Hi Mustlive,
I'm not sure if there's a need to discuss or clarify this any further.
Please refer to my earlier posts, and for the sake of saving some of our
time & efforts, avoid drawing tangents about scripts and noscripts (I've
clarified both earlier) & weasel words (security vulnerability and nntp
exploit - irrelevent in this case).
JS or no-JS, this issue is nothing new, this behavior is well-defined and a
necessity and definitely not a URI (of any kind) exploit or a security
vulnerability.
Some last specifics (mostly reiterating what I said in my earlier posts) -
1. You can take this issue up with the content aggregators (CDN etc) and or
website programmers, this is not an issue to be addressed by the webbrowsers
because the solution of it remains imperfect in theory (one of my posts have
a 'workaround'...maybe a 'good to have' feature which WILL open up another
can of worms...).
2. Now the even vague non-scripted issue which you insist upon - If you are
trying to say that a 1000 lines of <iframe src='nntp:something'/> (which is
executed sequentially by any JVM as a fact) is an 'exploit' and 'security
vulnerability', isn't there a HUGE point missing?
NOTE: again, I'm not sure why you claim its an 'nntp' exploit. As I noted
earlier, its applicable to any uri handler and their behaviour is nothing
unexpected.
3. Your POC had used JS and is non-functional without scripting enabled. It
was taken offline since I last checked (my 2nd last post?), which should
have been your sample reference for this discussion (its appearing to shift
now).
Best Regards,
w
--------------------------------------------------
From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
Sent: Monday, May 31, 2010 9:33 PM
To: "Susan Bradley" <sbradcpa@xxxxxxxxxxx>
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
Opera
Hello Susan and other readers, who replied to my previous advisory.
Earlier I've already answered Vladimir, now I'd answer Susan and soon I'd
answer John. But now one important note to every reader of the list,
including John Smith. Which I already wrote about 1,5 week ago (after
posting of a first advisory about DoS in browsers) to one reader of
Full-disclosure who inattentively read that advisory (he missed message
about attacking without JS) and also to Mozilla (who became discussing
this
issue and only drew attention to attacking with JS vector). That, as I
wrote
in both advisories, this attack via iframes can also be conducted without
JavaScript. So even turning JS off will not help.
Due to advantages of JS exploit for these vulnerabilities over non-JS
exploit, I wrote JavaScript exploits for these advisories and I'd write
for
future advisories (but I'd be reminding about possibility of attacking
without JS). But soon I'll present one exploit also in "pure-iframe"
version
(without JS) for Internet Explorer and other applications - in case when
small amount of iframes lead to crash.
Thank you. Now if you could wait for patches before disclosing I'd be
even happier.
Susan, you are welcome.
I would be happy to wait for patches of browser vendors, but as already
told you in details, it's not possible due to behavior of browser vendors.
All they mostly ignore such holes, all they don't count DoS as
vulnerabilities, they called them "stability issues" and so don't attend
to
them seriously (and not fixing or fixing slowly). I don't respect such
statement as "stability issues" for DoS holes, and during 2008-2010 I
worked
hard to change vendors' mind on this issue, but they still ignore it.
Also, as I already told you, they never told if they fixed or not such
holes
(especially taking into account that they almost always ignore my letters
with such holes or, as Opera did few times, answering with "it's stability
issues" statement). So I have no possibility to know from them if they
fixed
it or not - and because they don't care about such issues (ignoring them
or
calling them stability issues), they never mentioned about them in vendors
advisories. Only one time Microsoft informed me about fixing DoS hole in
Outlook - even they called it stability issue they informed me after they
released a patch for it (which was serious approach, but not Microsoft for
IE, nor other vendors use such approach for DoS holes in browsers).
But take into account that I informed (at 26.05.2010) all four browser
vendors about many vulnerabilities, which I'll disclose in the future. So
they are informed for long time in advance :-). And so you have no need to
worry, because with every day they become more and more "informed long
time
ago" and have more and more days to fix these holes.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: "Susan Bradley" <sbradcpa@xxxxxxxxxxx>
To: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Friday, May 28, 2010 7:06 PM
Subject: Re: [Suspected Spam]DoS vulnerabilities in Firefox, Internet
Explorer, Chrome and Opera
Thank you. Now if you could wait for patches before disclosing I'd be
even happier.
MustLive wrote:
Hello Bugtraq!
I want to warn you about security vulnerability in different browsers.
-----------------------------
Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
Opera
-----------------------------
URL: http://websecurity.com.ua/4238/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Internet
Explorer
8, Google Chrome, Opera.
-----------------------------
Timeline:
26.05.2010 - found vulnerabilities.
26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
Susan Bradley must be happy :-).
27.05.2010 - disclosed at my site.
-----------------------------
Details:
After publication of previous vulnerabilities in different browsers, I
continued my researches and found many new vulnerabilities in browsers,
which I called by general name DoS via protocol handlers, to which
belonged
and previous DoS attack via mailto handler.
Now I'm informing about DoS in different browsers via protocols news and
nntp. These Denial of Service vulnerabilities belongs to type
(http://websecurity.com.ua/2550/) blocking DoS and resources consumption
DoS. These attacks can be conducted as with using JS, as without it (via
creating of page with large quantity of iframes).
DoS:
http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html
This exploit for news protocol works in Mozilla Firefox 3.0.19 (and
besides
previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
(6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
1.0.154.48 and Opera 9.52.
In all mentioned browsers occurs blocking and overloading of the system
from
starting of Opera, which appeared as news-client at my computer, and IE8
crashes (at computer without Opera). And in Opera the attack is going
without blocking, only resources consumption (more slowly then in other
browsers).
http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html
This exploit for nntp protocol works in Mozilla Firefox 3.0.19 (and
besides
previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
(6.0.2900.2180) and Opera 9.52.
In all mentioned browsers occurs blocking and overloading of the system
from
starting of Opera, which appeared as nntp-client at my computer. In IE8
the
attack didn't work - possibly because that at that computer there was no
nntp-client, Opera in particular. And in Opera the attack is going
without
blocking, only resources consumption (more slowly then in other
browsers).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
