ZDI-11-041: (0day) Multiple Browser Node Processing Stack Overflow Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-911 April 1, 2011 -- CVE ID: CVE-C000-00FD -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: Microsoft Google Mikul Apple ISC -- Affected Products: Microsoft Internet Explorer Google Chrome Mikul Links Apple Safari ISC Lynx -- Vulnerability Details: Multiple vulnerabilities allow remote attackers to remotely terminate mission critical web applications on vulnerable installations of Apple Safari, Microsoft Internet Explorer, Google Chrome, Mikul Links, and ISC Lynx. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaws exists within the handling of node attributes, specifically nodes with large quantities of attributes or large values within such nodes. When handling these objects, several functions are called recursively for each value provided defined within. The functions use a shared memory region referred to internally as the stack. The size of the stack is not properly verified during processing which can result in the consumption of all the its available address space. This process is extremely exhausting for the application and it cannot continue functioning. A remote attacker can exploit this vulnerability to terminate web applications under the context of the Internet. -- Vendor Response: Vendors claimed to be unable to respond due to unexpected browser termination upon accessing web form. -- Disclosure Timeline: 2011-04-01 - Vulnerability reported to vendor 2011-04-01 - Public release of advisory -- Credit: This vulnerability was discovered by: * Spencer Pratt -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi