Message-ID: <000901c999fb$9d86ada0$0100a9c0@ml>
Date: Sun, 1 Mar 2009 01:23:08 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <bugtraq@...urityfocus.com>
Subject: Re: Nokia N95-8 browser denial of service
Hello Thierry!
About your message concerning the crash in Firefox 3.0.6
(http://securityvulns.ru/Vdocument307.html), which has a DoS
vulnerability similar to the one in the Nokia N95-8 browser.
Some time ago I read your message and also checked Firefox 3.0.6 and
confirmed the crash in it. Here is what I can tell you about this hole.
In the beginning of September 2008 I already wrote about such a DoS
vulnerability in Mozilla Firefox (http://websecurity.com.ua/2421/), which
leads to the browser taking 100% of CPU resources and freezing after the
exploit is run.
The attack was based on using nested marquee tags (this hole was already
found in Firefox 1.0 and 1.5). Mozilla Firefox 3.0.1 and previous versions
were vulnerable. This vulnerability was the first publicly disclosed DoS in
Firefox 3. My exploit doesn't use JavaScript (as Juan's exploit does), it
only uses HTML. For attacking purposes it's better to use a plain HTML
exploit, which allows bypassing such protections as turning off JavaScript
or using addons like NoScript.
I informed Mozilla about this hole (by email) and published it at Bugzilla
(https://bugzilla.mozilla.org/show_bug.cgi?id=454434). But Mozilla
completely ignored it (like all the other vulnerabilities which I informed
them about in 2007, 2008 and 2009). For example, the last hole in Firefox 3,
which I disclosed on 13.02.2009 (and informed Mozilla about), was the Charset
Inheritance vulnerability in Mozilla Firefox 3
(http://websecurity.com.ua/2879/) - and they still haven't answered me about
it. For example, when I informed Google about the Charset Inheritance
vulnerability in Google Chrome (http://websecurity.com.ua/2844/), they
quickly answered me that they had decided not to fix it (but still did not
ignore the letter like Mozilla).
In September 2009 a DoS vulnerability in SeaMonkey was found
(http://websecurity.com.ua/2820/), which uses the same attack (the
marquee vulnerability which was ignored by Mozilla). But unlike FF,
SeaMonkey crashes - this is already another type of DoS vulnerability in
browsers (http://websecurity.com.ua/2550/). And in February you found that
the last version of Firefox also crashes.
So Mozilla not only didn't fix the vulnerability which I found in Firefox
3.0.1 (and which was already known in FF1), but even strengthened it in the
last versions of the browser. They altered it from a resource consumption DoS
to a crashing DoS. This situation is similar to the Charset Inheritance
vulnerability in Mozilla Firefox 3, which wasn't in Firefox 3.0.1 and
previous versions (after the fix in 2007), but which Mozilla "added" to
Firefox from version 3.0.2.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua