[GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

________________________________________________________________________

                     One bug to rule them all
       IE5,IE6,IE7,IE8,Netscape,Firefox,Safari,Opera,Konqueror,
       Seamonkey,Wii,PS3,iPhone,iPod,Nokia,Siemens.... and more.
               Don't wet your pants - it's DoS only
________________________________________________________________________

Release mode: Tried hard to coordinate - gave up
Reference   : [GSEC-TZO-26-2009] - One bug to rule them all
WWW         : http://www.g-sec.lu/one-bug-to-rule-them-all.html
Vendors     : 
http://www.firefox.com   
http://www.apple.com
http://www.opera.com
http://www.sony.com
http://www.nintendo.com
http://www.nokia.com
http://www.siemens.com
others..
Status      : Varies
CVE         : CVE-2009-1692 (created by Apple, same root cause)
Credit      : Except Apple - nobody

Affected products : 
~~~~~~~~~~~~~~~~~~~
- Internet Explorer 5, 6, 7, 8 (all versions)
- Chrome (limited)
- Opera 
- Seamonkey
- Midbrowser
- Netscape 6 & 8 (9 years ago)
- Konqueror (all versions)
- Apple iPhone + iPod 
- Apple Safari
- Thunderbird
- Nokia Phones : Nokia N95 (Symbian OS v.9.2),Nokia N82, Nokia N810 Internet Tablet
- Aigo P8860 (Browser hangs and cannot be restarted)  
- Siemens phones
- Google T-Mobile G1 TC4-RC30
- Ubuntu (Operating system sometimes reboots, memory management failure)
- possibly more devices and products that support JavaScript;
try it yourselves. POC here : http://www.crashthisthing.com/select.html

Patch availability :
~~~~~~~~~~~~~~~~~~~~
- Mozilla : Fixed in Firefox 3.0.5 and 2.0.0.19 
https://bugzilla.mozilla.org/show_bug.cgi?id=460713
- Apple iPhone&iPod : patched
- IE : No patch for IE5, IE6, IE7, IE8 until IE9
- Webkit : Patched in r41741 - https://bugs.webkit.org/show_bug.cgi?id=23319
- Chrome : Patched (unknown which version)
- Opera : Patched after version 9.64
- Thunderbird (unknown)
- Konqueror : unknown (did not respond)
- Nokia : unknown, opened a case but never came back
- Aigo P8860 : unknown
- Siemens : unknown
- Others ? Find out by visiting the POC at
http://crashthisthing.com/select.html


I. Background
~~~~~~~~~~~~~
Quoting Wikipedia "ECMAScript is a scripting language, standardized by Ecma 
International in the ECMA-262 specification and ISO/IEC 16262. The language 
is widely used on the web, especially in the form of its three best-known 
dialects, JavaScript, ActionScript, and JScript."


II. Description
~~~~~~~~~~~~~~~
Setting the length of a select element (the select.length call in the PoC
below) to a large integer results in continuous allocation of x+n bytes of
memory, exhausting memory after a while. 
The impact varies from a null pointer dereference (no more memory, hence
crashing the browser) to a reboot of the complete operating system 
(Konqueror & Ubuntu).

There had never been a limit specified as to how many HTML elements the select
call should handle; after the report of this bug, vendors apparently agreed to a 
limit of 10,000 elements : "Talked to some Apple and Opera guys at the 
WHATWG social, and we decided this was a good number"

III. Impact
~~~~~~~~~~~
The impact varies from browser to browser and from OS to OS. 

Here is a small excerpt:
- Konqueror (Ubuntu) - allocates 2GB of memory, then either crashes 
the browser or (most often) the OS reboots. Ubuntu's memory
management appears to be configured NOT to stop the process
that consumes too much memory, but a random process instead.
This sometimes leads to processes that are vital for the OS
being killed, hence the reboot. I am not kidding. Thanks to
FX for the memory management hint.

- Chrome : allocates 2GB of memory, then crashes the tab with a null pointer

- Firefox : allocates 2GB of memory, then the browser crashes

- IE5,6,7,8 : allocates 2GB of memory, then the browser crashes

- Opera : allocates and commits as much memory as available; 
will not crash, but other applications become unstable 

- Nintendo Wii (Opera) : console hangs, needs hard reset
Video: http://vimeo.com/2937101 (Thanks to David Raison)

- Sony PS3 : console hangs, needs hard reset 
Video: http://vimeo.com/2937101 (Thanks to Chris Gates)

- iPhone : iPhone hangs and needs hard reset
Video: http://vimeo.com/2873339 (Thanks to g0tcha)

- Aigo P8860 : browser hangs and cannot be restarted


IV. Proof of concept 
~~~~~~~~~~~~~~~~~~~~
<script>
function poc(o) {
        // A single assignment, no loop: the engine tries to grow the
        // option list to 2^31-1 entries and allocates until memory runs out.
        var e = document.createElement("select");
        e.length = 2147483647;
}

function go() {
        poc(0);
}
</script>

URL: http://www.crashthisthing.com/select.html

Some have not understood what this code does: it does NOT loop, as some vendors
claimed; it just sets select.length ONCE to a huge integer. One might wonder
whether, over the 9 years this bug has existed, nobody ever assigned a large 
number to select.length.
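The mechanism from the Description section and the single-assignment PoC above, modelled as an added example (JavaScript written for this page; it is not code from the advisory or from any browser engine). A plain array stands in for a select element's option list; the unbounded setter the advisory describes sits beside a setter that enforces the 10,000-element cap the vendors agreed on. The ToUint32 coercion mirrors how the DOM binding converts an assigned value to an unsigned long; the per-option byte figure is a constructed assumption used only to illustrate the x+n growth, not an engine measurement. It runs under Node without a browser.

```javascript
// Added example, not code from the advisory or from any browser engine.
// Models HTMLSelectElement.length with plain arrays so it runs under Node:
// the unbounded setter the advisory describes, beside a setter that enforces
// the 10,000-element cap the vendors agreed on after the report.

const ELEMENT_CAP = 10000;             // cap quoted in the advisory
const ASSUMED_BYTES_PER_OPTION = 64;   // constructed figure for the x+n growth, not measured

// What the engine sees when script assigns to select.length: the DOM binding
// converts the value as a WebIDL "unsigned long" (ToUint32, wrapping mod 2^32).
function toUint32(value) {
  const n = Number(value);
  if (!Number.isFinite(n)) return 0;
  return Math.trunc(n) >>> 0;
}

// Unpatched behaviour: grow the option list to exactly the requested length.
// Only the allocation plan is computed here, so the PoC value can be fed in
// without actually exhausting memory.
function unguardedAllocationPlan(currentLength, requested) {
  const target = toUint32(requested);
  const newOptions = Math.max(0, target - currentLength);
  return {
    target,
    newOptions,
    approxBytes: newOptions * ASSUMED_BYTES_PER_OPTION,
  };
}

// Patched behaviour: a length above the cap is ignored before any option is
// created (applied: false, list unchanged); otherwise the list is truncated
// or padded with blank options, as the DOM does for in-range lengths.
function guardedSetLength(options, requested, cap = ELEMENT_CAP) {
  const target = toUint32(requested);
  if (target > cap) {
    return { options: options.slice(), applied: false, target };
  }
  if (target <= options.length) {
    return { options: options.slice(0, target), applied: true, target };
  }
  const grown = options.slice();
  while (grown.length < target) {
    grown.push({ text: "", value: "" });   // blank <option>, as the DOM inserts
  }
  return { options: grown, applied: true, target };
}

// Walk the PoC value through both setters and report the difference.
function demo() {
  const pocValue = 2147483647;         // value used in the advisory's PoC
  const plan = unguardedAllocationPlan(0, pocValue);
  const guarded = guardedSetLength([], pocValue);
  return [
    `unguarded: would create ${plan.newOptions} options (~${plan.approxBytes} bytes)`,
    `guarded:   applied=${guarded.applied}, options kept=${guarded.options.length}`,
  ];
}

console.log(demo().join("\n"));
```

The guarded setter ignores the assignment rather than throwing, which is the observable behaviour a page script gets from a capped engine: the element simply keeps its previous options, and no allocation happens before the comparison against the cap.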

IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~~
Nothing particular to note, except the usual discussion about availability being
a security issue.

V. Thanks
~~~~~~~~~~~~~~~~~~~~~~~~~
Chris Gates, David Raison, Fahem Adam, a team of engineers that recognise themselves
and oCert for not helping coordinate this bug.







Replies to this exploit:

From: Thierry Zoller Thierry@zoller.lu
Sent: Wed 15. Jul 2009 22:18
Dear List,
To all those sending in reports, thank you, *but* please read the patch
section. It is normal that it doesn't work in Safari, Chrome, FF,
Opera any longer; they have been patched. Try IE, for example.

To stop the flood of mails explaining that the POC doesn't work
on Mozilla x.y or Safari x.y: read the "PATCH" section. Please.


Regards,
Thierry





From: MustLive mustlive@websecurity.com.ua
Sent: Fri 17. Jul 2009 23:56
Hello Thierry!

About your "bug to rule them all" I can tell that it's an interesting
vulnerability and interesting research itself. I have found DoS
vulnerabilities in multiple browsers many times, but I never tested in so
many browsers and systems. So you made a large research effort (with the help
of those people who helped you with testing in different systems) - this DoS
hole exists (or existed) in so many systems: different desktop browsers, email
clients, browsers for mobile devices, game devices and possibly other
devices with support for JavaScript.

Maybe some of the DoS holes found by me can also work on multiple platforms,
but I didn't test at such a large scale of devices (just in different browsers
on my PC).

> Credit      : Except Apple - nobody

It's a very common situation (with the not-serious attitude of developers
towards security professionals who found holes in their programs). Especially
in the case of DoS vulnerabilities.

> IV. Disclosure timeline
> ~~~~~~~~~~~~~~~~~~~~~~~~~
> Nothing particular to note, except the usual discussion about availability
> being a security issue.

It is also very common for developers (browser developers in particular) to
not put DoS in the category of security issues (even if they officially said
that they acknowledge DoS as a security issue). So nothing surprising :-) - I
heard such statements many times from browser developers.

Thierry, I even planned to write here a large message on this subject (which
I planned at the beginning of this year), but I canceled it due to lack of
time :-). In short: the developers are not right and DoS is a security issue.

I tested your vulnerability (your PoC) in all my browsers: Mozilla, Firefox,
IE, Opera and Chrome. Here are the results of my tests, which will be an
additional stroke to your picture of vulnerable browsers and systems.

Mozilla 1.7.x is not vulnerable. And this is a reason why I like Mozilla
1.7.x, because it hasn't many of the holes which Mozilla added to new
versions of their Firefox ;-). You wrote that Firefox allocates 2 GB of
memory and then crashes. My Mozilla only allocates about 900 MB of memory
and then stops this process (and stops using the CPU). So it was just a small
lag, without particular strain, so it's not vulnerable.

Firefox 3.0.11 is not vulnerable (because it was fixed in Firefox 3.0.5).

IE6 is vulnerable. But my IE6 is vulnerable in a different way than other
browsers. You wrote that IE5,6,7,8 allocate 2 GB of memory and then
crash. In my case, the browser only takes CPU resources (over 50% on my
two-core processor; it'll be 100% on a single-core processor) without taking
memory.

Opera 9.52 is vulnerable (because it was fixed in the version after Opera
9.64). You wrote that Opera allocates and commits as much memory as available
and will not crash. In my case Opera takes more than 2 GB (almost all memory
available) and then freezes.

Google Chrome 1.0.154.48 is not vulnerable. You wrote that Chrome allocates
2 GB of memory and then crashes the tab with a null pointer. In my case Chrome
takes more than 2 GB of memory and then shows its message about an error on
the page and frees all the memory. So as a result almost no memory or CPU
resources are used by the browser. You wrote that Chrome was patched
(unknown version). As we see, at least version Chrome 1.0.154.48 is not
vulnerable.

There is also one interesting thing.

You mentioned bug #460713 in Mozilla's bugzilla. When yesterday I came via
this link I found that this entry is closed for viewing (even for logged-in
users). So for some unknown reason Mozilla closed access to bug #460713
(https://bugzilla.mozilla.org/show_bug.cgi?id=460713), even though it's
resolved. As you wrote, this hole was fixed in Firefox 3.0.5. This version
was released on the 16th of December 2008, so from that time till now
Mozilla didn't open this bug. Why did they do it? Do they have something to
hide from people :-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


!DSPAM:4a60eeae164971070416737!




From: Thierry Zoller Thierry@zoller.lu
Sent: Wed 15. Jul 2009 22:18
Dear List,
To  all  those  sending in reports, thank you, *but* please read the patch
section.  It  is  normal  that  it doesnt work in Safari, Chrome, FF,
Opera any longer, they have been patched. Try IE for an example.

To stop the flood of mails, explaining that the POC doesnt work
on mozilla x.y, or safari x.y. Read the "PATCH" section. Please.


Regards,
Thierry





From: MustLive mustlive@websecurity.com.ua
Sent: Fri 17. Jul 2009 23:56
Hello Thierry!

About your "bug to rule them all" I can tell, that its interesting
vulnerability and interesting research itself. I have found DoS
vulnerabilities in multiple browsers many time, but I never tested in such
many browsers and systems. So you made a large research (with help of those
people who helped you with testing in different systems) - this DoS hole
exists (or existed) in so many systems: different desktop browsers, email
clients, browsers for mobile devices, game devices and possible other
devices with support of JavaScript.

Maybe some of DoS hole found by me can also work on multiple platforms, but
I didnt tested in such large scale of devices (just in different browsers
at my PC).

> Credit      : Except Apple - nobody

Its very common situation (with not serious relation of developers to
security professionals who found holes in their programs). Especially in
case of DoS vulnerabilities.

> IV. Disclosure timeline
> ~~~~~~~~~~~~~~~~~~~~~~~~~
> Nothing particular to note, except the usual discussion about availability
> being a security issue.

It is also very common for developers (browsers developers in particular) to
not put DoS in category of security issues (even if they officially said
that they acknowledge DoS as security issue). So nothing surprising :-) - I
heard many times such statements from browsers developers.

Thierry, I even planned to write here a large message on this subject (which
I planned in the beginning of this year), but I canceled it due lack of time
:-). In a short: the developers are not right and DoS is a security issue.

I tested your vulnerability (your PoC) in all my browsers: Mozilla, Firefox,
IE, Opera and Chrome. Here are results of my tests, which will be additional
stroke to your picture of vulnerable browsers and systems.

Mozilla 1.7.x is not vulnerable. And this is a reason why I like Mozilla
1.7.x, because it hasnt many of the holes which Mozilla added to new
versions of their Firefox ;-). You wrote that Firefox allocates 2 GB of
memory and then crashes. My Mozilla only allocates about 900 MB of memory
and then stops this process (and stops using of CPU). So it was just small
lag, without particular strain, so its not vulnerable.

Firefox 3.0.11 is not vulnerable (because was fixed in Firefox 3.0.5).

IE6 is vulnerable. But my IE6 is vulnerable in different way then other
browsers. You wrote that IE5,6,7,8 allocates 2 GB of memory and then
crashes. In my case, browser only take CPU resources (over 50% at my two
core processor, itll be 100% on single core processor) without taking of
memory.

Opera 9.52 is vulnerable (because was fixed in version after Opera 9.64).
You wrote that Opera allocated and commits as much memory as available and
will not crash. In my case Opera takes more that 2 GB (almost all memory
available) and then freezes.

Google Chrome 1.0.154.48 is not vulnerable. You wrote that Chrome allocates
2 GB of memory and then crashes tab with a null pointer. In my case Chrome
takes more than 2 GB of memory and then says its message about error at the
page and frees all the memory. So in result almost no memory or CPU
resources are used by the browser. You wrote that Chrome was patched
(unknown version). As we see at least version Chrome 1.0.154.48 is not
vulnerable.

There is also one interesting thing.

You mentioned bug #460713 in Mozillas bugzilla. When yesterday I came via
this link I found that this entry is closed for viewing (even for logged in
users). So for some unknown reasons Mozilla closed access to bug #460713
(https://bugzilla.mozilla.org/show_bug.cgi?id=460713), even if its
resolved. As you wrote, this hole was fixed in Firefox 3.0.5. This version
was released at 16th of December 2008, so from that time and till now
Mozilla didnt open this bug. Why they did it? Do they have something to
hide from people :-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


!DSPAM:4a60eeae164971070416737!




From: Thierry Zoller Thierry@zoller.lu
Sent: Wed 15. Jul 2009 22:18
Dear List,
To  all  those  sending in reports, thank you, *but* please read the patch
section.  It  is  normal  that  it doesnt work in Safari, Chrome, FF,
Opera any longer, they have been patched. Try IE for an example.

To stop the flood of mails, explaining that the POC doesnt work
on mozilla x.y, or safari x.y. Read the "PATCH" section. Please.


Regards,
Thierry





From: MustLive mustlive@websecurity.com.ua
Sent: Fri 17. Jul 2009 23:56
Hello Thierry!

About your "bug to rule them all" I can tell, that its interesting
vulnerability and interesting research itself. I have found DoS
vulnerabilities in multiple browsers many time, but I never tested in such
many browsers and systems. So you made a large research (with help of those
people who helped you with testing in different systems) - this DoS hole
exists (or existed) in so many systems: different desktop browsers, email
clients, browsers for mobile devices, game devices and possible other
devices with support of JavaScript.

Maybe some of DoS hole found by me can also work on multiple platforms, but
I didnt tested in such large scale of devices (just in different browsers
at my PC).

> Credit      : Except Apple - nobody

Its very common situation (with not serious relation of developers to
security professionals who found holes in their programs). Especially in
case of DoS vulnerabilities.

> IV. Disclosure timeline
> ~~~~~~~~~~~~~~~~~~~~~~~~~
> Nothing particular to note, except the usual discussion about availability
> being a security issue.

It is also very common for developers (browsers developers in particular) to
not put DoS in category of security issues (even if they officially said
that they acknowledge DoS as security issue). So nothing surprising :-) - I
heard many times such statements from browsers developers.

Thierry, I even planned to write here a large message on this subject (which
I planned in the beginning of this year), but I canceled it due lack of time
:-). In a short: the developers are not right and DoS is a security issue.

I tested your vulnerability (your PoC) in all my browsers: Mozilla, Firefox,
IE, Opera and Chrome. Here are results of my tests, which will be additional
stroke to your picture of vulnerable browsers and systems.

Mozilla 1.7.x is not vulnerable. And this is a reason why I like Mozilla
1.7.x, because it hasnt many of the holes which Mozilla added to new
versions of their Firefox ;-). You wrote that Firefox allocates 2 GB of
memory and then crashes. My Mozilla only allocates about 900 MB of memory
and then stops this process (and stops using of CPU). So it was just small
lag, without particular strain, so its not vulnerable.

Firefox 3.0.11 is not vulnerable (because was fixed in Firefox 3.0.5).

IE6 is vulnerable. But my IE6 is vulnerable in different way then other
browsers. You wrote that IE5,6,7,8 allocates 2 GB of memory and then
crashes. In my case, browser only take CPU resources (over 50% at my two
core processor, itll be 100% on single core processor) without taking of
memory.

Opera 9.52 is vulnerable (because was fixed in version after Opera 9.64).
You wrote that Opera allocated and commits as much memory as available and
will not crash. In my case Opera takes more that 2 GB (almost all memory
available) and then freezes.

Google Chrome 1.0.154.48 is not vulnerable. You wrote that Chrome allocates
2 GB of memory and then crashes tab with a null pointer. In my case Chrome
takes more than 2 GB of memory and then says its message about error at the
page and frees all the memory. So in result almost no memory or CPU
resources are used by the browser. You wrote that Chrome was patched
(unknown version). As we see at least version Chrome 1.0.154.48 is not
vulnerable.

There is also one interesting thing.

You mentioned bug #460713 in Mozillas bugzilla. When yesterday I came via
this link I found that this entry is closed for viewing (even for logged in
users). So for some unknown reasons Mozilla closed access to bug #460713
(https://bugzilla.mozilla.org/show_bug.cgi?id=460713), even if its
resolved. As you wrote, this hole was fixed in Firefox 3.0.5. This version
was released at 16th of December 2008, so from that time and till now
Mozilla didnt open this bug. Why they did it? Do they have something to
hide from people :-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


!DSPAM:4a60eeae164971070416737!




From: Thierry Zoller Thierry@zoller.lu
Sent: Wed 15. Jul 2009 22:18
Dear List,
To  all  those  sending in reports, thank you, *but* please read the patch
section.  It  is  normal  that  it doesnt work in Safari, Chrome, FF,
Opera any longer, they have been patched. Try IE for an example.

To stop the flood of mails, explaining that the POC doesnt work
on mozilla x.y, or safari x.y. Read the "PATCH" section. Please.


Regards,
Thierry





From: MustLive mustlive@websecurity.com.ua
Sent: Fri 17. Jul 2009 23:56
Hello Thierry!

About your "bug to rule them all" I can tell, that its interesting
vulnerability and interesting research itself. I have found DoS
vulnerabilities in multiple browsers many time, but I never tested in such
many browsers and systems. So you made a large research (with help of those
people who helped you with testing in different systems) - this DoS hole
exists (or existed) in so many systems: different desktop browsers, email
clients, browsers for mobile devices, game devices and possible other
devices with support of JavaScript.

Maybe some of DoS hole found by me can also work on multiple platforms, but
I didnt tested in such large scale of devices (just in different browsers
at my PC).

> Credit      : Except Apple - nobody

Its very common situation (with not serious relation of developers to
security professionals who found holes in their programs). Especially in
case of DoS vulnerabilities.

> IV. Disclosure timeline
> ~~~~~~~~~~~~~~~~~~~~~~~~~
> Nothing particular to note, except the usual discussion about availability
> being a security issue.

It is also very common for developers (browsers developers in particular) to
not put DoS in category of security issues (even if they officially said
that they acknowledge DoS as security issue). So nothing surprising :-) - I
heard many times such statements from browsers developers.

Thierry, I even planned to write here a large message on this subject (which
I planned in the beginning of this year), but I canceled it due lack of time
:-). In a short: the developers are not right and DoS is a security issue.

I tested your vulnerability (your PoC) in all my browsers: Mozilla, Firefox,
IE, Opera and Chrome. Here are results of my tests, which will be additional
stroke to your picture of vulnerable browsers and systems.

Mozilla 1.7.x is not vulnerable. And this is a reason why I like Mozilla
1.7.x, because it hasnt many of the holes which Mozilla added to new
versions of their Firefox ;-). You wrote that Firefox allocates 2 GB of
memory and then crashes. My Mozilla only allocates about 900 MB of memory
and then stops this process (and stops using of CPU). So it was just small
lag, without particular strain, so its not vulnerable.

Firefox 3.0.11 is not vulnerable (because was fixed in Firefox 3.0.5).

IE6 is vulnerable. But my IE6 is vulnerable in different way then other
browsers. You wrote that IE5,6,7,8 allocates 2 GB of memory and then
crashes. In my case, browser only take CPU resources (over 50% at my two
core processor, itll be 100% on single core processor) without taking of
memory.

Opera 9.52 is vulnerable (because was fixed in version after Opera 9.64).
You wrote that Opera allocated and commits as much memory as available and
will not crash. In my case Opera takes more that 2 GB (almost all memory
available) and then freezes.

Google Chrome 1.0.154.48 is not vulnerable. You wrote that Chrome allocates
2 GB of memory and then crashes tab with a null pointer. In my case Chrome
takes more than 2 GB of memory and then says its message about error at the
page and frees all the memory. So in result almost no memory or CPU
resources are used by the browser. You wrote that Chrome was patched
(unknown version). As we see at least version Chrome 1.0.154.48 is not
vulnerable.

There is also one interesting thing.

You mentioned bug #460713 in Mozillas bugzilla. When yesterday I came via
this link I found that this entry is closed for viewing (even for logged in
users). So for some unknown reasons Mozilla closed access to bug #460713
(https://bugzilla.mozilla.org/show_bug.cgi?id=460713), even if its
resolved. As you wrote, this hole was fixed in Firefox 3.0.5. This version
was released at 16th of December 2008, so from that time and till now
Mozilla didnt open this bug. Why they did it? Do they have something to
hide from people :-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


!DSPAM:4a60eeae164971070416737!




From: Thierry Zoller Thierry@zoller.lu
Sent: Wed 15. Jul 2009 22:18
Dear List,
To  all  those  sending in reports, thank you, *but* please read the patch
section.  It  is  normal  that  it doesnt work in Safari, Chrome, FF,
Opera any longer, they have been patched. Try IE for an example.

To stop the flood of mails, explaining that the POC doesnt work
on mozilla x.y, or safari x.y. Read the "PATCH" section. Please.


Regards,
Thierry





From: MustLive mustlive@websecurity.com.ua
Sent: Fri 17. Jul 2009 23:56
Hello Thierry!

About your "bug to rule them all" I can tell, that its interesting
vulnerability and interesting research itself. I have found DoS
vulnerabilities in multiple browsers many time, but I never tested in such
many browsers and systems. So you made a large research (with help of those
people who helped you with testing in different systems) - this DoS hole
exists (or existed) in so many systems: different desktop browsers, email
clients, browsers for mobile devices, game devices and possible other
devices with support of JavaScript.

Maybe some of DoS hole found by me can also work on multiple platforms, but
I didnt tested in such large scale of devices (just in different browsers
at my PC).

> Credit      : Except Apple - nobody

Its very common situation (with not serious relation of developers to
security professionals who found holes in their programs). Especially in
case of DoS vulnerabilities.

> IV. Disclosure timeline
> ~~~~~~~~~~~~~~~~~~~~~~~~~
> Nothing particular to note, except the usual discussion about availability
> being a security issue.

It is also very common for developers (browsers developers in particular) to
not put DoS in category of security issues (even if they officially said
that they acknowledge DoS as security issue). So nothing surprising :-) - I
heard many times such statements from browsers developers.

Thierry, I even planned to write here a large message on this subject (which
I planned in the beginning of this year), but I canceled it due lack of time
:-). In a short: the developers are not right and DoS is a security issue.

I tested your vulnerability (your PoC) in all my browsers: Mozilla, Firefox,
IE, Opera and Chrome. Here are results of my tests, which will be additional
stroke to your picture of vulnerable browsers and systems.

Mozilla 1.7.x is not vulnerable. And this is a reason why I like Mozilla
1.7.x, because it hasnt many of the holes which Mozilla added to new
versions of their Firefox ;-). You wrote that Firefox allocates 2 GB of
memory and then crashes. My Mozilla only allocates about 900 MB of memory
and then stops this process (and stops using of CPU). So it was just small
lag, without particular strain, so its not vulnerable.

Firefox 3.0.11 is not vulnerable (because was fixed in Firefox 3.0.5).

IE6 is vulnerable. But my IE6 is vulnerable in different way then other
browsers. You wrote that IE5,6,7,8 allocates 2 GB of memory and then
crashes. In my case, browser only take CPU resources (over 50% at my two
core processor, itll be 100% on single core processor) without taking of
memory.

Opera 9.52 is vulnerable (because was fixed in version after Opera 9.64).
You wrote that Opera allocated and commits as much memory as available and
will not crash. In my case Opera takes more that 2 GB (almost all memory
available) and then freezes.

Google Chrome 1.0.154.48 is not vulnerable. You wrote that Chrome allocates
2 GB of memory and then crashes tab with a null pointer. In my case Chrome
takes more than 2 GB of memory and then says its message about error at the
page and frees all the memory. So in result almost no memory or CPU
resources are used by the browser. You wrote that Chrome was patched
(unknown version). As we see at least version Chrome 1.0.154.48 is not
vulnerable.

There is also one interesting thing.

You mentioned bug #460713 in Mozillas bugzilla. When yesterday I came via
this link I found that this entry is closed for viewing (even for logged in
users). So for some unknown reasons Mozilla closed access to bug #460713
(https://bugzilla.mozilla.org/show_bug.cgi?id=460713), even if its
resolved. As you wrote, this hole was fixed in Firefox 3.0.5. This version
was released at 16th of December 2008, so from that time and till now
Mozilla didnt open this bug. Why they did it? Do they have something to
hide from people :-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


!DSPAM:4a60eeae164971070416737!




From: Thierry Zoller Thierry@zoller.lu
Sent: Wed 15. Jul 2009 22:18
Dear List,
To  all  those  sending in reports, thank you, *but* please read the patch
section.  It  is  normal  that  it doesnt work in Safari, Chrome, FF,
Opera any longer, they have been patched. Try IE for an example.

To stop the flood of mails, explaining that the POC doesnt work
on mozilla x.y, or safari x.y. Read the "PATCH" section. Please.


Regards,
Thierry





From: MustLive mustlive@websecurity.com.ua
Sent: Fri 17. Jul 2009 23:56
Hello Thierry!

About your "bug to rule them all" I can tell, that its interesting
vulnerability and interesting research itself. I have found DoS
vulnerabilities in multiple browsers many time, but I never tested in such
many browsers and systems. So you made a large research (with help of those
people who helped you with testing in different systems) - this DoS hole
exists (or existed) in so many systems: different desktop browsers, email
clients, browsers for mobile devices, game devices and possible other
devices with support of JavaScript.

Maybe some of DoS hole found by me can also work on multiple platforms, but
I didnt tested in such large scale of devices (just in different browsers
at my PC).

> Credit      : Except Apple - nobody

Its very common situation (with not serious relation of developers to
security professionals who found holes in their programs). Especially in
case of DoS vulnerabilities.

> IV. Disclosure timeline
> ~~~~~~~~~~~~~~~~~~~~~~~~~
> Nothing particular to note, except the usual discussion about availability
> being a security issue.

It is also very common for developers (browsers developers in particular) to
not put DoS in category of security issues (even if they officially said
that they acknowledge DoS as security issue). So nothing surprising :-) - I
heard many times such statements from browsers developers.

Thierry, I even planned to write here a large message on this subject (which
I planned in the beginning of this year), but I canceled it due lack of time
:-). In a short: the developers are not right and DoS is a security issue.

I tested your vulnerability (your PoC) in all my browsers: Mozilla, Firefox,
IE, Opera and Chrome. Here are results of my tests, which will be additional
stroke to your picture of vulnerable browsers and systems.

Mozilla 1.7.x is not vulnerable. And this is a reason why I like Mozilla
1.7.x, because it hasnt many of the holes which Mozilla added to new
versions of their Firefox ;-). You wrote that Firefox allocates 2 GB of
memory and then crashes. My Mozilla only allocates about 900 MB of memory
and then stops this process (and stops using of CPU). So it was just small
lag, without particular strain, so its not vulnerable.

Firefox 3.0.11 is not vulnerable (because was fixed in Firefox 3.0.5).

IE6 is vulnerable. But my IE6 is vulnerable in different way then other
browsers. You wrote that IE5,6,7,8 allocates 2 GB of memory and then
crashes. In my case, browser only take CPU resources (over 50% at my two
core processor, itll be 100% on single core processor) without taking of
memory.

Opera 9.52 is vulnerable (because was fixed in version after Opera 9.64).
You wrote that Opera allocated and commits as much memory as available and
will not crash. In my case Opera takes more that 2 GB (almost all memory
available) and then freezes.

Google Chrome 1.0.154.48 is not vulnerable. You wrote that Chrome allocates
2 GB of memory and then crashes tab with a null pointer. In my case Chrome
takes more than 2 GB of memory and then says its message about error at the
page and frees all the memory. So in result almost no memory or CPU
resources are used by the browser. You wrote that Chrome was patched
(unknown version). As we see at least version Chrome 1.0.154.48 is not
vulnerable.

There is also one interesting thing.

You mentioned bug #460713 in Mozilla's Bugzilla. When yesterday I came via
this link I found that this entry is closed for viewing (even for logged-in
users). So for some unknown reason Mozilla closed access to bug #460713
(https://bugzilla.mozilla.org/show_bug.cgi?id=460713), even though it's
resolved. As you wrote, this hole was fixed in Firefox 3.0.5. This version
was released on the 16th of December 2008, so from that time till now
Mozilla hasn't opened this bug. Why did they do it? Do they have something to
hide from people :-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua






From: Thierry Zoller Thierry@zoller.lu
Sent: Wed 15. Jul 2009 22:18
Dear List,
To all those sending in reports, thank you, *but* please read the patch
section. It is normal that it doesn't work in Safari, Chrome, FF,
Opera any longer, they have been patched. Try IE for an example.

To stop the flood of mails explaining that the POC doesn't work
on Mozilla x.y or Safari x.y: read the "PATCH" section. Please.


Regards,
Thierry











From: MustLive mustlive@websecurity.com.ua
Sent: Fri 17. Jul 2009 23:56
Hello Thierry!

About your "bug to rule them all" I can tell, that its interesting
vulnerability and interesting research itself. I have found DoS
vulnerabilities in multiple browsers many time, but I never tested in such
many browsers and systems. So you made a large research (with help of those
people who helped you with testing in different systems) - this DoS hole
exists (or existed) in so many systems: different desktop browsers, email
clients, browsers for mobile devices, game devices and possible other
devices with support of JavaScript.

Maybe some of DoS hole found by me can also work on multiple platforms, but
I didnt tested in such large scale of devices (just in different browsers
at my PC).

> Credit      : Except Apple - nobody

Its very common situation (with not serious relation of developers to
security professionals who found holes in their programs). Especially in
case of DoS vulnerabilities.

> IV. Disclosure timeline
> ~~~~~~~~~~~~~~~~~~~~~~~~~
> Nothing particular to note, except the usual discussion about availability
> being a security issue.

It is also very common for developers (browsers developers in particular) to
not put DoS in category of security issues (even if they officially said
that they acknowledge DoS as security issue). So nothing surprising :-) - I
heard many times such statements from browsers developers.

Thierry, I even planned to write here a large message on this subject (which
I planned in the beginning of this year), but I canceled it due lack of time
:-). In a short: the developers are not right and DoS is a security issue.

I tested your vulnerability (your PoC) in all my browsers: Mozilla, Firefox,
IE, Opera and Chrome. Here are results of my tests, which will be additional
stroke to your picture of vulnerable browsers and systems.

Mozilla 1.7.x is not vulnerable. And this is a reason why I like Mozilla
1.7.x, because it hasnt many of the holes which Mozilla added to new
versions of their Firefox ;-). You wrote that Firefox allocates 2 GB of
memory and then crashes. My Mozilla only allocates about 900 MB of memory
and then stops this process (and stops using of CPU). So it was just small
lag, without particular strain, so its not vulnerable.

Firefox 3.0.11 is not vulnerable (because was fixed in Firefox 3.0.5).

IE6 is vulnerable. But my IE6 is vulnerable in different way then other
browsers. You wrote that IE5,6,7,8 allocates 2 GB of memory and then
crashes. In my case, browser only take CPU resources (over 50% at my two
core processor, itll be 100% on single core processor) without taking of
memory.

Opera 9.52 is vulnerable (because was fixed in version after Opera 9.64).
You wrote that Opera allocated and commits as much memory as available and
will not crash. In my case Opera takes more that 2 GB (almost all memory
available) and then freezes.

Google Chrome 1.0.154.48 is not vulnerable. You wrote that Chrome allocates
2 GB of memory and then crashes tab with a null pointer. In my case Chrome
takes more than 2 GB of memory and then says its message about error at the
page and frees all the memory. So in result almost no memory or CPU
resources are used by the browser. You wrote that Chrome was patched
(unknown version). As we see at least version Chrome 1.0.154.48 is not
vulnerable.

There is also one interesting thing.

You mentioned bug #460713 in Mozillas bugzilla. When yesterday I came via
this link I found that this entry is closed for viewing (even for logged in
users). So for some unknown reasons Mozilla closed access to bug #460713
(https://bugzilla.mozilla.org/show_bug.cgi?id=460713), even if its
resolved. As you wrote, this hole was fixed in Firefox 3.0.5. This version
was released at 16th of December 2008, so from that time and till now
Mozilla didnt open this bug. Why they did it? Do they have something to
hide from people :-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


!DSPAM:4a60eeae164971070416737!




From: Thierry Zoller Thierry@zoller.lu
Sent: Wed 15. Jul 2009 22:18
Dear List,
To all those sending in reports, thank you, *but* please read the patch
section. It is normal that it doesn't work in Safari, Chrome, FF or
Opera any longer; they have been patched. Try IE, for example.

To stop the flood of mails explaining that the POC doesn't work
on Mozilla x.y or Safari x.y: read the "PATCH" section. Please.


Regards,
Thierry




