Full Disclosure mailing list archives

Re: DoS vulnerabilities in Firefox, Internet Explorer and Opera


From: "MustLive" <mustlive () websecurity com ua>
Date: Thu, 3 May 2012 19:16:37 +0300

Hello Valdis!

> Anybody want to guess how many cores are on his test box? :)

It's too simple a puzzle :-). The most interesting thing in these results is
the crashes and freezes.

Of course I know about this dependence of CPU consumption on the number of
CPU cores (since just after I first upgraded from a 1-core to a 2-core CPU in
March 2009). During this testing I checked this exploit (in Firefox) on
one notebook - the only computer with a single-core CPU at my home - and
the result was 88% CPU consumption.

I decided not to mention these differences, because they are not so
interesting compared to crashes and freezes, and people should be aware
of this dependence. Nowadays multicore CPUs are very widespread, so
these results will be close to those on common modern computers - there will
be more resource consumption and more risk for single-core CPU computers,
such as older PCs and various modern gadgets.

Note, guys, that this type of exploit for browsers, which consumes only 50%
CPU on a multicore CPU, is widespread, but I have published a lot of exploits
which consume more resources on multicore CPU computers. In particular,
exploits from the series of multiple DoS exploits for different browsers, which
I published in 2010. I've just tested a few of them, and they consumed up to
76% CPU on my new PC (which I assembled in March), and on my old PC with
a two-core CPU they consumed even more resources.

> Depends how many browsers instances he launched to make the DoS more
> effective : o )

Boddin, I always test exploits with one browser instance at a time.
With crashes and freezes of the browsers, the effectiveness of the DoS is
sufficient enough ;-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: <Valdis.Kletnieks () vt edu>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <submissions () packetstormsecurity org>;
<full-disclosure () lists grok org uk>
Sent: Monday, April 30, 2012 4:37 PM
Subject: Re: [Full-disclosure] DoS vulnerabilities in Firefox, Internet
Explorer and Opera

On Mon, 30 Apr 2012 15:37:08 +0300, "MustLive" said:

> * Mozilla Firefox 3.0.19 consumes resources (50% CPU and a lot of RAM) and
> crashes.
> * Mozilla Firefox 3.5.11 consumes resources (50% CPU and a lot of RAM) and
> crashes.
> * Mozilla Firefox 3.6.8 consumes resources (50% CPU and a lot of RAM) and
> crashes.
> * Mozilla Firefox 4.0 beta 2 freezes and consumes resources (50% CPU and a
> lot of RAM).
> * Mozilla Firefox 11.0 freezes and consumes resources (50% CPU and a lot
> of RAM).
> * Internet Explorer 6 freezes and consumes resources (50% CPU and a lot of
> RAM).
> * Internet Explorer 7 freezes and consumes resources (50% CPU and a lot of
> RAM).
> * Internet Explorer 8 only consumes resources (50% CPU and a lot of RAM).
> I.e. in IE8 the problem was partly fixed by Microsoft.
> * Opera 10.62 freezes and consumes resources (50% CPU and a lot of RAM).

Anybody want to guess how many cores are on his test box? :)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
