SecurityTracker Alert ID: 1014372
SecurityTracker URL: http://securitytracker.com/id/1014372
Updated: Jul 6 2008
Original Entry Date: Jul 4 2005
Denial of service via network
Exploit Included: Yes
Juha-Matti Laurio reported a vulnerability in K-Meleon. A remote user can cause the browser to crash.
A demonstration exploit is available at:
The vendor was notified on July 3, 2005.
This type of vulnerability was originally discovered by Paul Kurczaba, reported as affecting Mozilla products.
A remote user can cause the target user's browser to crash.
No solution was available at the time of this entry.
Vendor URL: kmeleon.sourceforge.net/
Underlying OS: Windows (Any)
Source Message Contents
The newest K-Meleon Browser version 0.9 is confirmed as affected by the new
Kurczaba.com PoC (Proof of Concept) test pages located at
http://www.kurczaba.com/html/security/0506241.htm (Manual and Automatic).
This can possibly be exploited by constructing a malicious Web page. If
an attacker has ways to persuade a user to visit this Web site, this can
be used to crash the user's browser. After a crash effect browser will
Some user interaction is needed for the vulnerability to take effect when
discussing PoC issue #1.
Issue #1: http://www.kurczaba.com/html/security/0506241_poc.htm
Button "Go" was clicked.
Browser crashed with the following information-like dialog box:
"K-Meleon Web Browser
K-Meleon Web Browser has encountered a problem and needs to close. We
are sorry for the inconvenience. For more information about this error,
Only the 'Close' button was available. After clicking the 'Close' button,
K-Meleon Browser quit.
Issue #2: http://www.kurczaba.com/html/security/0506241_poc2.htm
Browser crashed without any visual effect and/or warning after a delay
of a few seconds. This delay was noticed after the PoC page counter had
reached the "..will crash in '1' seconds" state.
Additionally, CPU usage was at 100% level.
- Technical details:
Menu setting Edit / Preferences / General / Enhancements: Enable
code used at PoC pages mentioned earlier.
From the vendor:
"K-Meleon - The Browser You Control. K-Meleon is an extremely fast,
customizable, lightweight web browser for the win32 (Windows) platform
based on the Gecko layout engine (the rendering engine of Mozilla).
K-Meleon is free, open source software released under the GNU General
Public License. Powered by the same Gecko engine as the Firefox and
Mozilla browsers, K-Meleon provides users with a secure browsing
- Solution status:
No solution was available at the time of reporting.
K-Meleon Browser 0.x
(free for downloading)
- Affected versions:
The vulnerability has been reported in version 0.9. Other versions may
also be affected. The user agent string used was Mozilla/5.0
(Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041220
Vendor Home Page:
Product Home Page:
Project Home Page:
OS: Microsoft Windows
CVE reference: N/A
However, a CVE candidate describing other Gecko-based browsers is assigned
Disable selection from Edit / Preferences / General / Enhancements:
Tools / Privacy / 'Block' function.
If this is not possible:
Do not browse untrusted web sites or click untrusted links in e-mail messages.
test results were included in the report.
This vulnerability was earlier researched in the following Mozilla
products: (Mozilla) Firefox, Mozilla (Suite) and Camino by Paul
Kurczaba. I have confirmed and reported this issue earlier in Netscape
Kurczaba Associates Security Advisories > Mozilla Multiple Product
From the advisory:
crash the above named browsers. The script can be executed both with and
without user intervention."
28-06-2005 - Vulnerability researched and confirmed
03-07-2005 - Vendor contacted
04-07-2005 - Security companies and several CERT units contacted
Juha-Matti Laurio, Networksecurity.fi