Vulnerabilities that just won't die - Compression Bombs

Recently Cyberis has reviewed a number of next-generation firewalls and content inspection devices - a subset of the test cases we formed related to compression bombs - specifically delivered over HTTP. The research prompted us to take another look at how modern browsers handle such content given that the vulnerability (or perhaps more accurately, ‘common weakness’ - http://cwe.mitre.org/data/definitions/409.html) has been reported and well known for over ten years.