lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 19 May 2010 16:58:43 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: MustLive <mustlive@...security.com.ua>
Cc: bugtraq@...urityfocus.com
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera
 and other browsers

Let's take one for example.  Did you email secure@...rosoft.com? I have 
before and 100% of the time they respond.

Patches take time.  The do not occur over night.  Furthermore it may 
take a day for the vendor to respond to you. 

This isn't about past issues, this is about this issue. A single day did 
not pass between when you emailed these vendors and when you posted 
here.  Have you considered giving these vendors time to respond?  I do 
not find that 99% of them don't, rather I find that they do.  Should you 
have issues, would you consider emailing me first so I can introduce you 
to contacts?

MustLive wrote:
> Hello Susan!
>
>> Granted I can denial of service a browser just by loading up a horrible
>> add in or just using a browser
>
> DoS of the browser is already bad thing. And there are many risks for 
> users
> from DoS holes in browsers, which I wrote about in 2008 in my articles
> Dangers of DoS attacks on browsers and Dangers of resources 
> consumption DoS
> attacks. But mostly browser developers ignore to fix these issues.
>
> But in this case it's not only attack on browsers, but on the whole 
> user's
> computer - because it's blocking of whole computer and full resource
> consumption. Which is working in many browsers, including their last
> versions. So browser developers with their neglect to this problem make
> possible attacks on the whole users' systems. It was one of leitmotifs 
> of my
> advisory.
>
>> can I respectfully ask that you give vendors time to respond before
>> posting?
>
> This informing of vendors was an exclusion. During 2007-2009 I 
> informed many
> browser developers about many vulnerabilities (as DoS, as others) and 
> gave
> them a lot of time for fixing in many of that cases. But they almost 
> always
> ignore to fix the holes (especially DoS holes, which were only fixed few
> times by Google and one time by Microsoft, and not in IE, but in Outlook,
> and 99% of cases were completely ignored). Taking that into account last
> year I decided from 2010 never inform browser vendors about DoS holes in
> their browsers. And this time it was an exclusion (just one). In any case
> due to full disclosure the Internet community will be knowing about the
> vulnerabilities in browsers which I found and will be knowing the real 
> state
> of security of browsers. It was another leitmotif of my advisory.
>
> So this time I informed browser developers and users about these 
> issues. And
> did I receive any thanks from Susan (especially taking into account 
> that I
> did inform vendors) or any other user of browsers for this info? No 
> :-). Did
> browser vendors answered me? No :-) (at first day) - which is normal for
> such cases, based on my experience. Only on second day Opera and Mozilla
> answered me and begun investigation of these cases (which is rare case 
> when
> they responded on DoS hole, based on my experience), but not other 
> vendors.
>
>> These vendors do not ignore security issues and do respond
>
> As I already said, in 99% they do ignore and don't respond (and sometimes
> were such cases as responded but not fixed, and such case as not 
> responded
> and not thanked me, but fixed). So taking into account my personal
> experience with finding vulnerabilities in browsers and informing 
> vendors,
> I'm not informing them about DoS vulnerabilities in their browsers 
> from this
> year (except this one case).
>
>> From more then 5 years of my work here is TOP of different group of 
>> people,
> based on answering and fixing of vulnerabilities which I informed them 
> about
> (the higher, the better):
>
> 1. Developers of Internet related software (such as web servers, ad
> blockers, etc.).
> 2. Developers of web applications.
> 3. Admins of web sites.
> 4. Developers of the browsers.
>
> Which must give you a ground for thoughts.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- From: "Susan Bradley" <sbradcpa@...bell.net>
> To: "MustLive" <mustlive@...security.com.ua>; <bugtraq@...urityfocus.com>
> Sent: Tuesday, May 18, 2010 8:38 PM
> Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome,
> Opera and other browsers
>
>
>> 16.05.2010 - found vulnerability.
>> 17.05.2010 - disclosed at my site.
>> 18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
>>
>>
>> Found on the 16th
>> Blogged on the 17th
>> Told vendors on the 18th
>> Posted here on the 18th
>>
>> Granted I can denial of service a browser just by loading up a horrible
>> add in or just using a browser, but as a customer of each of these
>> vendors, can I respectfully ask that you give vendors time to respond
>> before posting?  These vendors do not ignore security issues and do
>> respond (unlike some of the web sites with the captcha issues)  So why
>> haven't you given them that opportunity?
>>
>>
>> MustLive wrote:
>>> Hello Bugtraq!
>>>
>>> I want to warn you about security vulnerability in different browsers.
>>>
>>> -----------------------------
>>> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome,
>>> Opera
>>> and other browsers
>>> -----------------------------
>>> URL: http://websecurity.com.ua/4206/
>>> -----------------------------
>>> Affected products: Mozilla Firefox, Internet Explorer 6, Internet
>>> Explorer
>>> 8, Google Chrome, Opera and other browsers.
>>> -----------------------------
>>> Timeline:
>>>
>>> 16.05.2010 - found vulnerability.
>>> 17.05.2010 - disclosed at my site.
>>> 18.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
>>> -----------------------------
>>> Details:
>>>
>>> At 30.02.2010 Mozilla fixed vulnerability (small one, which poses no
>>> security risk, as they said), found by Henry Sudhof - Mozilla 
>>> Foundation
>>> Security Advisory 2010-23
>>> (http://www.mozilla.org/security/announce/2010/mfsa2010-23.html) (Image
>>> src
>>> redirect to mailto: URL opens email editor). Which allow to open email
>>> client at user's computer via redirector, which redirecting to mailto:
>>> URL.
>>> But this vulnerability was fixed only in Firefox 3.5.9, Firefox 
>>> 3.6.2 and
>>> SeaMonkey 2.0.4, but not in Firefox 3.0.x.
>>>
>>> After I recently read this advisory, I decided to check different
>>> browsers.
>>> And as I checked at 16.05.2010, to this vulnerability are vulnerable 
>>> web
>>> browsers Firefox 3.0.19 and Opera 9.52. And I created exploit for
>>> conducting
>>> of DoS attack on Firefox.
>>>
>>> Also I found possibility to open email client via iframe with mailto:
>>> URL.
>>> Which works in browsers Firefox 3.0.19, IE6, IE8 and Chrome. And I
>>> created
>>> exploit for conducting of attack on all browsers, which I called DoS 
>>> via
>>> email. This attack can be conducted as with using JS, as without it 
>>> (via
>>> creating of page with large quantity of iframes).
>>>
>>> If attack via images at a page (which open email client) is only
>>> discomfort,
>>> then attack via images or iframes with using my exploits is Denial of
>>> Service vulnerability. It belongs to type
>>> (http://websecurity.com.ua/2550/)
>>> blocking DoS and resources consumption DoS. These exploits are very
>>> dangerous - at their starting, if to not stop attack in time, they can
>>> lead
>>> to full consumption of computer's resources (potentially even to 
>>> freezing
>>> of
>>> the system).
>>>
>>> DoS:
>>>
>>> http://websecurity.com.ua/uploads/2010/Firefox%20DoS%20Exploit.html
>>>
>>> This exploit works in Mozilla Firefox (Firefox <= 3.0.19, Firefox <
>>> 3.5.9,
>>> Firefox < 3.6.2) and SeaMonkey < 2.0.4.
>>>
>>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit.html 
>>>
>>>
>>> This exploit works in Mozilla Firefox (besides 3.0.x and previous
>>> versions,
>>> it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180),
>>> Internet Explorer 8 (8.0.7600.16385), Google Chrome 1.0.154.48 and 
>>> Opera
>>> 9.52. At that in Opera the exploit don't open email client, so DoS 
>>> attack
>>> is
>>> going without blocking, only resources consumption (more slowly then in
>>> other browsers). And also this exploit must work in SeaMonkey, Internet
>>> Explorer 7 and other browsers.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ