MSFA 2014-78 (CVE-2014-1580) fixes another case of uninitialized memory disclosure in Firefox - this time, when rendering truncated GIF images on
<canvas>. The bug was reported on September 5 and fixed today. For a convenient test case, check out this page. Rough timeline:
- September 5: Initial, admittedly brief notification to vendor, including a simple PoC.
- September 5: Michael Wu confirms the exposure and pinpoints the root cause. Discussion of fixes ensues.
- September 9: Initial patch created.
- September 12: Patch approved and landed.
- October 2: Patch verified by QA.
- October 13: Fixes ship with Firefox 33.
MSRC case #19611cz (MS14-085) is a conceptually similar bug related to JPEG DHT parsing, seemingly leaking bits of stack information in Internet Explorer. This was reported to MSRC on July 2 and hasn't been fixed to date. Test case here. Rough timeline:
- July 2: Initial, admittedly brief notification to vendor, mentioning the disclosure of uninitialized memory and including a simple PoC.
- July 3: MSRC request to provide "steps and necessary files to reproduce".
- July 3: My response, pointing back to the original test case.
- July 3: MSRC response, stating that they are "unable to determine the nature of what I am reporting".
- July 3: My response, reiterating the suspected exposure in a more verbose way.
- July 4: MSRC response from an analyst, confirming that they could reproduce, but also wondering if "his webserver is not loading up a different jpeg just to troll us".
- July 4: My response stating that I'm not trolling MSRC.
- July 4: MSRC opens case #19611cz.
- July 29: MSRC response stating that they are "unable identify a way in which an attacker would be able to propagate the leaked stack data back to themselves".
- July 29: My response pointing out the existence of the canvas.toDataURL() API in Internet Explorer, and providing a new PoC that demonstrates the ability to read back data.
- September 24: A notification from MSRC stating that the case has been transferred to a new case manager.
- October 7: My response noting that we've crossed the 90-day mark with no apparent progress made, and that I plan to disclose the bug within a week.
- October 9: Acknowledgment from MSRC.
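Both bugs above share one shape: a truncated image is decoded onto a canvas and the pixels the file never supplied can be read back through the canvas API. The following is an added regression check for that bug class, written for this post rather than taken from it or from either vendor; the URL, the zero (transparent black) fill value and the 'load' event behaviour for a partially decoded image are assumptions.

```javascript
// Added example, not code from the original post: a regression check for the bug class
// above. Pixels an image could not supply (truncated data) must be identical across two
// independent renders and equal to the decoder's fill value. Uninitialized memory shows
// up as bytes that vary between renders, or as stable but non-fill bytes (assumed fill: 0).

// renderA/renderB: RGBA byte arrays from getImageData().data of two separate renders.
// truncatedFrom: byte offset where the truncated image's real pixel data ends.
function findSuspectBytes(renderA, renderB, truncatedFrom, fill = 0) {
  if (renderA.length !== renderB.length) throw new Error('render sizes differ');
  const nondeterministic = []; // differs between renders: classic uninitialized memory
  const unexpectedFill = [];   // stable but not the fill value: stale buffer contents
  for (let i = truncatedFrom; i < renderA.length; i++) {
    if (renderA[i] !== renderB[i]) nondeterministic.push(i);
    else if (renderA[i] !== fill) unexpectedFill.push(i);
  }
  const clean = nondeterministic.length === 0 && unexpectedFill.length === 0;
  return { nondeterministic, unexpectedFill, clean };
}

// Browser-only driver (hypothetical; url is a placeholder for a truncated image under test).
// Draws the image onto two fresh canvases and reads both back with getImageData(), the same
// read-back path as canvas.toDataURL(). Assumes the browser fires 'load' for a partially
// decoded image; if it fires 'error' instead, the promise rejects and nothing is checked.
function checkTruncatedImage(url, width, height, decodedRows) {
  const render = () => new Promise((resolve, reject) => {
    const img = new Image();
    img.onload = () => {
      const c = document.createElement('canvas');
      c.width = width;
      c.height = height;
      const ctx = c.getContext('2d');
      ctx.drawImage(img, 0, 0);
      resolve(ctx.getImageData(0, 0, width, height).data);
    };
    img.onerror = () => reject(new Error('image failed to load: ' + url));
    img.src = url;
  });
  return Promise.all([render(), render()])
    .then(([a, b]) => findSuspectBytes(a, b, decodedRows * width * 4));
}

// Constructed sample buffers for a 4x2 RGBA image whose second row (bytes 16..31) was never
// decoded. A fixed decoder yields cleanA/cleanB; a leaky one yields leakyA/leakyB.
const cleanA = new Uint8ClampedArray([...Array(16).fill(255), ...Array(16).fill(0)]);
const cleanB = new Uint8ClampedArray(cleanA);
const leakyA = new Uint8ClampedArray(cleanA);
const leakyB = new Uint8ClampedArray(cleanA);
leakyA[20] = 0x41; leakyB[20] = 0x7f; // varies per render
leakyA[24] = 0x09; leakyB[24] = 0x09; // stable, but not the fill value
```

In a browser, `checkTruncatedImage(url, 4, 2, 1)` returns the same report shape for a real truncated image; a non-empty `nondeterministic` or `unexpectedFill` list means the decoder still exposes buffer contents.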
October 14, 2014
To add several more trophies to afl's pile of image parsing memory disclosure vulnerabilities: