Bugtraq mailing list archives

RE: Browser bugs [DoS] ... where will you draw a line?


From: "Drew Copley" <dcopley () eeye com>
Date: Fri, 9 Apr 2004 10:23:45 -0700


 

-----Original Message-----
From: Bipin Gautam [mailto:visitbipin () hotmail com] 
Sent: Friday, April 09, 2004 8:07 AM
To: bugtraq () securityfocus com
Subject: Browser bugs [DoS] ... where will you draw a line?



Browser bugs [DoS] ... where will you draw a line?



Shouldn't developers [of Browsers] draw a line... between a 
DoS bug and a "can be troublesome" feature in their 
web-browser and put necessary measures in their code to 
protect from such nasty codes.  These days... I've been 
seeing a lot of stupid IE/Mozilla DoS exploits. They do get 
patched. Should we need another "Bloodhound" technology in 
browser as well for such  but...... it's strange to see 
neither antivirus software nor IE / MOZILLA are 
putting necessary efforts in their code to prevent such 
hostile scripts.....? 



I think that is presumptive. 

They put a lot of work into their browsers. But, unlike most other
applications you are talking about a massive application here which is
designed to perform many major tasks which include being its own
language parser for several languages.

DoS attacks are not a priority. This can be almost anything. They don't
run code. And, quite frankly, at least in IE, most DoS attacks are now
handled pretty well. You can actually just close the browser. Further,
it is not nearly so easy to get such attacks to work anymore because you
are so much more limited in how you can attack. It used to be you could
just send a newspost or email on any html post and get everyone. 



<snip>


--------------------------------------

I guess this bug has patch...

--------------------------------------

<object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>

<script>

wsh.Run("cmd.exe /k echo ...today is your lucky day!"); 

</script>

--------------------------------------


Running wsh within the browser does not work in the Internet zone. The
vulnerabilities that run code are very difficult to find. They may look
easy as a finished product, but a great deal of grueling work goes into
them. 

Running wsh within the browser if the file is on your desktop works, if
you click "Okay" to the security warning.

Web browsers are an essential technology. If you don't think they should
be able to run games or perform powerful tasks then just turn off their
ability to do so. Personally, even as someone that has found multiple
full compromise vulnerabilities in IE, I like the power of it. It is
cool to be able to have applications within a webpage. I like that
Mozilla added IRC to their browser. I can only hope they add more
features.

More features do mean more bugs. 

I will fault Microsoft on their time to fix bugs. I have serious
problems with that. I don't blame the everyday person there, but I see
that as a larger, management incompetence issue. 


<snip>



the solution shouldn't be to disable scripting...... etc!

Agreed there.

And Microsoft has gone with this "solution" on w2k3. 

But, dealing with language parsers is very difficult. You can do almost
anything in several different languages. There is so much to check. 

The same kind of issues remain for trying to firewall out SQL attacks or
Javascript attacks. There are so many different ways to "say" the same
thing. These are languages.






so ??????



./hUNT3R

-------------------------------------

http://www.geocities.com/visitbipin

http://www.01security.com



