Full Disclosure mailing list archives
Re: Browser bugs [DoS] ... where will you draw a line?
From: bipin gautam <visitbipin () yahoo com>
Date: Fri, 9 Apr 2004 21:46:03 -0700 (PDT)
--- Heikki Toivonen <hjtoi () comcast net> wrote:
bipin gautam wrote:Browser bugs [DoS] ... where will you draw a line?Browser DoS bugs don't get high priority because they are so easy to avoid. For example, if you go to a website that crashes your browser, hangs it, or launches 10,000 popup windows you can simply kill the browser and never go to that site again. Annoying, yes, but that's about it. DoS bugs that cause permanent damage are treated differently, of course. For example, I could imagine a bug that would corrupt some critical file and the browser would no longer start. Those bugs would be fixed fast, like traditional security vulnerabilities. -- Heikki Toivonen
<snip> ------------ <body onload="hUNT()"> <script language="JavaScript"><!-- var szhUNT="...its a jungle out there!" function hUNT() {szhUNT=szhUNT + szhUNT window.status="String Length is: "+szhUNT.length window.setTimeout('hUNT()',1);} // --></script> ------------- </snip> the soution here isn't to upgrade everytime..... try running this script in a older version of windows and in a minute you will flush your RAM, the only solution to run your PC in normal speed would be to RESTART! the point here is... users should* be in COMPLETE control of what they view in their browser. Zone alarm pro does have a good feature of handling scripts and other fancy stuffs on the website basis put in 'a click and go' manner. Sometimes even a full-screen pop Up is a pain when you find the only way of closing it is to kill the process tree! WHY should a web-content laded in "INTERNET ZONE" be ever given the privilege to access/use local drive paths??? It's really stupid to discover many IE bugs use this basic principle, -------------- copy evil in c:\xyz execute evil -------------- This wouldn't have happened if the content viewed in "internet zone" was never given the privilege to access any of the registry keys, local path's, [c:\?] etc... at all* or use a different way to access them! Many IE exploits would have never succeed. It's still strange to see executables being executed from "Temporary internet files" [folder] .......well, that's where software 'execution restriction' policy of windows kicks in, right? After all, we are loading plain scripts in our browser. ONLY when the dazzling features of OS is completely restricted to be used/access via web browsers exploits won't slow to pour down. ./hUNT3R ------------------------------------- http://www.geocities.com/visitbipin http://www.01security.com __________________________________ Do you Yahoo!? Yahoo! Tax Center - File online by April 15th http://taxes.yahoo.com/filing.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Browser bugs [DoS] ... where will you draw a line? bipin gautam (Apr 09)
- Re: Browser bugs [DoS] ... where will you draw a line? Heikki Toivonen (Apr 09)
- Re: Browser bugs [DoS] ... where will you draw a line? bipin gautam (Apr 09)
- Browser bugs [DoS] - Do they bite? morning_wood (Apr 11)
- Re: Browser bugs [DoS] ... where will you draw a line? Heikki Toivonen (Apr 09)