Home page logo

fulldisclosure logo Full Disclosure mailing list archives

MSIE & FIREFOX flaws: "detailed" advisory and comments that you probably don't want to read anyway
From: "Berend-Jan Wever" <skylined () edup tudelft nl>
Date: Fri, 26 Nov 2004 03:09:16 +0100

Skip to the "-- Advisory --" part if you are not interested in reading about disclosure but you are interested in 
non-technical details about the array sort "vulnerability" I released.

----- Original Message ----- 
From: "Dragos Ruiu" <dr () kyx net>
He didn't have to release it... he could have sold it or any number of 
other things including just exploiting it quietly.  We should stop 
shooting the messenger and say thanks to people who do other's 
debugging for free and for all our own good.

my 2c,
Exactly. And since none of the vulnerable vendors have put out an advisory as far as I know, I'll let you all know the 
impact of this bug myself. For free because I don't want you to lose any sleep over a lame crash:

-- Advisory ------------------------------
Both MSIE and firefox have the same problem handling this. Since a lot of people did not understand me when I told you 
in 1337 h4x0r15h, I'll put it in n00b English:

The code I posted makes both browsers use up (stack)memory again and again untill there is no more left. This causes an 
exception which can not be handled by both programs so both of them will be terminated: nothing to worry about, there 
is no exploit for this, it just crashes the program.
-- End advisory --------------------------

So... it was all a big piece of FUD, which was exactly what I needed to get my point across. I do not kid myself that I 
can convince everybody, but at least I got a lot of people thinking and hopefully even more convinced that a lot of 
vendors do not acknowledge indepedent security researchers for their true value and (even more important to a lot of 
you) do not act upon bugs as fast as is needed nowadays.

What if I was without integrity, as some people would have it, and would write a worm exploiting some (or all) of the 
bugs I had found over the years ? Think about it... I could have sold a worm like that for good money to less 
scrupulous people but instead I chose to disclose all that information responsible.

People that do not agree I disclosed the information on the IFRAME vulnerability responsible are people that could not 
have gathered the information for themselves from the earlier post by ned. Everybody that could exploit it (it wasn't 
that difficult) allready knew what I told you and probably was exploiting it without you knowing.

I truely am sorry for the people who do not understand my motives or think I did wrong. I am even more sorry for people 
that got hit with InternetExploiter and it's derivatives. Both should keep in mind that if I had not disclosed this, 
AV/IDS/etc vendors would not have known about/acted upon the problem and a patch would have been even lower priority 
than it seems to be now. Saying that there was no problem before I released the exploit code for the IFRAME 
vulnerability is a load of dingo's kidneys. I believe a lot more people could have been affected and in much worse ways 
then they have been now if this had remained undergound.


PS. Note to self: stop wasting time on useless discussions on the internet.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]