HTML vulnerabilities alert - Security

This is a discussion on HTML vulnerabilities alert - Security ; December 25, 2005 If you thought the security holes in Internet Explorer were large enough to push a G-class star through, then you haven't seen anything yet. A new report released by the prestigious firm of Internet Security Us, ...

+ Reply to Thread
Results 1 to 6 of 6

Thread: HTML vulnerabilities alert

  1. HTML vulnerabilities alert

    December 25, 2005


    If you thought the security holes in Internet Explorer were large enough to
    push a G-class star through, then you haven't seen anything yet. A new
    report released by the prestigious firm of Internet Security Us, Inc.,
    warns that "organic-based holistic HTML parsing systems" (i.e. the human
    brain) pose the greatest threat to Internet security.

    Many geeks have tried to avoid the growing insecurity of mainstream Web
    browsers by rendering HTML pages directly in their heads. However, it
    appears this solution is actually worse than the disease.

    "Whether you access the Web through wget, telnet, avian carriers, or by
    whistling directly into an acoustic modem, you cannot escape from this
    vulnerability," said Wolf Kryir, spokesperson at Internet Security Us. "We
    have escalated the criticality of this problem from MODERATE to WE'RE ALL
    SCREWED."

    The exploit is made possibly by the fact that the entire brain runs under a
    'root' account that has full privileges. "As a result of this design flaw,
    once an attacker gains a foothold inside the brain's wetware, the entire
    body is then ready for their evil bidding."

    Potential examples of this vulnerability include:

    * Daniel Robbins agreeing to work for Microsoft
    * Eric S. Raymond choosing the BSD license over the GPL
    * Microsoft engineers embracing security (the jury is still out on this
    one)
    * Top executives at Novell dropping KDE support
    * Mac OS X developers embracing Intel hardware
    * Scott McNealy's erratic business decisions
    * Two words: Darl McBride

    One confirmed victim explained how his brain became rooted: "One minute I'm
    surfing a certain triple-X website for, ah, research purposes, and the next
    thing I know, I have this uncontrollable urge to rush out to a Claw-Mart
    Supercenter and buy 100 copies of a tabloid magazine with the headline
    'Elvis Spotted On Mars' splashed across the cover!"

    The researchers at Internet Security Us have been unable to determine the
    exact sequence of HTML tags that cause the vulnerability. They suspect that
    the exploit code looks something like:


    Convert your company into a publicly-traded lawsuit by filing bogus suits
    against your former partners.


    or:




    Join the Dark Side. Microsoft is where you want to go today.


    It's also possible that the offending code is more subtle, consisting of a
    certain combination of nested HTML tags or recursive JavaScript routines
    that leave the user's head spinning.

    While numerous people have apparently fallen victim to the attack, no
    examples have been spotted in the wild. "Until a patch is developed for this
    problem, we strongly advise against using brain-based parsing technologies
    for surfing the Web. At the very least, make sure you reconfigure your
    wetware to ignore all extraneous HTML comments, JavaScript code blocks, and
    Flash applets."


  2. Re: HTML vulnerabilities alert

    In comp.os.linux.security gregnoble :
    > December 25, 2005



    > If you thought the security holes in Internet Explorer were large enough to
    > push a G-class star through, then you haven't seen anything yet. A new


    And this has to do with Linux? The browser in question isn't even
    available for Linux and even if it was, highly doubt anyone with
    more then two brain cells would use it.

    [..]

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 147: Party-bug in the Aloha protocol.

  3. Re: HTML vulnerabilities alert

    On Sun, 25 Dec 2005 09:57:52 +0100, Michael Heiming wrote:

    >> If you thought the security holes in Internet Explorer were large enough to
    >> push a G-class star through, then you haven't seen anything yet. A new

    >
    > And this has to do with Linux? The browser in question isn't even
    > available for Linux and even if it was, highly doubt anyone with
    > more then two brain cells would use it.
    >
    > [..]


    no, this particular browser - a meta-browser, if you will - operates on
    _all_ operating systems. man, I do look forward to the patch! hope they do
    something about the other bugs too like memory leaks and the faulty
    inference engine.

    Felmon


  4. Re: HTML vulnerabilities alert

    But doesn't tinfoil cranial shielding get around the "organic-based
    holistic HTML parsing systems" exploit?



  5. Re: HTML vulnerabilities alert

    Michael Heiming wrote:

    > In comp.os.linux.security gregnoble :
    >> December 25, 2005

    >
    >
    >> If you thought the security holes in Internet Explorer were large enough
    >> to push a G-class star through, then you haven't seen anything yet. A
    >> new

    >
    > And this has to do with Linux? The browser in question isn't even
    > available for Linux and even if it was, highly doubt anyone with more then
    > two brain cells would use it.


    Actually, the browser the article was talking about runs on all platforms.

    And I think you just demonstrated a buffer underrun vulnerability.



    Go back and read the whole thing, I think you'll get the joke. Sorry it
    was at your expense, hope you take it in the good nature it was intended.

  6. Re: HTML vulnerabilities alert

    On Sun, 25 Dec 2005 19:33:20 +0000, Renegade wrote:

    > But doesn't tinfoil cranial shielding get around the "organic-based
    > holistic HTML parsing systems" exploit?


    Don't think so: it'd have to be a perfect Faraday Cage for the
    frequency(s) you're shielding (ie: the mesh most be smaller then 1/4
    labda) for that to work. Otherwise the tinfoil may even act as an
    amplifying reflector... One' neck being in the way - one'd have to wear a
    whole tinfoil *suit* - not just cranial shielding, but body shielding...
    And not to mension the near field. (Move away from the equipment.)

    But this is all assuming some king of RF or EMC is used for the exploit.
    And i didn't see that is the OP article. So it may still be a logic error
    in one of the routines utilized for HTML parsing...

    --
    -Menno.


+ Reply to Thread