[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Update: Web browsers - a mini-farce (MSIE gives in)

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxx, vulnwatch@xxxxxxxxxxxxx
Subject: Update: Web browsers - a mini-farce (MSIE gives in)
From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
Date: Sat, 23 Oct 2004 01:28:37 +0200 (CEST)

Firstly, a brief update on the status of reported sample vulnerabilities:

  - mozilla_die1.html: confirmed, fixed in snapshots (DoS most of the time)
  - mozilla_die2.html: confirmed, being worked on (likely exploitable)
  - opera_die1.html: confirmed, being worked on (likely exploitable)
  - lynx_die1.html: confirmed, independent fixes from OpenBSD team (DoS)
  - links_die1.html: no official confirmation, no data (DoS)

I have no data on whether any of the vendors bothered to run my scripts to
find any further problems that are bound to surface.

I have also received reports of crashes caused by mangeme.cgi with the
following browsers:

  - Safari / Konqueror (KHTML engine)
  - elvis
  - elinks (links engine)
  - w3m

Last but not least, MSIE gives in:

>   Only MSIE appears to be able to consistently handle [*] malformed
>   input well, suggesting this is the only program that underwent
>   rudimentary security QA testing with a similar fuzz utility.

To all those who considered my original post to be a great propaganda
ammunition for praising MSIE, bad news - although it did take a longer
while for it to give up - three hours - (impressive by comparison to
competitors), it eventually did:

  http://lcamtuf.coredump.cx/mangleme/gallery/ie_die1.html

Tested on 6.0.2800.1106, dies in mshtml.dll. This is a NULL pointer
dereference, so merely a DoS condition, but still an evident flaw in
basic HTML parsing.

******************************************************************
* This means that VIRTUALLY EVERY BROWSER IN USE TODAY is unable *
* to securely render HTML. Keeping in mind that not only web     *
* browsing, but also integrated e-mail is at risk, it is a grim  *
* thought.                                                       *
******************************************************************

Because I did not ask CERT or NIPC for patronage, did not get 20 CVE
numbers for each variant of each of the issues, nor do I have a
black-on-white webpage with stock graphics, this will likely not generate
any media splash, but I for one consider my findings to be far more
chilling that a wave of tabbed browsing URL spoofing flaws and similar
recent browser issues.

For those interested in doing some of my homework, I've updated the tool,
incorporating several minor changes to its semantics to make it somewhat
more powerful: download http://lcamtuf.coredump.cx/soft/mangleme.tgz for
version 1.2.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-10-23 00:11 --

   http://lcamtuf.coredump.cx/photo/current/

Follow-Ups:
- Re: [Full-Disclosure] Update: Web browsers - a mini-farce (MSIE gives in)
  - From: Daniel Veditz

References:
- Web browsers - a mini-farce
  - From: Michal Zalewski

Prev by Date: rssh: pizzacode security alert
Next by Date: Re: Google Script Insertion Exploit
Previous by thread: Web browsers - a mini-farce
Next by thread: Re: [Full-Disclosure] Update: Web browsers - a mini-farce (MSIE gives in)
Index(es):
- Date
- Thread