If at first you don't succeed; call it version 1.0
Sunday, December 18, 2005

SkyLined has just released a new version of "Beta", a binary data encoding tool.
Go get it at Milw0rm.

 


Sunday, December 18, 2005 2:26:27 PM UTC | Comments [1] | Security#
Wednesday, December 14, 2005

After 5 months, Mozilla foundation have finally updated their advisory, and set the severity status to 'Critical'.

This small "victory" actually expose the hypocrisy of the Security Community. Many times before we have seen security experts bashing Microsoft for downplaying vulnerabilities (even patched ones). But, when it comes to Mozilla products, the silence of the community rumbles.

I hope this incident will set a red flag at Mozilla foundation, and they'll do better in the future with their vulnerabilities management. Just a reminder - they have yet to take back their claim of ZIPL0CK's DoS finding to be just a 'minor' issue.

I've also encountered some disturbing information regarding FireFox users who haven't upgraded their browser, and are still vulnerable to the InstallVersion.compareTo() vulnerability. I will publish this info soon.
If you are still using old version of FireFox please upgrade as soon as possible.

 


Wednesday, December 14, 2005 2:09:50 PM UTC | Comments [0] | Security#
Monday, December 12, 2005

What is wrong with the following screen shot?

firefox100_t.jpg


Monday, December 12, 2005 10:11:26 PM UTC | Comments [0] | Security#
Sunday, December 11, 2005

A few days ago, ZIPL0CK introduced a new Denial Of Service vulnerability in Firefox. By creating a huge web page title, which will fill the history.dat file with large content, Firefox will hang for some time (depending the content size and the user's system) on the next time the user will try to use the browser.

Today, Mozilla foundation published an advisory, claiming this issue is not so serious, and that the unresponsiveness of the browser is only "temporary". This is true for the Proof-of-Concept exploit, and for people with strong computers. But by modifying the PoC, an attacker can easily achieve a humongous history.dat file which will cause the Firefox to hang (with 100% CPU utilization) for a LONG LONG time. So long, that most users will not wait just to delete the history as suggested by Mozilla foundation in the advisory. The right workaround would be to delete the history.dat file. Moreover, Mozilla foundation should acknowledge this problem as more severe, and address it as soon as possible.

This reminds me the last time Mozilla underestimated a vulnerability. I've also posted this issue to Full-Disclosure, but yet to receive response from Mozilla. 

I think it's been enough time for people to upgrade from v1.0.4. of Firefox. So, here is the PoC exploit for the InstallVersion.compareTo() vulnerability. The PoC does nothing but returns (this can be easily replaced with shell code), and it uses SkyLined's InternetExploiter2 methodology to inject code to the heap.

[UPDATE:] Apparently, Mozilla team has removed the access to the InstallVersion.compareTo() bug report page. I hope this means they will finally set the severity of this security hole in the advisory to higher than just 'Moderate'.

[Another Update:] Packetstorm has removed the Denial-of-Service exploit page. This PoC can be found at milw0rm.

[Last Update? :] The InstallVersion.compareTo() bug report page is opened again. Unfortunately, the severity of the vulnerability in the advisory is still 'Moderate' :(.

[Last Update! :] Victory! Well, Sort Of..


Sunday, December 11, 2005 1:36:24 PM UTC | Comments [10] | Security#
Send me an Email
Follow me on Twitter
RSS Feeds
  
Blogroll
Archive
Admin Login
Sign In
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.