Re[3]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
ent versions of exploit, one of which bypassed Chrome's protection. So the first workaround is the more reliable one.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: "John Smith"
To: "Vladimir '3APA3A' Dubrovin" <3ap...@security.nnov.ru>
Cc: "MustLive" ; "Susan Bradley" ;
Sent: Friday, May 28, 2010 10:55 PM
Subject: Re: Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Re: Re[4]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Hi Vladimir,

Thanks for your views. I was carried away because the author used scripts (in a global script tag) in the PoC of the issue in question, which made unconditional recursion possible. Without scripts enabled, if an iframe's src property is set to itself(?), it is parsed up to 1 level (i.e. not recursed). Hence it doesn't affect or DoS the latest browsers (the best I can say...).

A few other points:
1. If a links/ads or any other content-syndication provider allows unverified JavaScript to be served, DoS would be the least of the concerns (read: it's the breeding ground of XSS exploits).
2. I more than agree that an issue is to be classified as a security vulnerability if a combination of tags/properties/scripts causes or is capable of causing malice in any form while conforming to the standards (which isn't the case here).
3. Just to reiterate my earlier post, DoS is more of an annoyance than malice. The issue noted in this context is a DoS by a form of unconditional recursion (or infinite loop) to create an 'out of memory' or stack overflow sort of situation (though modern URI handlers handle it gracefully), but it requires a task kill operation on the script engine's host (the browser in this context).

Sadly, there are too many known unknowns to #2 above, which involves the support of non-standard techniques like the Anti-Phishing Working Group/SmartScreen filter etc., which doesn't attempt to be, or can't be, absolutely 100% fool-proof...

Best Regards,
w

PS: Let's put IE6 out of context. I'm not sure why it is still brought up or why it's still used, because it's a browser from the times when the first ancestor of Firefox (Phoenix) didn't exist. Yes, it's that ancient! :)

--
From: "Vladimir '3APA3A' Dubrovin" <3ap...@security.nnov.ru>
Sent: Saturday, May 29, 2010 2:05 AM
To: "John Smith"
Cc: "MustLive" ; "Susan Bradley" ;
Subject: Re[4]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Re[4]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Dear John Smith,

In the general case we are discussing, DoS may be caused by e.g. some combination of allowed tags/properties or by a malformed image. As was pointed out by the author, this attack may be performed with scripting disabled (with [iframe src=]). That's why the e-mail vector may be significant.

--Friday, May 28, 2010, 11:55:28 PM, you wrote to 3ap...@security.nnov.ru:

--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
The machine turned out to be capable of only one operation, namely multiplying 2x2, and even that with errors. (Lem)
Re: Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Point taken. But that'd be a non-issue on the browser's end as much as the site's that is allowing the rogue scripts (or malformed ads, as per your example).

The fork of this mail thread clearly explains what I'm talking about. The issue noted there is a simple DoS attack which every programming language and platform is vulnerable to. It's called the "infinite loop". It is not a 'security vulnerability' by itself and is completely agnostic of the URI handler (try http or anything instead of nntp).

Here's the simplified JS version of it (let's call it the Universal DoS -- yes, it'd work for every browser on the planet that can execute JS) -

while(1)alert('hello world');

Done!

Workaround:
None very intuitive. Maybe allow the user to terminate the script at every iteration? specific time period? etc...

--
From: "Vladimir '3APA3A' Dubrovin" <3ap...@security.nnov.ru>
Sent: Friday, May 28, 2010 11:47 PM
To: "John Smith"
Cc: "MustLive" ; "Susan Bradley" ;
Subject: Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Dear John Smith,

Actually, browser DoS may be a quite serious vulnerability, depending on the nature of the DoS. Think about e.g. a banner or content exchange network, social networks, web boards, etc., where a browser vulnerability may be used against a site or page because it will harm any visitor of this site or page.

In case of this very vulnerability, the most serious impact may be from the e-mail vector.

--Friday, May 28, 2010, 7:07:50 PM, you wrote to mustl...@websecurity.com.ua:

--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Firing a second time, he crippled a bystander. The bystander was me. (Twain)
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Just a few cents - DoS in web browsers doesn't fall under the category of "vulnerabilities", rather more of "annoyances". Although I don't deny the fact that certain DoS attacks *may lead* or *may serve as hints* to other, more serious exploits, that's a different topic and, with ASLR in the scene, a very grey area of discussion.

Case in point: XSS can be of various kinds and most of them (I'm talking of about 99.99%) can be attributed to the design of the web technologies/protocol specifications (HTTP, AJAX, etc. etc. ... you name it) and the browsers can only do that much. Hence it's not feasible for a web browser to 'prevent' them without tampering with the protocol or annoying you with continuous messages about what it is doing (assuming all users have as much knowledge of how the web works as the people on this list). So unless you pinpoint the exact flaw (XSS or DoS), it's very hard to assume whether the browser in question actually needs a fix for it.

Best Regards,
w

--
From: "MustLive"
Sent: Friday, May 28, 2010 2:23 AM
To: "Susan Bradley"
Cc:
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Hello Susan!

As I already wrote to you and Adam earlier, every type of disclosure (including full disclosure and responsible full disclosure) can be good in the appropriate situation. And I use the type of disclosure which is suitable for each particular case. Taking into account that 3 of 4 vendors answered me (all except Microsoft), Google already had a non-affected Chrome 4, and Mozilla and Opera promised to fix it (we'll see when and how they do it), you can see that my approach works. And responsible full disclosure can force browser vendors to attend more to the security of their software.

Soon I'll write to security mailing lists about new vulnerabilities in different browsers. And you need not worry about that - in those advisories I'll use a slightly different approach to informing browser vendors. You will like it ;-).

> Let's take one for example. Did you email sec...@microsoft.com? I have before and 100% of the time they respond.

Yes, I did. I emailed Microsoft, like the other browser vendors. I knew their emails, because I wrote to all of these four vendors many times during 2007-2010, and all of them answered many times (some more, some less). But as I already wrote, in 99% of cases they ignored fixing DoS holes (even if they answered and said that they agreed it was a DoS and they'd think about fixing it).

For example, Microsoft one time even answered me twice (with thanks), when I informed them about an XSS in IE6. But they didn't fix this vulnerability. It was Saved XSS (a type of XSS I created after I found this hole in IE), which was already posted to Bugtraq in 2007. And in 2008 I informed Microsoft (and posted to Bugtraq) about this vulnerability in IE7 - but MS ignored it. And in 2009 MS released IE8, where this hole was fixed (as I checked), without mentioning this fact and without thanking me (just silently). Similar to Mozilla's approach with one XSS in Firefox (which I informed them about), which I already mentioned on Bugtraq at the beginning of 2009.

But about DoS holes they didn't answer 99% of the time. And Microsoft never fixed the DoS holes in IE which I informed them about, but did fix a DoS hole in Outlook. And they answered me twice: one time with thanks and later when they fixed it (MS was the only vendor who informed me that it had fixed a DoS hole in their software, from all of those few cases when browser vendors fixed DoS holes). So as is clear, browser vendors only answer when they want to.

> Patches take time. They do not occur overnight. Furthermore it may take a day for the vendor to respond to you.

As I mentioned, 3 of 4 developers answered me (but it's not common for cases with DoS holes). But MS didn't answer me for more than 1.5 weeks. From which you can see their attitude to such issues. And the example of Google, whose Chrome 4 was invulnerable to this hole (only Chrome 1.x was affected), shows their attitude to such issues - that they are working to fix holes (including those which were in older versions of their browser) even before they are found and disclosed by researchers.

> Should you have issues, would you consider emailing me first so I can introduce you to contacts?

Thanks, I don't need help with informing browser vendors. They without doubt received all my letters in 2007-2010 and will receive all future letters. But as I said, I'll no longer be informing them about DoS holes. I made this decision in August 2009 and it's a final decision.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: "Susan Bradley"
To: "MustLive"
Cc:
Sent: Thursday, May 20, 2010 2:58 AM
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Let's take one for example. Did you email sec...@microsoft.com? I have before and 100% of the time they respond.

Patches take time. They do not occur overnight. Furthermore it may take a day for the vendor to respond to you. This isn't about past issues, this is about this issue. A single day did not pass between when you emailed these vendors and when you posted here. Have you considered giving these vendors time to respond? I do not find that 99% of them don't, rather I find that they do.

Should you have issues, would you consider emailing me first so I can introduce you to contacts?
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Hello Susan!

> Granted I can denial of service a browser just by loading up a horrible add-in or just using a browser

DoS of the browser is already a bad thing. And there are many risks for users from DoS holes in browsers, which I wrote about in 2008 in my articles Dangers of DoS attacks on browsers and Dangers of resource consumption DoS attacks. But mostly browser developers ignore fixing these issues. But in this case it's not only an attack on browsers, but on the whole user's computer - because it's blocking of the whole computer and full resource consumption. Which works in many browsers, including their latest versions. So browser developers, with their neglect of this problem, make attacks on users' whole systems possible. It was one of the leitmotifs of my advisory.

> can I respectfully ask that you give vendors time to respond before posting?

This informing of vendors was an exception. During 2007-2009 I informed many browser developers about many vulnerabilities (DoS as well as others) and gave them a lot of time for fixing in many of those cases. But they almost always ignore fixing the holes (especially DoS holes, which were only fixed a few times by Google and one time by Microsoft, and not in IE, but in Outlook, and 99% of cases were completely ignored). Taking that into account, last year I decided that from 2010 I would never inform browser vendors about DoS holes in their browsers. And this time it was an exception (just one).

In any case, due to full disclosure the Internet community will know about the vulnerabilities in browsers which I found and will know the real state of security of browsers. It was another leitmotif of my advisory. So this time I informed browser developers and users about these issues. And did I receive any thanks from Susan (especially taking into account that I did inform vendors) or any other user of browsers for this info? No :-). Did browser vendors answer me? No :-) (on the first day) - which is normal for such cases, based on my experience. Only on the second day did Opera and Mozilla answer me and begin investigation of these cases (which is a rare case when they responded on a DoS hole, based on my experience), but not the other vendors.

> These vendors do not ignore security issues and do respond

As I already said, in 99% they do ignore and don't respond (and sometimes there were such cases as responded but not fixed, and such a case as not responded and not thanked me, but fixed). So taking into account my personal experience with finding vulnerabilities in browsers and informing vendors, I'm not informing them about DoS vulnerabilities in their browsers from this year (except this one case).

From more than 5 years of my work, here is a TOP of different groups of people, based on answering and fixing of vulnerabilities which I informed them about (the higher, the better):
1. Developers of Internet related software (such as web servers, ad blockers, etc.).
2. Developers of web applications.
3. Admins of web sites.
4. Developers of the browsers.

Which must give you ground for thought.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

- Original Message -
From: "Susan Bradley"
To: "MustLive" ;
Sent: Tuesday, May 18, 2010 8:38 PM
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
> 16.05.2010 - found vulnerability.
> 17.05.2010 - disclosed at my site.
> 18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.

Found on the 16th
Blogged on the 17th
Told vendors on the 18th
Posted here on the 18th

Granted, I can denial-of-service a browser just by loading up a horrible add-in or just using a browser, but as a customer of each of these vendors, can I respectfully ask that you give vendors time to respond before posting? These vendors do not ignore security issues and do respond (unlike some of the web sites with the captcha issues). So why haven't you given them that opportunity?

MustLive wrote:
> Hello Bugtraq!
> I want to warn you about a security vulnerability in different browsers.
> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
> URL: http://websecurity.com.ua/4206/
DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Hello Bugtraq!

I want to warn you about a security vulnerability in different browsers.

-------------
Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
-------------

- URL: http://websecurity.com.ua/4206/

- Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer 8, Google Chrome, Opera and other browsers.

- Timeline:
16.05.2010 - found vulnerability.
17.05.2010 - disclosed at my site.
18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.

- Details:

At 30.02.2010 Mozilla fixed a vulnerability (a small one, which poses no security risk, as they said), found by Henry Sudhof - Mozilla Foundation Security Advisory 2010-23 (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html) (Image src redirect to mailto: URL opens email editor). It allows opening the email client on the user's computer via a redirector which redirects to a mailto: URL. But this vulnerability was fixed only in Firefox 3.5.9, Firefox 3.6.2 and SeaMonkey 2.0.4, not in Firefox 3.0.x.

After I recently read this advisory, I decided to check different browsers. As I checked on 16.05.2010, the web browsers Firefox 3.0.19 and Opera 9.52 are vulnerable to this vulnerability. And I created an exploit for conducting a DoS attack on Firefox.

I also found the possibility of opening the email client via an iframe with a mailto: URL, which works in the browsers Firefox 3.0.19, IE6, IE8 and Chrome. And I created an exploit for conducting an attack on all browsers, which I called "DoS via email". This attack can be conducted both with JS and without it (via creating a page with a large quantity of iframes).

If an attack via images on a page (which opens the email client) is only a discomfort, then an attack via images or iframes using my exploits is a Denial of Service vulnerability. It belongs to the types (http://websecurity.com.ua/2550/) blocking DoS and resource consumption DoS. These exploits are very dangerous - once started, if the attack is not stopped in time, they can lead to full consumption of the computer's resources (potentially even to freezing of the system).

DoS:

http://websecurity.com.ua/uploads/2010/Firefox%20DoS%20Exploit.html

This exploit works in Mozilla Firefox (Firefox <= 3.0.19, Firefox < 3.5.9, Firefox < 3.6.2) and SeaMonkey < 2.0.4.

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit.html

This exploit works in Mozilla Firefox (besides 3.0.x and previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome 1.0.154.48 and Opera 9.52. In Opera the exploit doesn't open the email client, so the DoS attack proceeds without blocking, only resource consumption (more slowly than in other browsers). This exploit must also work in SeaMonkey, Internet Explorer 7 and other browsers.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
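Added example (not part of the advisory above, and not taken from the exploit pages it links): the thread's other branch points out that the realistic impact of this vector is on sites that display third-party content (ad networks, web boards, social networks), so the check a site operator can actually deploy is on the markup it accepts. The Node.js code below scans user-supplied HTML for <iframe>/<frame>/<img>/<embed>/<object> tags whose source resolves to a mailto: URL, also flags a page that embeds an unusually large number of iframes (the no-JS variant the advisory describes), and strips the offending tags. The scheme list, the iframe threshold and the sample ad markup are assumptions constructed for the example; the entity decoding and whitespace stripping mirror what browsers do to a URL before parsing it, which is why a naive `src.startsWith("mailto:")` check is not enough.

```javascript
// Added example: site-side check for the "DoS via email" vector
// (iframe/img src pointing at mailto:). Not the advisory's exploit code.
// Regex-based tag scanning keeps it stand-alone; in production put the
// same rules behind a real HTML parser/sanitizer.

const BLOCKED_SCHEMES = new Set(["mailto"]); // assumption: extend with other external-handler schemes as policy requires
const MAX_IFRAMES = 20;                       // assumption: per-page policy threshold for the no-JS variant

// Minimal entity decoder: numeric (&#109; &#x6d;) plus the few named entities that matter for URLs.
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", colon: ":", Tab: "\t", NewLine: "\n" };
function decodeEntities(s) {
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, _all, hex, dec, name) => {
    if (hex || dec) {
      const cp = parseInt(hex || dec, hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : m;
  });
}

// Scheme as the browser's URL parser would see it: entities decoded, leading/trailing
// C0 controls and spaces stripped, tabs and newlines removed anywhere. null = relative URL.
function urlScheme(rawSrc) {
  const url = decodeEntities(rawSrc)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Embedding tags, with an optional immediately following close tag so removal is clean.
const EMBED_TAG = /<(iframe|frame|img|embed|object)\b([^>]*)>(?:\s*<\/\1\s*>)?/gi;
// src= or data= attribute (object uses data=); double-, single- or un-quoted.
const SRC_ATTR = /(?:^|\s)(?:src|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function sourceOf(attrs) {
  const a = SRC_ATTR.exec(attrs);
  return a ? (a[1] ?? a[2] ?? a[3]) : "";
}

// Report every embed whose scheme is blocked, and the iframe count for the page.
function checkEmbeds(html) {
  const findings = [];
  let iframes = 0;
  for (const m of html.matchAll(EMBED_TAG)) {
    const tag = m[1].toLowerCase();
    if (tag === "iframe" || tag === "frame") iframes++;
    const src = sourceOf(m[2]);
    const scheme = urlScheme(src);
    if (scheme && BLOCKED_SCHEMES.has(scheme)) findings.push({ tag, src, scheme, offset: m.index });
  }
  return { findings, iframes, ok: findings.length === 0 && iframes <= MAX_IFRAMES };
}

// Remove the offending tags; everything else is left untouched.
function sanitizeEmbeds(html) {
  const report = checkEmbeds(html);
  const out = html.replace(EMBED_TAG, (whole, _tag, attrs) => {
    const scheme = urlScheme(sourceOf(attrs));
    return scheme && BLOCKED_SCHEMES.has(scheme) ? "<!-- embed removed: blocked scheme -->" : whole;
  });
  return { html: out, report };
}

// Constructed sample: one benign banner, one benign partner iframe, and two mailto: embeds,
// the second hidden behind an entity-encoded first letter and a leading space.
const SAMPLE_AD_HTML = [
  '<div class="ad"><img src="https://cdn.example.invalid/banner.png" alt="ad"></div>',
  '<iframe src="mailto:victim@example.invalid?subject=x" width="0" height="0"></iframe>',
  '<IMG SRC=" &#109;ailto:victim@example.invalid">',
  '<iframe src="https://partner.example.invalid/embed"></iframe>',
].join("\n");

console.log(JSON.stringify(checkEmbeds(SAMPLE_AD_HTML), null, 2));
console.log(sanitizeEmbeds(SAMPLE_AD_HTML).html);
```

Caveat a reviewer should keep in mind: this catches only what is visible in the markup. The variant fixed in MFSA 2010-23 (an image whose http(s) URL is served by a redirector that answers with a mailto: Location) cannot be detected by scanning the page, because the target is only known when the browser follows the redirect; a content network that wants to close that hole has to fetch and check redirect chains itself or restrict image sources to hosts it controls.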