Message-ID: <be950f350710011027g2887f68i3e3f54bee36afafe@mail.gmail.com>
Date: Mon, 1 Oct 2007 13:27:59 -0400
From: wac <waldoalvarez00@...il.com>
To: "Andrew Farmer" <andfarm@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox 2.0.0.7 has a very serious calculation bug

Hello:

On 9/29/07, Andrew Farmer <andfarm@...il.com> wrote:
>
> If your bank is doing financial calculations using Javascript in a
> standard web browser, you have bigger things to worry about than
> roundoff errors.


Ok, let's explain this with more details because I realize that you got
something else (and it might be the case for others). I was not referring to
banks performing all of the calculations on the browser. That would be insane
because users would be manipulating that for sure, changing a couple of web
pages. A bank would not last a single day on the internet in such a case. I
was commenting to you about some calculations done in your browser so you
don't have to make them in your head, your operating system calculator or a
pocket calculator. Taxes and other kinds of financial calculations, for
example. Hey, I could add a financial calculator on one side of a page so you
don't have to pick one. I don't know which calculus you could do; I'm not a
banker (not yet. I'll tell you by then). The browser can do that kind of
thing better than you. I don't know an exact example but it could be the
case. Remember there are a zillion websites out there. All the bank needs to
be sure of is that all of the movements you do do not exceed your balance. If
you (or your browser), intentionally or not, perform the calculation
wrong... Well... that is your problem. You won't steal money from the bank
with that. And that kind of thing is very likely to be put into the browser
more and more with AJAX, Silverlight and all of them, just to prevent
mistakes in the first place. It's the trend. So a rounding bug in javascript
(in such a case) could be really serious.

Also notice that if there is really a problem in the FF javascript engine it
goes beyond the browser. You could run Tamarin, Spidermonkey or Rhino on the
server side and perform some processing there with javascript.

http://developer.mozilla.org/en/docs/About_JavaScript

"Another common application for JavaScript is as a (web) server side
scripting language. A JavaScript web server would expose host objects
representing a HTTP request and response objects, which could then be
manipulated by a JavaScript program to dynamically generate web pages."


I based my previous comments on comments from some other persons, not on my
own tests. I tried this code and it is giving me the same result
(5.1000000000000005) in IE 6, FF 2.0.0.7 and Opera 9.23:

<html>
<body>
<script type="text/javascript">
// 5.2 and 0.1 are both inexact in binary, so the difference is not exactly 5.1
var a = 5.2;
var b = 0.1;
alert(a - b); // 5.1000000000000005
</script>
</body>
</html>

This one is giving me the same numbers too in every browser:

<html>
<a href="javascript:alert(5.2-0.1)">arrf</a>
</html>


So it seems to me that IE is actually performing those calculations with
higher precision only when used as a calculator (directly in the address
box), but not in javascript code (fortunately). However, let me know if you
find something. I'm interested and would like to be aware of it.

As a side comment, I wanted to tell you that what is out there on the
internet is not a standard. It's what IE dictates. IE rules the internet
whether you like it or not. It comes from a big one and also comes
preinstalled. That's why it holds a big share of the market. It imperates
and has a lot of pressure on the content published on the internet. As IE
adapts to the web, the web also adapts to IE.

As another side comment about the FP math. Well, don't worry, I already did
that some time ago. While I'm not an expert in numeric math, that was the
first part of the first course of numeric math in my second year. As a
curiosity, and also a very usual mistake, in FP math a + b + c is not always
equal to a + c + b. You must sort the numbers before doing that and do the
calculus from lower to higher if you want the most accurate results. Yes, FP
math is tricky sometimes and a lot of care must be taken with it since it is
not real math but approximations. For example, sometimes you need to make
transformations to equations or use Taylor. It might look boring at first
sight but when you look closer you realize that it is very important and
catches your eye.

Regards
Waldo Alvarez


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
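The following is an added example, not code from the message above or from any browser vendor. It reproduces the 5.2 - 0.1 result the message reports, shows with constructed inputs that floating-point addition is not associative (the a + b + c point at the end of the message), implements the "sort ascending, then sum" rule the message recommends, and goes beyond the message in two ways: Kahan compensated summation as a more robust alternative, and integer-cents arithmetic as the usual way to keep the financial calculations the message worries about exact. All function names and sample values are this example's own.

```javascript
// Added example (not part of the original post). All sample inputs are
// constructed for this demo; nothing here is a bank's or a browser's code.

// The subtraction from the original test pages.
function subtractNaive(a, b) {
  return a - b; // subtractNaive(5.2, 0.1) -> 5.1000000000000005
}

// Sum in the order given: rounding error accumulates differently per order.
function sumNaive(values) {
  let total = 0;
  for (const v of values) total += v;
  return total;
}

// The rule quoted in the message: sort ascending by magnitude, then sum, so
// that small terms are combined before a large term can swallow them.
function sumAscending(values) {
  const sorted = values.slice().sort((x, y) => Math.abs(x) - Math.abs(y));
  return sumNaive(sorted);
}

// Kahan compensated summation: carries the rounding error of each step into
// the next one. Goes beyond the message, which only mentions sorting.
function sumKahan(values) {
  let total = 0;
  let comp = 0; // running compensation for lost low-order bits
  for (const v of values) {
    const y = v - comp;
    const t = total + y;
    comp = (t - total) - y;
    total = t;
  }
  return total;
}

// Money: keep amounts as integer cents so + and - are exact; convert once at
// the edges. Math.round absorbs the representation error of inputs like 5.2.
function toCents(amount) {
  return Math.round(amount * 100);
}

// Format integer cents without going back through floating point.
function formatCents(cents) {
  const sign = cents < 0 ? "-" : "";
  const abs = Math.abs(cents);
  const whole = Math.floor(abs / 100);
  const frac = String(abs % 100).padStart(2, "0");
  return `${sign}${whole}.${frac}`;
}

function subtractMoney(a, b) {
  return formatCents(toCents(a) - toCents(b)); // subtractMoney(5.2, 0.1) -> "5.10"
}

// Demo output when the file is run directly.
console.log(subtractNaive(5.2, 0.1));      // 5.1000000000000005
console.log(sumNaive([0.1, 0.2, 0.3]));     // 0.6000000000000001
console.log(sumNaive([0.3, 0.2, 0.1]));     // 0.6
const big = [1e16, 1, 1];                   // exact sum is 10000000000000002
console.log(sumNaive(big));                 // 10000000000000000: both 1s are lost
console.log(sumAscending(big));             // 10000000000000002
console.log(sumKahan(big));                 // 10000000000000002
console.log(subtractMoney(5.2, 0.1));       // "5.10"
```

Two things worth noticing. First, the ascending-order rule is a heuristic, not a guarantee: for [0.1, 0.2, 0.3] the ascending order is the one that yields 0.6000000000000001, while the descending order yields 0.6; the rule pays off when magnitudes differ widely, as in the 1e16 case, and Kahan summation handles both cases without caring about order. Second, for amounts of money the sound fix is not a cleverer summation but keeping the values as integers (cents) so that the browser-side arithmetic the message describes can never drift from what the server computes.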
