Two more browser memory disclosure bugs (CVE-2014-1580 and #19611cz)

To add several more trophies to afl's pile of image parsing memory disclosure vulnerabilities:

• 
  
  MSFA 2014-78 (CVE-2014-1580) fixes another case of uninitialized memory disclosure in Firefox - this time, when rendering truncated GIF images on <canvas>. The bug was reported on September 5 and fixed today. For a convenient test case, check out this page. Rough timeline:
  
  
  
  
  
  
  
  • September 5: Initial, admittedly brief notification to vendor, including a simple PoC.
    
  • September 5: Michael Wu confirms the exposure and pinpoints the root cause. Discussion of fixes ensues.
    
  • September 9: Initial patch created.
    
  • September 12: Patch approved and landed.
    
  • October 2: Patch verified by QA.
    
  • October 13: Fixes ship with Firefox 33.
    
  
  
  
  
  
  
• 
  
  MSRC case #19611cz (MS14-085) is a conceptually similar bug related to JPEG DHT parsing, seemingly leaking bits of stack information in Internet Explorer. This was reported to MSRC on July 2 and hasn't been fixed to date. Test case here. Rough timeline:
  
  
  
  
  
  
  • July 2: Initial, admittedly brief notification to vendor, mentioning the disclosure of uninitialized memory and including a simple PoC.
    
  • July 3: MSRC request to provide "steps and necessary files to reproduce".
    
  • July 3: My response, pointing back to the original test case.
    
  • July 3: MSRC response, stating that they are "unable to determine the nature of what I am reporting".
    
  • July 3: My response, reiterating the suspected exposure in a more verbose way.
    
  • July 4: MSRC response from an analyst, confirming that they could reproduce, but also wondering if "his webserver is not loading up a different jpeg just to troll us".
    
  • July 4: My response stating that I'm not trolling MSRC.
    
  • July 4: MSRC opens case #19611cz.
    
  • July 29: MSRC response stating that they are "unable identify a way in which an attacker would be able to propagate the leaked stack data back to themselves".
    
  • July 29: My response pointing the existence of the canvas.toDataURL() API in Internet Explorer, and providing a new PoC that demonstrates the ability to read back data.
    
  • September 24: A notification from MSRC stating that the case has been transferred to a new case manager.
    
  • October 7: My response noting that we've crossed the 90-day mark with no apparent progress made, and that I plan to disclose the bug within a week.
    
  • October 9: Acknowledgment from MSRC.
    
    
  
  

Well, that's it. Enjoy!