Bugtraq mailing list archives

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera


From: "MustLive" <mustlive () websecurity com ua>
Date: Mon, 31 May 2010 19:03:37 +0300

Hello Susan and other readers who replied to my previous advisory.

Earlier I already answered Vladimir; now I'll answer Susan and soon I'll
answer John. But first, one important note to every reader of the list,
including John Smith, which I already wrote about 1.5 weeks ago (after
posting the first advisory about DoS in browsers) to one reader of
Full-disclosure who read that advisory inattentively (he missed the note
about attacking without JS) and also to Mozilla (who started discussing this
issue and only paid attention to the JS attack vector): as I wrote in both
advisories, this attack via iframes can also be conducted without
JavaScript. So even turning JS off will not help.

Due to the advantages of a JS exploit for these vulnerabilities over a non-JS
exploit, I wrote JavaScript exploits for these advisories and will do so for
future advisories (but I will keep reminding about the possibility of attacking
without JS). But soon I'll present one exploit also in a "pure-iframe" version
(without JS) for Internet Explorer and other applications, for the case when a
small number of iframes leads to a crash.

Thank you.  Now if you could wait for patches before disclosing I'd be
even happier.

Susan, you are welcome.

I would be happy to wait for patches from the browser vendors, but as I already
told you in detail, it's not possible due to the behavior of browser vendors.
They mostly ignore such holes; they don't count DoS as
vulnerabilities, they call them "stability issues" and so don't take
them seriously (not fixing them, or fixing them slowly). I don't respect such a
statement as "stability issues" for DoS holes, and during 2008-2010 I worked
hard to change vendors' minds on this issue, but they still ignore it.

Also, as I already told you, they never tell whether they fixed such holes or not
(especially taking into account that they almost always ignore my letters
with such holes or, as Opera did a few times, answer with the "it's a stability
issue" statement). So I have no way to learn from them whether they fixed
it or not, and because they don't care about such issues (ignoring them or
calling them stability issues), they never mention them in vendor advisories.
Only once did Microsoft inform me about fixing a DoS hole in Outlook: even
though they called it a stability issue, they informed me after they released
a patch for it (which was a serious approach, but neither Microsoft for IE nor
other vendors use such an approach for DoS holes in browsers).

But take into account that I informed (on 26.05.2010) all four browser
vendors about many vulnerabilities, which I'll disclose in the future. So
they have been informed long in advance :-). And so you have no need to
worry, because with every day they become more and more "informed long
ago" and have more and more days to fix these holes.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- From: "Susan Bradley" <sbradcpa () pacbell net>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <bugtraq () securityfocus com>
Sent: Friday, May 28, 2010 7:06 PM
Subject: Re: [Suspected Spam]DoS vulnerabilities in Firefox, Internet
Explorer, Chrome and Opera


Thank you.  Now if you could wait for patches before disclosing I'd be
even happier.

MustLive wrote:
Hello Bugtraq!

I want to warn you about security vulnerabilities in different browsers.

-----------------------------
Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
Opera
-----------------------------
URL: http://websecurity.com.ua/4238/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
8, Google Chrome, Opera.
-----------------------------
Timeline:

26.05.2010 - found vulnerabilities.
26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
Susan Bradley must be happy :-).
27.05.2010 - disclosed at my site.
-----------------------------
Details:

After publication of previous vulnerabilities in different browsers, I
continued my research and found many new vulnerabilities in browsers,
which I called by the general name DoS via protocol handlers, to which
the previous DoS attack via the mailto handler also belonged.

Now I'm informing about DoS in different browsers via the news and
nntp protocols. These Denial of Service vulnerabilities belong to the types
(http://websecurity.com.ua/2550/) blocking DoS and resource consumption
DoS. These attacks can be conducted both with JS and without it (via
creating a page with a large quantity of iframes).

DoS:

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html

This exploit for the news protocol works in Mozilla Firefox 3.0.19 (and
besides previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
(6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
1.0.154.48 and Opera 9.52.

In all mentioned browsers, blocking and overloading of the system occurs
from the starting of Opera, which was the news client on my computer, and IE8
crashes (on a computer without Opera). And in Opera the attack goes
without blocking, only resource consumption (more slowly than in other
browsers).

http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html

This exploit for the nntp protocol works in Mozilla Firefox 3.0.19 (and
besides previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
(6.0.2900.2180) and Opera 9.52.

In all mentioned browsers, blocking and overloading of the system occurs
from the starting of Opera, which was the nntp client on my computer. In IE8
the attack didn't work, possibly because on that computer there was no
nntp client, Opera in particular. And in Opera the attack goes without
blocking, only resource consumption (more slowly than in other
browsers).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
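One defender-side check for the no-JavaScript vector the advisory describes (a page embedding many iframes whose src points at an external protocol handler), as an added example that is not code from the original advisory or its linked exploit pages: a stdlib Python scanner that counts such iframes in an HTML document. The scheme list, the threshold and the sample documents are assumptions constructed for illustration.

```python
"""Static scanner for the iframe-based protocol-handler DoS pattern.

Added example, not part of the original advisory or its exploit pages.
It flags HTML that embeds many iframes whose src uses an external
protocol scheme (news:, nntp:, mailto:). A JS-built variant of the same
page cannot be caught statically; this only covers the pure-iframe form.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes the advisory names as dispatched to an external client;
# the set itself is an assumption (extend it for other handlers).
HANDLER_SCHEMES = {"news", "nntp", "mailto"}


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def scan_html(document, threshold=5):
    """Return (total_iframes, handler_iframes, flagged) for one document.

    flagged is True when at least `threshold` iframes target a scheme in
    HANDLER_SCHEMES; the threshold is an assumed, tunable value.
    """
    parser = IframeCollector()
    parser.feed(document)
    handler = [s for s in parser.srcs
               if urlsplit(s).scheme.lower() in HANDLER_SCHEMES]
    return len(parser.srcs), len(handler), len(handler) >= threshold


# Constructed sample documents for a stand-alone run.
BENIGN = '<html><body><iframe src="https://example.com/a"></iframe></body></html>'
SUSPECT = ("<html><body>"
           + "".join('<iframe src="news:group%d"></iframe>' % i for i in range(200))
           + "</body></html>")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_html(doc))
```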

