Date: Fri, 28 Sep 2007 22:25:51 -0400
From: wac <waldoalvarez00@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox 2.0.0.7 has a very serious calculation bug

Hello:

On 9/28/07, Jimby Sharp <jimbysharp@...il.com> wrote:
>
> How is this serious and is it related to security in any manner? If
> not, please do not spam. :-(


 Many bugs are security related (I would say all). How is it security
related? Think. What happens if your bank calculates something wrong and
puts the lower in your account and the higher in another account? Yes, it
might be little, but what about a little many times? That could be done
with javascript too. Then... you are not safe anymore. Especially today
with the invasion of AJAX. One of the browsers is broken for sure
(several?). They should do the same even in such small things. Should at
least be very carefully documented. However, just documenting it is only
going to bring trouble since many programmers won't be aware of that. They
would not even be making mistakes in the code but triggering somebody
else's errors. This kind of stuff happens many times. For instance, a
couple of days ago I hit a problem in which both Opera and Firefox behaved
differently to IE (some parameters in the form were not sent to the
server). It was with a <table><form></form></table> instead of
<form><table></table></form> (or the other way around, can't remember
right which was the workaround).

 Yes, every bug is security related. A database that is out of sync. An
improperly rounded number. Remember why Ariane blew up in the air because
of this? Remember the Mars landrover locked because of a priority inversion
bug? Would you call it a security bug? I really doubt many of you would.
However, millions were lost. Wasn't it security related? Think. What about if
someday the computers that handle the nuclear plant nearby make a wrong
rounding and one of the parameters goes out of range? Computers handle that,
handle your car, all of your communications, your heartbeat and even your
footsteps (heard about those smart Adidas with a chip?).

 What if an airplane computer misses one of the parameters? It *is* a security
bug even if it is not a stack/heap overflow, an integer overflow and all of
the rest you all know about. I consider if not all of the bugs, at least the
vast majority as security bugs. For your very own good, start thinking that
way too. Because someday you could even die just because somebody else
made a mistake in one of those control systems. Worse yet... because someone
thought that it wasn't a security bug and was not important to fix it.

Regards
Waldo Alvarez

PS: Now you have another way to verify (fingerprint) which browser is used to
browse a website even with spoofed User-Agent headers if javascript is
turned on.

And go and learn some floating point maths.
>
> On 9/28/07, carl hardwick <hardwick.carl@...il.com> wrote:
> > There's a flaw in Firefox 2.0.0.7 that allows javascript to execute wrong
> > subtractions.
> >
> > PoC concept here:
> > javascript:5.2-0.1
> > (copy this code into address bar)
> >
> > Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
> > Internet Explorer 7 result: 5.1 (OK)
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
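
The subtraction quoted in this thread and the "a little, many times" bank scenario, as an added example that is not part of the original messages: JavaScript numbers are IEEE 754 doubles, so 5.2 - 0.1 evaluates to 5.1000000000000005 and repeated sums drift, while amounts kept as integer cents stay exact. The function names are illustrative and the sample amounts are constructed.

```javascript
// Added example: binary floating point vs. integer cents for money amounts.

// Parse a decimal string such as "5.2" or "-0.10" into an integer number of cents.
function toCents(text) {
  const m = /^(-?)(\d+)(?:\.(\d{1,2}))?$/.exec(text);
  if (!m) throw new Error("not a decimal amount: " + text);
  const cents = Number(m[2]) * 100 + Number((m[3] || "").padEnd(2, "0"));
  if (!Number.isSafeInteger(cents)) throw new Error("amount out of range");
  return m[1] ? -cents : cents;
}

// Format integer cents back into a decimal string with two fraction digits.
function fromCents(cents) {
  const abs = Math.abs(cents);
  const sign = cents < 0 ? "-" : "";
  return sign + Math.floor(abs / 100) + "." + String(abs % 100).padStart(2, "0");
}

// Exact decimal subtraction: the work is done on integers, not doubles.
function subtractDecimal(a, b) {
  return fromCents(toCents(a) - toCents(b));
}

// Add the same double 'times' times; the rounding error of each step accumulates.
function floatTotal(amount, times) {
  let total = 0;
  for (let i = 0; i < times; i++) total += amount;
  return total;
}

// The same running total kept in integer cents.
function centsTotal(text, times) {
  const cents = toCents(text);
  let total = 0;
  for (let i = 0; i < times; i++) total += cents;
  return fromCents(total);
}

console.log(5.2 - 0.1);                     // double arithmetic
console.log(subtractDecimal("5.2", "0.1")); // integer-cent arithmetic
console.log(floatTotal(0.1, 10), centsTotal("0.10", 10));
```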
