input fields that are respectively setting focus on each other, you can force the user to quit the browser and eventually crash it if the user holds the enter key when a javascript alert window appears. This bug seems to be fixed in Internet Explorer 7, Microsoft seems to have added a counter that limits the number of consecutive pop-up alerts. A variation of that bug has been reported to firefox a few years ago (see related file), but seems to never have been posted on official security channels. -[ Related files ] Original file: http://www.ground418.org/exploits/read.php?file=07-ffox-loops Proof of concept available on (at your own risk): http://www.ground418.org/exploits/archived/ffox2-poc.html Related on bugzilla https://bugzilla.mozilla.org/show_bug.cgi?id=302787 --- Vincent A. Ménard CTO - Heptacube inc. http://www.heptacube.com
