Belated, but here are some recent bugs that you guys might find interesting: 1) DOM reference fuzzer, originally developed in 2008, crashed every browser on the market back then. This tool attempts to crawl the DOM object hierarchy from a particular starting point, collects object references discovered during the crawl by recursively calling methods and examining properties, and then reuses them in various ways after destroying the original object. In essence, the goal is to find use-after-free conditions across the browser codebase. Several of the bugs triggered by the fuzzer were rediscovered independently in the two years it took vendors to investigate; most notably, looks like the winning Pwn2own bug is a duplicate of this. The release of Microsoft MS10-035 and Apple APPLE-SA-2010-06-21-1 probably fixes the last of the known exploitable issues triggered by this tool. Likely not a great argument in favor of vendor-dependent disclosure. Additional info: http://lcamtuf.blogspot.com/2010/06/announcing-reffuzz-2yo-fuzzer.html Link to the fuzzer: http://lcamtuf.coredump.cx/ref_fuzz5.html 2) Safari SOP bypass (CVE-2010-0544) - a difference between KURL and CFNetwork URL parsing allows content fetched from different origins to be considered same-origin when a particular obscure loophole in RFC1630 used. The backstory on this vulnerability is probably interesting, but it does not feel appropriate to paste it here in its entirety. Additional info: http://lcamtuf.blogspot.com/2010/06/safari-tale-of-betrayal-and-revenge.html Link to PoC: http://lcamtuf.coredump.cx/sfbypass/ 3) Address bar spoofing in Firefox (CVE-2010-1206) - an usability-related exception causes the destination URL to be inserted in the address bar before the destination site is actually loaded; by calling window.stop() or navigating to HTTP 204, it is possible to keep this URL while rendering arbitrary attacker-controlled window contents: Additional info: http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html Firefox PoC: http://lcamtuf.coredump.cx/ffox_spoof.html Related behavior in Safari: http://lcamtuf.coredump.cx/safari_spoof.html 4) Some more fun with selective mid-keystroke focus redirection in WebKit-based browsers (CVE-2010-1422) - see http://seclists.org/fulldisclosure/2010/Mar/232 for original description of the vulnerability; as it turns out, the attack scenario - where a malicious top-level window selectively redirects keystrokes to a hidden frame - can also be trivially reversed. This allows a malicious gadget embedded on a trusted page (say, a social site or a search engine) to steal any text entered in the parent. Additional info: http://lcamtuf.blogspot.com/2010/06/curse-of-inverse-strokejacking.html Link to PoC: http://lcamtuf.coredump.cx/webkit-focus/toplevel2.html /mz
