[Full-Disclosure] MSIE & FIREFOX flaws: "detailed" advisory and comments that you probably don't want to read anyway
skylined at edup.tudelft.nl
Fri Nov 26 02:09:16 GMT 2004
Skip to the "-- Advisory --" part if you are not interested in reading about disclosure but you are interested in non-technical details about the array sort "vulnerability" I released.
----- Original Message -----
From: "Dragos Ruiu" <dr at kyx.net>
> He didn't have to release it... he could have sold it or any number of
> other things including just exploiting it quietly. We should stop
> shooting the messenger and say thanks to people who do other's
> debugging for free and for all our own good.
> my 2c,
Exactly. And since none of the vulnerable vendors have put out an advisory as far as I know, I'll let you all know the impact of this bug myself. For free because I don't want you to lose any sleep over a lame crash:
-- Advisory ------------------------------
Both MSIE and firefox have the same problem handling this. Since a lot of people did not understand me when I told you in 1337 h4x0r15h, I'll put it in n00b English:
The code I posted makes both browsers use up (stack)memory again and again untill there is no more left. This causes an exception which can not be handled by both programs so both of them will be terminated: nothing to worry about, there is no exploit for this, it just crashes the program.
-- End advisory --------------------------
So... it was all a big piece of FUD, which was exactly what I needed to get my point across. I do not kid myself that I can convince everybody, but at least I got a lot of people thinking and hopefully even more convinced that a lot of vendors do not acknowledge indepedent security researchers for their true value and (even more important to a lot of you) do not act upon bugs as fast as is needed nowadays.
What if I was without integrity, as some people would have it, and would write a worm exploiting some (or all) of the bugs I had found over the years ? Think about it... I could have sold a worm like that for good money to less scrupulous people but instead I chose to disclose all that information responsible.
People that do not agree I disclosed the information on the IFRAME vulnerability responsible are people that could not have gathered the information for themselves from the earlier post by ned. Everybody that could exploit it (it wasn't that difficult) allready knew what I told you and probably was exploiting it without you knowing.
I truely am sorry for the people who do not understand my motives or think I did wrong. I am even more sorry for people that got hit with InternetExploiter and it's derivatives. Both should keep in mind that if I had not disclosed this, AV/IDS/etc vendors would not have known about/acted upon the problem and a patch would have been even lower priority than it seems to be now. Saying that there was no problem before I released the exploit code for the IFRAME vulnerability is a load of dingo's kidneys. I believe a lot more people could have been affected and in much worse ways then they have been now if this had remained undergound.
PS. Note to self: stop wasting time on useless discussions on the internet.
Full-Disclosure is hosted and sponsored by Secunia.