The recent release of Firefox 32 fixes another interesting image
parsing issue found by afl [1]: following a refactoring of memory
management code, the past few versions of the browser ended up using
uninitialized memory for certain types of truncated images, which is
easily measurable with a simple <canvas> + toDataURL() harness that
examines all the fuzzer-generated test cases.
Depending on a variety of factors, problems like that may leak secrets
across web origins, or more prosaically, may help attackers bypass
security measures such as ASLR. Here's a short proof-of-concept that
should work if you haven't updated to 32 yet:
http://lcamtuf.coredump.cx/
This is tracked as CVE-2014-1564, Mozilla bug 1045977, MFSA 2014-69.
[1] http://code.google.com/p/
PS. Mildly interesting:
http://www.chromium.org/Home/
Authored by Michal Zalewski
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
parsing issue found by afl [1]: following a refactoring of memory
management code, the past few versions of the browser ended up using
uninitialized memory for certain types of truncated images, which is
easily measurable with a simple <canvas> + toDataURL() harness that
examines all the fuzzer-generated test cases.
Depending on a variety of factors, problems like that may leak secrets
across web origins, or more prosaically, may help attackers bypass
security measures such as ASLR. Here's a short proof-of-concept that
should work if you haven't updated to 32 yet:
http://lcamtuf.coredump.cx/
This is tracked as CVE-2014-1564, Mozilla bug 1045977, MFSA 2014-69.
[1] http://code.google.com/p/
PS. Mildly interesting:
http://www.chromium.org/Home/
Authored by Michal Zalewski
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information