Bugtraq mailing list archives
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
From: Susan Bradley <sbradcpa () pacbell net>
Date: Wed, 19 May 2010 16:58:43 -0700
Let's take one for example. Did you email secure () microsoft com? I have before and 100% of the time they respond.
Patches take time. They do not occur overnight. Furthermore it may take a day for the vendor to respond to you. This isn't about past issues, this is about this issue. A single day did not pass between when you emailed these vendors and when you posted here. Have you considered giving these vendors time to respond? I do not find that 99% of them don't, rather I find that they do. Should you have issues, would you consider emailing me first so I can introduce you to contacts?
MustLive wrote:
Hello Susan!

> Granted I can denial of service a browser just by loading up a horrible add in or just using a browser

DoS of the browser is already bad thing. And there are many risks for users from DoS holes in browsers, which I wrote about in 2008 in my articles Dangers of DoS attacks on browsers and Dangers of resources consumption DoS attacks. But mostly browser developers ignore to fix these issues.

But in this case it's not only attack on browsers, but on the whole user's computer - because it's blocking of whole computer and full resource consumption. Which is working in many browsers, including their last versions. So browser developers with their neglect to this problem make possible attacks on the whole users' systems. It was one of leitmotifs of my advisory.

> can I respectfully ask that you give vendors time to respond before posting?

This informing of vendors was an exclusion. During 2007-2009 I informed many browser developers about many vulnerabilities (as DoS, as others) and gave them a lot of time for fixing in many of that cases. But they almost always ignore to fix the holes (especially DoS holes, which were only fixed few times by Google and one time by Microsoft, and not in IE, but in Outlook, and 99% of cases were completely ignored). Taking that into account last year I decided from 2010 never inform browser vendors about DoS holes in their browsers. And this time it was an exclusion (just one). In any case due to full disclosure the Internet community will be knowing about the vulnerabilities in browsers which I found and will be knowing the real state of security of browsers. It was another leitmotif of my advisory.

So this time I informed browser developers and users about these issues. And did I receive any thanks from Susan (especially taking into account that I did inform vendors) or any other user of browsers for this info? No :-). Did browser vendors answer me? No :-) (at first day) - which is normal for such cases, based on my experience. Only on second day Opera and Mozilla answered me and begun investigation of these cases (which is rare case when they responded on DoS hole, based on my experience), but not other vendors.

> These vendors do not ignore security issues and do respond

As I already said, in 99% they do ignore and don't respond (and sometimes were such cases as responded but not fixed, and such case as not responded and not thanked me, but fixed). So taking into account my personal experience with finding vulnerabilities in browsers and informing vendors, I'm not informing them about DoS vulnerabilities in their browsers from this year (except this one case).

From more than 5 years of my work here is TOP of different group of people, based on answering and fixing of vulnerabilities which I informed them about (the higher, the better):

1. Developers of Internet related software (such as web servers, ad blockers, etc.).
2. Developers of web applications.
3. Admins of web sites.
4. Developers of the browsers.

Which must give you a ground for thoughts.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Susan Bradley" <sbradcpa () pacbell net>
To: "MustLive" <mustlive () websecurity com ua>; <bugtraq () securityfocus com>
Sent: Tuesday, May 18, 2010 8:38 PM
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

> 16.05.2010 - found vulnerability.
> 17.05.2010 - disclosed at my site.
> 18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.

Found on the 16th
Blogged on the 17th
Told vendors on the 18th
Posted here on the 18th

Granted I can denial of service a browser just by loading up a horrible add in or just using a browser, but as a customer of each of these vendors, can I respectfully ask that you give vendors time to respond before posting?

These vendors do not ignore security issues and do respond (unlike some of the web sites with the captcha issues) So why haven't you given them that opportunity?

MustLive wrote:

Hello Bugtraq!

I want to warn you about security vulnerability in different browsers.

-----------------------------
Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
-----------------------------
URL: http://websecurity.com.ua/4206/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer 8, Google Chrome, Opera and other browsers.
-----------------------------
Timeline:

16.05.2010 - found vulnerability.
17.05.2010 - disclosed at my site.
18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
-----------------------------
Details:

At 30.02.2010 Mozilla fixed vulnerability (small one, which poses no security risk, as they said), found by Henry Sudhof - Mozilla Foundation Security Advisory 2010-23 (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html) (Image src redirect to mailto: URL opens email editor). Which allow to open email client at user's computer via redirector, which redirecting to mailto: URL.

But this vulnerability was fixed only in Firefox 3.5.9, Firefox 3.6.2 and SeaMonkey 2.0.4, but not in Firefox 3.0.x.

After I recently read this advisory, I decided to check different browsers. And as I checked at 16.05.2010, to this vulnerability are vulnerable web browsers Firefox 3.0.19 and Opera 9.52. And I created exploit for conducting of DoS attack on Firefox.

Also I found possibility to open email client via iframe with mailto: URL. Which works in browsers Firefox 3.0.19, IE6, IE8 and Chrome. And I created exploit for conducting of attack on all browsers, which I called DoS via email. This attack can be conducted as with using JS, as without it (via creating of page with large quantity of iframes).

If attack via images at a page (which open email client) is only discomfort, then attack via images or iframes with using my exploits is Denial of Service vulnerability. It belongs to type (http://websecurity.com.ua/2550/) blocking DoS and resources consumption DoS. These exploits are very dangerous - at their starting, if to not stop attack in time, they can lead to full consumption of computer's resources (potentially even to freezing of the system).

DoS:

http://websecurity.com.ua/uploads/2010/Firefox%20DoS%20Exploit.html

This exploit works in Mozilla Firefox (Firefox <= 3.0.19, Firefox < 3.5.9, Firefox < 3.6.2) and SeaMonkey < 2.0.4.

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit.html

This exploit works in Mozilla Firefox (besides 3.0.x and previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome 1.0.154.48 and Opera 9.52. At that in Opera the exploit don't open email client, so DoS attack is going without blocking, only resources consumption (more slowly than in other browsers). And also this exploit must work in SeaMonkey, Internet Explorer 7 and other browsers.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
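
Editor's added example, not part of the thread or of the advisory: the quoted advisory turns on image and iframe sources that resolve to a mailto: URL, so a content filter or crawler can flag any auto-loading element whose source uses that scheme while leaving ordinary mailto: links alone. The names `AUTO_LOAD`, `url_scheme`, `MailtoEmbedScanner` and `scan` and the sample page are constructed for illustration; a static scan like this does not see the redirect variant covered by MFSA 2010-23 or frames created by script.

```python
from html.parser import HTMLParser

# Elements whose URL attribute is fetched on page load, without a click.
AUTO_LOAD = {"iframe": "src", "frame": "src", "img": "src",
             "embed": "src", "object": "data"}
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def url_scheme(value):
    """Scheme as a browser would parse it: trim C0/space, drop tab/CR/LF."""
    cleaned = value.strip(C0_AND_SPACE)
    for ch in "\t\r\n":
        cleaned = cleaned.replace(ch, "")
    head, sep, _ = cleaned.partition(":")
    return head.lower() if sep else ""

class MailtoEmbedScanner(HTMLParser):
    """Records auto-loading elements whose source is a mailto: URL."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []  # (tag, line number)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names and decodes character references
        # in attribute values before this method is called.
        wanted = AUTO_LOAD.get(tag)
        for name, value in attrs:
            if name == wanted and value and url_scheme(value) == "mailto":
                self.hits.append((tag, self.getpos()[0]))

def scan(html):
    """Return (tag, line) for every auto-loading mailto: source in html."""
    scanner = MailtoEmbedScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample page; addresses use the reserved .invalid TLD.
SAMPLE = """<html><body>
<a href="mailto:help@example.invalid">Contact us</a>
<img src="/logo.png">
<iframe src="mailto:a@example.invalid"></iframe>
<IFRAME SRC=" MailTo&#58;b@example.invalid"></IFRAME>
<img src="mail&#9;to:c@example.invalid">
</body></html>"""

if __name__ == "__main__":
    for tag, line in scan(SAMPLE):
        print(f"line {line}: <{tag}> auto-loads a mailto: URL")
```

Any hit is worth flagging, since a legitimate page has no reason to load a mailto: URL as an image or frame source.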