Bugtraq mailing list archives

Re: Nokia N95-8 browser denial of service


From: "MustLive" <mustlive () websecurity com ua>
Date: Sun, 1 Mar 2009 01:23:08 +0200

Hello Thierry!

About your message concerning the crash in Firefox 3.0.6 (http://securityvulns.ru/Vdocument307.html), which has a DoS vulnerability similar to the one in the Nokia N95-8 browser.

Some time ago I read your message and also checked Firefox 3.0.6 and confirmed the crash in it. Here is what I can tell you about this hole.

In the beginning of September 2008 I already wrote about such a DoS vulnerability in Mozilla Firefox (http://websecurity.com.ua/2421/), which leads to the browser taking 100% of CPU resources and freezing after the exploit is run.

The attack was based on using nested marquee tags (this hole was already found in Firefox 1.0 and 1.5). Mozilla Firefox 3.0.1 and previous versions were vulnerable. This vulnerability was the first publicly disclosed DoS in Firefox 3. My exploit doesn't use JavaScript (as Juan's exploit does); it uses only HTML. For attacking purposes it's better to use a plain HTML exploit, which allows bypassing such protections as turning off JavaScript or using addons like NoScript.

I informed Mozilla about this hole (by email) and published it at Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=454434). But Mozilla completely ignored it (as with all the other vulnerabilities which I informed them about in 2007, 2008 and 2009). For example, the last hole in Firefox 3 which I disclosed on 13.02.2009 (and informed Mozilla about) was the Charset Inheritance vulnerability in Mozilla Firefox 3 (http://websecurity.com.ua/2879/), and they still haven't answered me about it. By comparison, when I informed Google about the Charset Inheritance vulnerability in Google Chrome (http://websecurity.com.ua/2844/), they quickly answered me that they had decided not to fix it (but at least they did not ignore the letter, unlike Mozilla).

In September 2009 a DoS vulnerability in SeaMonkey was found (http://websecurity.com.ua/2820/), which uses the same attack (the marquee vulnerability which was ignored by Mozilla). But unlike FF, SeaMonkey crashes; this is already another type of DoS vulnerability in browsers (http://websecurity.com.ua/2550/). And in February you found that the latest version of Firefox also crashes.

So Mozilla not only didn't fix the vulnerability which I found in Firefox 3.0.1 (and which was already known in FF1), but even strengthened it in the latest versions of the browser. They altered it from a resource-consumption DoS to a crashing DoS. This situation is similar to the Charset Inheritance vulnerability in Mozilla Firefox 3, which wasn't in Firefox 3.0.1 and previous versions (after the fix in 2007), but which Mozilla "added" to Firefox from version 3.0.2.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
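The message above describes the trigger only as deeply nested marquee tags in plain HTML, with no JavaScript needed. The following is an added example, not part of MustLive's message or his exploit: a small content check that measures the deepest marquee nesting in an HTML document so that a proxy, mail gateway or HTML sanitizer can flag pages built from that pattern before a browser renders them. The depth limit and the sample documents are assumptions constructed for illustration.

```javascript
// Added example (not MustLive's code): detect deeply nested <marquee>
// elements, the plain-HTML pattern the post describes as the DoS trigger.

// Assumed policy value; real pages rarely nest marquees at all.
const MARQUEE_DEPTH_LIMIT = 8;

/**
 * Return the maximum nesting depth of <marquee> elements in `html`.
 * A simple tag scanner is used: HTML comments are skipped so tag text
 * inside them is not counted, tag names are matched case-insensitively,
 * and self-closing forms such as <marquee/> do not open a level.
 */
function maxMarqueeDepth(html) {
  const tagRe = /<!--[\s\S]*?-->|<(\/?)\s*([a-zA-Z][\w:-]*)[^>]*?(\/?)>/g;
  let depth = 0;
  let max = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[0].startsWith('<!--')) continue; // comment branch matched
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    const selfClosing = m[3] === '/';
    if (name !== 'marquee') continue;
    if (closing) {
      if (depth > 0) depth--;              // ignore stray closing tags
    } else if (!selfClosing) {
      depth++;
      if (depth > max) max = depth;
    }
  }
  return max;
}

/** True when the document nests marquees deeper than the policy allows. */
function exceedsMarqueeLimit(html, limit = MARQUEE_DEPTH_LIMIT) {
  return maxMarqueeDepth(html) > limit;
}

// Constructed sample documents (not from the post or from any real site).
function nestedMarquees(n) {
  return '<marquee>'.repeat(n) + 'x' + '</marquee>'.repeat(n);
}
const benignPage = '<html><body><marquee>hello</marquee><p>text</p></body></html>';
const hostilePage = '<html><body>' + nestedMarquees(200) + '</body></html>';

console.log('benign depth :', maxMarqueeDepth(benignPage), 'flagged:', exceedsMarqueeLimit(benignPage));
console.log('hostile depth:', maxMarqueeDepth(hostilePage), 'flagged:', exceedsMarqueeLimit(hostilePage));
```

The scanner is deliberately lenient (it does not reject malformed markup) because the goal is to estimate how a browser's parser would nest the elements, not to validate the document; a page that leaves the marquees unclosed still counts every opening tag.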
