List:       bugtraq
Subject:    Re: Nokia N95-8 browser denial of service
From:       "MustLive" <mustlive () websecurity ! com ! ua>
Date:       2009-02-28 23:23:08
Message-ID: 000901c999fb$9d86ada0$0100a9c0 () ml

Hello Thierry!

About your message concerning the crash in Firefox 3.0.6 
(http://securityvulns.ru/Vdocument307.html), which has a similar DoS 
vulnerability to the Nokia N95-8 browser.

Some time ago I read your message and also checked Firefox 3.0.6 and 
confirmed the crash in it. Here is what I can tell you about this hole.

At the beginning of September 2008 I already wrote about such a DoS 
vulnerability in Mozilla Firefox (http://websecurity.com.ua/2421/), which 
leads to the browser taking 100% of CPU resources and freezing after the 
exploit is run.

The attack was based on using nested marquee tags (this hole was already 
found in Firefox 1.0 and 1.5). Mozilla Firefox 3.0.1 and previous versions 
were vulnerable. This vulnerability was the first publicly disclosed DoS in 
Firefox 3. My exploit doesn't use JavaScript (as Juan's exploit), it only 
uses HTML. For attacking purposes it's better to use a plain HTML exploit, 
which allows bypassing such protections as turning off JavaScript or using 
addons like NoScript.

I informed Mozilla about this hole (by email) and published it at Bugzilla 
(https://bugzilla.mozilla.org/show_bug.cgi?id=454434). But Mozilla 
completely ignored it (as all the other vulnerabilities which I informed them 
about in 2007, 2008 and 2009). For example, the last hole in Firefox 3, 
which I disclosed on 13.02.2009 (and informed Mozilla about), was the Charset 
Inheritance vulnerability in Mozilla Firefox 3 (http://websecurity.com.ua/2879/) 
- and they haven't even answered me about it yet. For example, when I informed 
Google about the Charset Inheritance vulnerability in Google Chrome 
(http://websecurity.com.ua/2844/), they quickly answered me - that they 
decided not to fix it (but still did not ignore the letter like Mozilla).

In September 2009 a DoS vulnerability in SeaMonkey was found 
(http://websecurity.com.ua/2820/), which uses the same attack (on the 
marquee vulnerability which was ignored by Mozilla). But unlike FF, 
SeaMonkey crashes - this is already another type of DoS vulnerability in 
browsers (http://websecurity.com.ua/2550/). And in February you found that 
the last version of Firefox also crashes.

So Mozilla not only didn't fix the vulnerability which I found in Firefox 
3.0.1 (and which was already known in FF1), but even strengthened it in the 
last versions of the browser. They altered it from a resource consumption DoS 
to a crashing DoS. This situation is similar to the Charset Inheritance 
vulnerability in Mozilla Firefox 3, which wasn't in Firefox 3.0.1 and previous 
versions (after the fix in 2007), but which Mozilla "added" in Firefox from 
version 3.0.2.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
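
An added defensive illustration, not part of MustLive's message: since the 
attack described above is plain HTML built from nested marquee tags (no 
JavaScript, so NoScript-style protections do not apply), a content filter or 
proxy can flag documents whose marquee nesting depth exceeds a limit. The 
threshold MAX_MARQUEE_DEPTH and the sample documents below are constructed 
for this example. Unclosed tags are counted conservatively, so a document 
that never closes its marquees is still flagged.

```python
from html.parser import HTMLParser

# Assumed threshold for this example: legitimate pages rarely nest marquees
# more than a couple of levels deep, so anything beyond this is suspicious.
MAX_MARQUEE_DEPTH = 3


class MarqueeDepthScanner(HTMLParser):
    """Tracks the current and maximum nesting depth of <marquee> elements."""

    def __init__(self):
        super().__init__()
        self.depth = 0
        self.max_depth = 0

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so <MARQUEE> is handled too.
        if tag == "marquee":
            self.depth += 1
            self.max_depth = max(self.max_depth, self.depth)

    def handle_endtag(self, tag):
        # Guard against stray closing tags that would drive the depth negative.
        if tag == "marquee" and self.depth > 0:
            self.depth -= 1


def max_marquee_depth(html: str) -> int:
    """Return the deepest marquee nesting found in the document."""
    scanner = MarqueeDepthScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.max_depth


def is_suspicious(html: str, limit: int = MAX_MARQUEE_DEPTH) -> bool:
    """True when marquee nesting exceeds the configured limit."""
    return max_marquee_depth(html) > limit


# Constructed sample documents (not taken from the original post).
BENIGN_HTML = "<html><body><marquee>News ticker</marquee><p>ok</p></body></html>"
NESTED_HTML = "<div>" + "<MARQUEE>" * 50 + "x" + "</marquee>" * 50 + "</div>"
UNCLOSED_HTML = "<marquee>" * 10 + "x"   # closing tags deliberately omitted

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_HTML), ("nested", NESTED_HTML),
                      ("unclosed", UNCLOSED_HTML)]:
        print(f"{name}: depth={max_marquee_depth(doc)} "
              f"suspicious={is_suspicious(doc)}")
```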