Hello Susan!
Granted I can denial of service a browser just by loading up a horrible add in or just using a browser
DoS of the browser is already a bad thing. And there are many risks for users from DoS holes in browsers, which I wrote about in 2008 in my articles Dangers of DoS attacks on browsers and Dangers of resources consumption DoS attacks. But mostly browser developers ignore to fix these issues.
But in this case it's not only an attack on browsers, but on the whole user's computer - because it's blocking of the whole computer and full resource consumption. Which is working in many browsers, including their last versions. So browser developers with their neglect to this problem make possible attacks on the whole users' systems. It was one of the leitmotifs of my advisory.
can I respectfully ask that you give vendors time to respond before posting?
This informing of vendors was an exclusion. During 2007-2009 I informed many browser developers about many vulnerabilities (as DoS, as others) and gave them a lot of time for fixing in many of those cases. But they almost always ignore to fix the holes (especially DoS holes, which were only fixed a few times by Google and one time by Microsoft, and not in IE, but in Outlook, and 99% of cases were completely ignored). Taking that into account last year I decided from 2010 never inform browser vendors about DoS holes in their browsers. And this time it was an exclusion (just one). In any case due to full disclosure the Internet community will be knowing about the vulnerabilities in browsers which I found and will be knowing the real state of security of browsers. It was another leitmotif of my advisory.
So this time I informed browser developers and users about these issues. And did I receive any thanks from Susan (especially taking into account that I did inform vendors) or any other user of browsers for this info? No :-). Did browser vendors answer me? No :-) (at first day) - which is normal for such cases, based on my experience. Only on second day Opera and Mozilla answered me and began investigation of these cases (which is rare case when they responded on DoS hole, based on my experience), but not other vendors.
These vendors do not ignore security issues and do respond
As I already said, in 99% they do ignore and don't respond (and sometimes were such cases as responded but not fixed, and such case as not responded and not thanked me, but fixed). So taking into account my personal experience with finding vulnerabilities in browsers and informing vendors, I'm not informing them about DoS vulnerabilities in their browsers from this year (except this one case).
From more than 5 years of my work here is TOP of different group of people, based on answering and fixing of vulnerabilities which I informed them about (the higher, the better):
1. Developers of Internet related software (such as web servers, ad blockers, etc.).
2. Developers of web applications.
3. Admins of web sites.
4. Developers of the browsers.
Which must give you a ground for thoughts.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: "Susan Bradley" <sbradcpa@xxxxxxxxxxx>
To: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>; <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Tuesday, May 18, 2010 8:38 PM
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
16.05.2010 - found vulnerability.
17.05.2010 - disclosed at my site.
18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
Found on the 16th
Blogged on the 17th
Told vendors on the 18th
Posted here on the 18th
Granted I can denial of service a browser just by loading up a horrible
add in or just using a browser, but as a customer of each of these
vendors, can I respectfully ask that you give vendors time to respond
before posting? These vendors do not ignore security issues and do
respond (unlike some of the web sites with the captcha issues) So why
haven't you given them that opportunity?
MustLive wrote:
Hello Bugtraq!
I want to warn you about security vulnerability in different browsers.
-----------------------------
Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
-----------------------------
URL: http://websecurity.com.ua/4206/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer 8, Google Chrome, Opera and other browsers.
-----------------------------
Timeline:
16.05.2010 - found vulnerability.
17.05.2010 - disclosed at my site.
18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
-----------------------------
Details:
At 30.02.2010 Mozilla fixed vulnerability (small one, which poses no security risk, as they said), found by Henry Sudhof - Mozilla Foundation Security Advisory 2010-23 (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html) (Image src redirect to mailto: URL opens email editor). Which allows to open email client at user's computer via redirector, which is redirecting to mailto: URL. But this vulnerability was fixed only in Firefox 3.5.9, Firefox 3.6.2 and SeaMonkey 2.0.4, but not in Firefox 3.0.x.
After I recently read this advisory, I decided to check different browsers. And as I checked at 16.05.2010, to this vulnerability are vulnerable web browsers Firefox 3.0.19 and Opera 9.52. And I created exploit for conducting of DoS attack on Firefox.
Also I found possibility to open email client via iframe with mailto: URL. Which works in browsers Firefox 3.0.19, IE6, IE8 and Chrome. And I created exploit for conducting of attack on all browsers, which I called DoS via email. This attack can be conducted as with using JS, as without it (via creating of page with large quantity of iframes).
If attack via images at a page (which open email client) is only discomfort, then attack via images or iframes with using my exploits is Denial of Service vulnerability. It belongs to type (http://websecurity.com.ua/2550/) blocking DoS and resources consumption DoS. These exploits are very dangerous - at their starting, if to not stop attack in time, they can lead to full consumption of computer's resources (potentially even to freezing of the system).
DoS:
http://websecurity.com.ua/uploads/2010/Firefox%20DoS%20Exploit.html
This exploit works in Mozilla Firefox (Firefox <= 3.0.19, Firefox < 3.5.9, Firefox < 3.6.2) and SeaMonkey < 2.0.4.
http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit.html
This exploit works in Mozilla Firefox (besides 3.0.x and previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome 1.0.154.48 and Opera 9.52. At that in Opera the exploit doesn't open email client, so DoS attack is going without blocking, only resources consumption (more slowly than in other browsers). And also this exploit must work in SeaMonkey, Internet Explorer 7 and other browsers.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
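
A defender-side check for the pattern the advisory describes (auto-loading iframes or images whose source is a mailto: URL), as an added example that is not part of the original thread. The element list, function names and sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Elements the browser loads without user interaction, and the attribute holding the URL.
AUTO_LOAD = {"iframe": "src", "frame": "src", "img": "src", "embed": "src", "object": "data"}
# Schemes that are handed to an external application (the mail client) instead of rendered.
EXTERNAL_SCHEMES = ("mailto:",)


def normalize(url):
    """Mimic browser URL cleanup: drop tab/CR/LF, trim whitespace, ignore case."""
    return "".join(c for c in url if c not in "\t\r\n").strip().lower()


class ExternalHandlerCounter(HTMLParser):
    """Collects auto-loading elements that point at an external-handler URL."""

    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, normalized url) pairs

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOAD.get(tag)  # HTMLParser already lowercases tag/attr names
        for name, value in attrs:
            # Attribute values arrive with character references already decoded.
            if attr and name == attr and value:
                url = normalize(value)
                if url.startswith(EXTERNAL_SCHEMES):
                    self.hits.append((tag, url))


def scan(html, threshold=1):
    """Return (flagged, hits). A user-clicked <a href="mailto:"> link is not counted."""
    parser = ExternalHandlerCounter()
    parser.feed(html)
    parser.close()
    return len(parser.hits) >= threshold, parser.hits


# Constructed sample pages (not taken from the advisory's exploit files).
SAMPLE_BENIGN = '<p><a href="mailto:info@example.test">Contact</a></p><img src="/logo.png">'
SAMPLE_SUSPICIOUS = (
    '<iframe src="mailto:a@example.test"></iframe>'
    '<IFRAME SRC=" MailTo:b@example.test"></IFRAME>'
    '<img src="mail&#116;o&#58;c@example.test">'
)

if __name__ == "__main__":
    print(scan(SAMPLE_BENIGN))
    print(scan(SAMPLE_SUSPICIOUS))
```

Static markup scanning does not see the redirect variant from MFSA 2010-23 (an image URL that redirects to mailto:) or iframes created by script; those cases need the same scheme check applied to the final navigation target, in a filtering proxy or in the browser itself.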