One bug to rule them all - IE, Firefox, Safari, Opera, Konqueror, Seamonkey, Wii, PS3, iPhone, iPod,

Discussion in 'NZ Computing' started by Max Burke, Jul 16, 2009.

  1. Max Burke

    Max Burke Guest

    One bug to rule them all - IE, Firefox, Safari, Opera, Konqueror,
    Seamonkey, Wii, PS3, iPhone, iPod, Nokia, Siemens.... and more.

    Reference : [GSEC-TZO-26-2009] - One bug to rule them all
    CVE : CVE-2009-1692 (created by Apple, this bug has same root cause)
    Credit: Thierry Zoller

    Affected products :
    Internet Explorer 5, 6, 7, 8 (all versions)
    Chrome (limited)
    Opera
    Seamonkey
    Midbrowser
    Netscape 6 & 8 (9 years ago)
    Konqueror (all versions)
    Apple iPhone + iPod
    Apple Safari
    Thunderbird
    Nokia Phones : Nokia N95 (Symbian OS v.9.2),Nokia N82, Nokia N810
    Internet Tablet
    Aigo P8860 (Browser hangs and cannot be restarted)
    Siemens phones
    Google T-Mobile G1 TC4-RC30
    Ubuntu (Operating system sometimes reboots, memory management failure)
    Possibly more devices and products that support JavaScript.

    Patch availability :
    Mozilla : Fixed in Firefox 3.0.5 and 2.0.0.19
    https://bugzilla.mozilla.org/show_bug.cgi?id=460713
    Thunderbird (unknown)
    IE : No fix for IE5,IE6,IE7,IE8 until IE9
    Konqueror : unknown (did not respond)
    Apple iPhone&iPod : patched
    Nokia : unknown, opened a case but never came back
    Aigo P8860 : unknown
    Siemens : unknown
    Chrome : unknown, but patch not really required (only tab is affected)
    Webkit : fixed in r41741 - https://bugs.webkit.org/show_bug.cgi?id=23319
    Opera : after version 9.64
    Others ? Find out by visiting the POC at
    http://crashthisthing.com/select.html

    I. Background
    Quoting Wikipedia "ECMAScript is a scripting language, standardized by
    Ecma International in the ECMA-262 specification and ISO/IEC 16262. The
    language is widely used on the web, especially in the form of its three
    best-known dialects, JavaScript, ActionScript, and JScript."

    II. Description
    Calling the select() method with a large integer results in continuous
    allocation of x+n bytes of memory, exhausting memory after a while.

    The impact varies from a null pointer dereference (no more memory, hence
    crashing the browser) to the reboot of the complete Operating System
    (Konqueror & Ubuntu).

    There had never been a limit specified as to how many HTML elements the
    select call should handle. After the report of this bug, vendors
    apparently agreed to a limit of 10.000 elements: "Talked to some Apple
    and Opera guys at the WHATWG social, and we decided this was a good number"

    III. Impact
    The impact varies from browser to browser and sometimes from OS to OS

    Konqueror (Ubuntu)- allocates 2GB of memory then either crashes the
    Browser or (most often) the OS reboots. Ubuntu's memory management
    system is configured as to NOT stop the process that consumes too much
    memory, but a random process. This sometimes leads to processes that are
    vital for the OS to be killed, hence the reboot. I am not kidding.
    Thanks to 'FX' for the memory management hint.

    Chrome : allocates 2GB of memory then crashes tab with a null pointer

    Firefox : allocates 2GB of memory then the Browser crashes

    IE5,6,7,8 : allocates 2GB of memory then the Browser crashes

    Opera : Allocates and commits as much memory as available, will not
    crash but other applications will become unstable
    Nintendo Wii (Opera) : Console hangs, needs hard reset
    Video: http://vimeo.com/2937101

    Sony PS3 - Console hangs, needs hard reset
    Video: http://vimeo.com/2937101

    iPhone - iPhone hangs and needs hard reset
    Video: http://vimeo.com/2873339

    Aigo P8860 (Browser hangs and cannot be restarted)

    V. Disclosure timeline
    Nothing particular to note.

    http://www.g-sec.lu/one-bug-to-rule-them-all.html

    IV? POC :(

    Thanks to SBS Diva and MS MVP Susan Bradley for the above.
    Published Wed, Jul 15 2009 20:45 by donna

    http://msmvps.com/blogs/donna/default.aspx

    --

    Replace the obvious with paradise.net to email me
    Found Images
    http://homepages.paradise.net.nz/~mlvburke
     
    Max Burke, Jul 16, 2009
    #1
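
The fix described in the advisory above is a hard cap on how many elements a select may hold. The following is an added example, not part of the original post, the advisory, or any browser's source: a plain-JavaScript model of a resize routine that checks the cap before allocating. `BoundedSelect`, `MAX_SELECT_ITEMS` and `setLength` are hypothetical names, and refusing oversized requests outright (rather than clamping) is this sketch's assumption.

```javascript
// Added illustration: model of a bounded option list (runs in Node, no DOM).
// BoundedSelect / MAX_SELECT_ITEMS / setLength are hypothetical names.
const MAX_SELECT_ITEMS = 10000; // the limit quoted in the advisory

class BoundedSelect {
  constructor() {
    this.options = [];
    this.rejected = []; // refused requests, kept for logging
  }

  get length() {
    return this.options.length;
  }

  // Resize the option list. Returns true when applied, false when refused.
  setLength(requested) {
    const n = Number(requested);
    // Refuse anything that is not a non-negative integer.
    if (!Number.isInteger(n) || n < 0) {
      this.rejected.push({ requested, reason: "not a non-negative integer" });
      return false;
    }
    // Check the cap BEFORE allocating anything.
    if (n > MAX_SELECT_ITEMS) {
      this.rejected.push({ requested, reason: "exceeds MAX_SELECT_ITEMS" });
      return false;
    }
    if (n < this.options.length) {
      this.options.length = n; // shrinking just truncates
      return true;
    }
    while (this.options.length < n) {
      this.options.push({ text: "", value: "" });
    }
    return true;
  }
}

// Constructed sample requests: typical, boundary, oversized, malformed.
function demo() {
  const sel = new BoundedSelect();
  const requests = [3, MAX_SELECT_ITEMS, MAX_SELECT_ITEMS + 1, 2147483647, -1, "12", 1.5];
  const results = requests.map((req) => (
    { req, applied: sel.setLength(req), length: sel.length }
  ));
  return { results, rejected: sel.rejected.length };
}

console.log(demo().results);
```
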

  2. Alan

    Alan Guest

    Re: One bug to rule them all - IE, Firefox, Safari, Opera, Konqueror, Seamonkey, Wii, PS3, iPhone, iPod, Nokia, Siemens, Ubuntu.... and more.

    That's an impressive coverage of newsgroups across servers that you
    managed to post to in a short period of time!

    Alan.

    --

    The views expressed are my own, not those of my employer or others.
    My unmunged email is: (valid for 30 days
    min probably much longer).
     
    Alan, Jul 16, 2009
    #2
