Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

["John Smith" <at-x () live com>]

Just a few cents - DoS in webbrowsers doesn't fall under the category of 
"vulnerabilities" rather more of "annoyances". Although I don't deny the 
fact that certain DoS attacks *may lead* or *may serve as hints* to other 
more serious exploits, but that's a different topic and with ASLR in the 
scene, a very grey area of discussion.

Case in point: XSS can be of various kinds and most of them (I'm talking of 
about 99.99%) can be attributed to the design of the web 
technologies/protocols specifications (http, ajax, etc etc...you name it) 
and the browsers can only do that much. Hence its not feasible for a 
webbrowser to 'prevent' them without tampering the protocol or annoying you 
with continuous messages about what it is doing (assuming all users have the 
knowledge of how web works as much as the people on this list). So unless 
you pinpoint the exact flaw (XSS or DoS) its very hard to assume whether the 
browser in question actually needs a fix for it.

Best Regards,
w

--------------------------------------------------
From: "MustLive" <mustlive () websecurity com ua>
Sent: Friday, May 28, 2010 2:23 AM
To: "Susan Bradley" <sbradcpa () pacbell net>
Cc: <bugtraq () securityfocus com>
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, 
Opera and other browsers

> Hello Susan!
>
> As I already wrote you and Adam earlier, every type of disclosure 
> (including
> full disclosure and responsible full disclosure) can be good in 
> appropriate
> situation. And I use that type of disclosure which is suitable for every
> particular case.
>
> Taking into account that 3 from 4 vendors answered me (except Microsoft) 
> and
> Google had already non affected Chrome 4, and Mozilla and Opera promised 
> to
> fix it (we'll see when and how they do it), then you can see that my
> approach works. And responsible full disclosure can force browser vendors 
> to
> attend more at security of their software.
>
> Soon I'll write to security mailing lists about new vulnerabilities in
> different browsers. And you can not worry about that - in those advisories
> I'll use a littler different approach of informing browser vendors. You 
> will
> like it ;-).
>
> > Let's take one for example.  Did you email secure () microsoft com? I have
> > before and 100% of the time they respond.
>
> Yes, I did. I emailed Microsoft, like other browser vendors. I knew their
> emails, because I wrote to all of these four vendors a lot of times during
> 2007-2010, and all of them answered many times (who more, who less). But 
> as
> I already wrote, in 99% cases they ignored to fix DoS holes (even if they
> answered and told, that they agreed that it was DoS and they'd think about
> fixing it).
>
> For example Microsoft one time even answered me twice (with thanks), when 
> I
> informed them about XSS in IE6. But they didn't fix this vulnerability. It
> was Saved XSS (this type of XSS I created after I found this hole in IE),
> which was already posted at Bugtraq in 2007. And in 2008 I informed
> Microsoft (and posted to Bugtraq) about this vulnerability in IE7 - but MS
> ignored. And in 2009 MS released IE8 where this hole was fixed (as I 
> checked
> it), without mentioning about this fact and without thanking me (just
> silently). Similarly to Mozilla's approach with one XSS in Firefox (which 
> I
> informed them), which I already mentioned to Bugtraq in beginning of 2009.
>
> But about DoS holes they didn't answer in 99% of time. And Microsoft never
> fixed DoS holes in IE, which I informed them, but fix DoS hole in Outlook.
> And answered me twice: one time with thanks and latter when they fixed (MS
> was only one vendor who informed me that it fixed DoS hole in their
> software, from all of those few cases when browser vendors fixed DoS 
> holes).
>
> So as it clear, browser vendors only answer when they want.
>
> > Patches take time.  The do not occur over night.  Furthermore it may take
> > a day for the vendor to respond to you.
>
> As I mentioned, 3 from 4 developers answered me (but it's not common for
> cases with DoS holes). But MS didn't answer me for more than 1,5 week. 
> From
> which you can see their attitude to such issues. And on example of Google,
> which Chrome 4 was invulnerable to this hole (only Chrome 1.x), shows 
> their
> attitude to such issues - that they are working to fix holes (including
> those which was in older versions of their browser) even before they will 
> be
> found and disclosed by researchers.
>
> > Should you have issues, would you consider emailing me first so I can
> > introduce you to contacts?
>
> Thanks, I don't need help with informing browser vendors. They with no
> doubts received all my letters in 2007-2010 and would receive all future
> letters. But as said, I'll not be more informing them about DoS holes. 
> This
> decision I made in August 2009 and it's final decision.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- 
> From: "Susan Bradley" <sbradcpa () pacbell net>
> To: "MustLive" <mustlive () websecurity com ua>
> Cc: <bugtraq () securityfocus com>
> Sent: Thursday, May 20, 2010 2:58 AM
> Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome,
> Opera and other browsers
>
>
> > Let's take one for example.  Did you email secure () microsoft com? I have
> > before and 100% of the time they respond.
> >
> > Patches take time.  The do not occur over night.  Furthermore it may take
> > a day for the vendor to respond to you.
> > This isn't about past issues, this is about this issue. A single day did
> > not pass between when you emailed these vendors and when you posted here.
> > Have you considered giving these vendors time to respond?  I do not find
> > that 99% of them don't, rather I find that they do.  Should you have
> > issues, would you consider emailing me first so I can introduce you to
> > contacts?
> >
> > MustLive wrote:
> > > Hello Susan!
> > >
> > > > Granted I can denial of service a browser just by loading up a horrible
> > > > add in or just using a browser
> > >
> > > DoS of the browser is already bad thing. And there are many risks for
> > > users
> > > from DoS holes in browsers, which I wrote about in 2008 in my articles
> > > Dangers of DoS attacks on browsers and Dangers of resources consumption
> > > DoS
> > > attacks. But mostly browser developers ignore to fix these issues.
> > >
> > > But in this case it's not only attack on browsers, but on the whole
> > > user's
> > > computer - because it's blocking of whole computer and full resource
> > > consumption. Which is working in many browsers, including their last
> > > versions. So browser developers with their neglect to this problem make
> > > possible attacks on the whole users' systems. It was one of leitmotifs 
> > > of
> > > my
> > > advisory.
> > >
> > > > can I respectfully ask that you give vendors time to respond before
> > > > posting?
> > >
> > > This informing of vendors was an exclusion. During 2007-2009 I informed
> > > many
> > > browser developers about many vulnerabilities (as DoS, as others) and
> > > gave
> > > them a lot of time for fixing in many of that cases. But they almost
> > > always
> > > ignore to fix the holes (especially DoS holes, which were only fixed few
> > > times by Google and one time by Microsoft, and not in IE, but in 
> > > Outlook,
> > > and 99% of cases were completely ignored). Taking that into account last
> > > year I decided from 2010 never inform browser vendors about DoS holes in
> > > their browsers. And this time it was an exclusion (just one). In any 
> > > case
> > > due to full disclosure the Internet community will be knowing about the
> > > vulnerabilities in browsers which I found and will be knowing the real
> > > state
> > > of security of browsers. It was another leitmotif of my advisory.
> > >
> > > So this time I informed browser developers and users about these issues.
> > > And
> > > did I receive any thanks from Susan (especially taking into account that
> > > I
> > > did inform vendors) or any other user of browsers for this info? No :-).
> > > Did
> > > browser vendors answered me? No :-) (at first day) - which is normal for
> > > such cases, based on my experience. Only on second day Opera and Mozilla
> > > answered me and begun investigation of these cases (which is rare case
> > > when
> > > they responded on DoS hole, based on my experience), but not other
> > > vendors.
> > >
> > > > These vendors do not ignore security issues and do respond
> > >
> > > As I already said, in 99% they do ignore and don't respond (and 
> > > sometimes
> > > were such cases as responded but not fixed, and such case as not
> > > responded
> > > and not thanked me, but fixed). So taking into account my personal
> > > experience with finding vulnerabilities in browsers and informing
> > > vendors,
> > > I'm not informing them about DoS vulnerabilities in their browsers from
> > > this
> > > year (except this one case).
> > >
> > > > From more then 5 years of my work here is TOP of different group of
> > > > people,
> > > based on answering and fixing of vulnerabilities which I informed them
> > > about
> > > (the higher, the better):
> > >
> > > 1. Developers of Internet related software (such as web servers, ad
> > > blockers, etc.).
> > > 2. Developers of web applications.
> > > 3. Admins of web sites.
> > > 4. Developers of the browsers.
> > >
> > > Which must give you a ground for thoughts.
> > >
> > > Best wishes & regards,
> > > MustLive
> > > Administrator of Websecurity web site
> > > http://websecurity.com.ua