Full Disclosure mailing list archives
Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Sun, 25 Feb 2007 23:40:53 +0100 (CET)
On Sun, 25 Feb 2007, Stan Bubrouski wrote:
http://lcamtuf.coredump.cx/ietrap/testme.htmlThis bug was fixed in 2.0.0.2, released Friday Feb 23.No it most certainly wasn't, do your homework next time.
Actually, the story is kinda funny, but yeah, it seems that it's fixed now. The story: I reported the problem a day before 2.0.0.2 was to be released. Mozilla dev team looked into this, but - if I understand correctly - decided to go on with 2.0.0.2 as planned, without a fix for this vuln, then follow up with a quick release of 2.0.0.3 to address the problem. This seemed like a sane decision - 2.0.0.2 had been postponed previously, so there seemed to be no point in holding back. When 2.0.0.2 went live, some devs noticed that it doesn't crash with my testcase, though it still crashes trunk builds. After a brief moment of confusion, they determined that a fix for an unrelated, obscure non-security bug 364692 had altered the behavior this vulnerability depended on, accidentally rendering 2.0.0.2 not vulnerable to the attack. This was then fixed on trunk, and voila. I can't really comment on whether this fixes the problem once and for all, because I haven't really examined the changes implemented for 364692, but yeah, my example no longer crashes the browser for me. /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Michal Zalewski (Feb 22)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Daniel Veditz (Feb 25)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Stan Bubrouski (Feb 25)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Ismail Dönmez (Feb 25)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Stan Bubrouski (Feb 25)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Ismail Dönmez (Feb 25)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Stan Bubrouski (Feb 25)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Ismail Dönmez (Feb 25)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Paul Schmehl (Feb 25)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Stan Bubrouski (Feb 25)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Daniel Veditz (Feb 25)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Michal Zalewski (Feb 25)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Richard Moore (Feb 27)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Richard Moore (Feb 27)
- Re: Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr) Michal Zalewski (Feb 27)