lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CALx_OUALVpO=Df8fk0bvij8O18CU2ik0zE7_Dio+6K+dsPBXAw@mail.gmail.com>
Date: Thu, 22 Dec 2011 13:01:58 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: Charles Morris <cmorris@...odu.edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: OT: Firefox question / poll

> Do you think that the Firefox "warning: unresponsive script" is meant
> as a security feature or a usability feature?

More seriously, though, it's a bit of an oddly-phrased question. Only
the author of the code knows the true intent; you can look up the
mention of this text in the code, and see what the text accompanying
that change was, or contact whoever made it.

What I can tell you is that there is no concerted effort by any of the
browser vendors to make DoS attacks on the browser difficult; and that
this particular prompt is trivially bypassable, too. Moreover, some of
the previously introduced CPU and memory restrictions on the
JavaScript engine have been removed in the past few years, and many of
the new APIs (such as history.pushState, window.postMessage, or
Worker) are specified and implemented with no particular DoS
mitigations.

And no, it's very unlikely for this prompt to reliably prevent any
practical attempts to exploit non-DoS vulnerabilities in the browser.

/mz

PS. The usual plug: If you are curious, I have a whole chapter on this
and other perhaps more interesting issues related to malicious scripts
in "The Tangled Web".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ