Re: [ISN] Security expert dubs July the 'Month of browser bugs'

From: InfoSec News (alerts@private)
Date: Tue Aug 01 2006 - 01:28:20 PDT


Forwarded from: security curmudgeon <jericho@private>

http://osvdb.org/blog/?p=127

: http://news.com.com/Security+expert+dubs+July+the+Month+of+browser+bugs/2100-1002_3-6090959.html
: 
: By Greg Sandoval 
: Staff Writer, CNET News.com
: July 5, 2006
: 
: Each day this month, a prominent security expert will highlight a new 
: vulnerability found in one of the major Internet browsers.
: 
: HD Moore, the creator of Metasploit Framework, a tool that helps test 
: whether a system is safe from intrusion, has dubbed July the Month of 
: Browser Bugs. Already, the security researcher has featured five 
: security flaws, three for Microsoft's Internet Explorer and one apiece 
: for Mozilla's Firefox and Apple Computer's Safari.

Thirty one days later, MoBB is done! By far one of the more interesting 
vulnerability disclosure projects we've seen this year. I have a strong 
feeling that the real ramifications won't be realized until months later, 
but until someone does a more thorough analysis.. my random thoughts.

First, HDM and I chatted almost every single day during the month, mostly 
to coordinate the pre-assignment of OSVDB IDs for each bug. Due to the 
schedule I keep, it was usually easy to check the blog around midnight 
every night, and for 30 of the 31 days, he was right on time releasing the 
next bug. Only on the 31st day did he finally fall behind by a whole two 
hours (jeez, what a slacker!) in releasing the final bug. Ok ok, it wasn't 
due to slacking, he had been working for hours trying to isolate the exact 
details to fully understand and document the bug he had found in Safari.

31 browser bugs, what's the final breakdown? 

MSIE:		25
Apple Safari:	2
Mozilla:	2
Opera:		1
Konqueror:	1

I'll let you make any conclusions you want. If I hadn't posted this, we'd 
no doubt see at least one article saying how much more insecure MSIE is 
than X and this is just proof of that. Hopefully the fact I posted that 
last line might actually make a journalist stop and think, "why, is it 
something else?!" GLAD YOU ASKED! Ok not really, but there is more to it 
than W bugs in X browser vs Y bugs in Z browser so W must be more insecure 
than Y!@$#! If you can't think of any such reasons, quit your job and go 
to art school.

What if he had...

a) followed 'accepted' vulnerability disclosure guidelines? (the project 
   would have been dubbed the YoBB?)

b) sold his findings to the shops like ZDI or iDefense that pay for such 
   information? (he'd be rich?!)

c) sold his findings to a russian spam syndicate? (he'd be able to buy a 
   new iPod?!)

d) never posted a single bug in any fashion? (he and a dozen others would 
   all be sitting on this information)

e) provided even more easy point-and-drool exploitation? (we'd be reading 
   another CNET article about the latest spyware/adware that exploited..)

Want another month of browser bugs? Yes, he could continue on into August 
without a problem. The amount of browser bugs is stupid. Apparently, the 
idea of writing a basic fuzzer is still lost on the authors. The good 
news, HDM will be releasing the fuzzer he used to find all these to the 
public. Will an insane rush of browser bugs follow? We can hope!

Want another month of browser bugs? Then do it yourself. While it may 
sound easy, researching each one to the degree HDM did is not easy and it 
isn't fast. If you can devote between 15 minutes and 3 hours a day for 31 
days, then go for it! Until then, as my friend major says, "never lick a 
gift whore in the mouse."

The bugs:

OSVDB ID	OSVDB Title
27534		Apple Safari KHTMLParser::popOneBlock Code Execution
27532		Microsoft IE ADODB.Recordset SysFreeString Invalid Length
27533		Microsoft IE Orphan Object Property Access NULL Dereference
27530		Microsoft IE NDFXArtEffects Multiple Property Stack Overflow
27559		Mozilla Multiple Product Window Navigator Object Arbitrary Code Execution
27373		Microsoft IE Native Function Iteration NULL Dereference
27374		Opera CSS Background Property HTTPS Memory Corruption
27232		Microsoft IE NMSA.ASFSourceMediaDescription dispValue Overflow
27372		Microsoft IE Forms Multiple Object ListWidth Property Overflow
27231		Microsoft IE HTML Help COM Object Click Method NULL Dereference
27230		Microsoft IE CEnroll SysAllocStringLen Invalid Length
27111		Microsoft IE OWC11.DataSourceControl getDataMemberName Method Overflow
27112		Microsoft IE OVCtl NewDefaultItem Method NULL Dereference
27109		Microsoft IE DXImageTransform.Microsoft.Gradient Multiple Property 
27110		Microsoft IE WebViewFolderIcon setSlice Overflow
27108		Microsoft IE MHTMLFile Multiple Property NULL Dereference
27059		Microsoft IE FolderItem Object NULL Dereference
27058		KDE Konqueror replaceChild() NULL Dereference
27057		Microsoft IE DXImageTransform.Microsoft.RevealTrans Transition Property 
27056		Microsoft IE TriEditDocument URL Property NULL Dereference
27055		Microsoft IE HtmlDlgSafeHelper fonts Property NULL Dereference
27014		Microsoft IE Object.Microsoft.DXTFilter Enabled Property NULL Dereference
27013		Microsoft IE DirectAnimation.DAUserData Data Property NULL Dereference
26955		Microsoft IE RDS.DataControl SysAllocStringLen Invalid Length Issue
26837		Microsoft IE Frameset inside Table NULL Dereference
26839		Microsoft IE DirectAnimation.StructuredGraphicsControl SourceURL NULL 
26838		Apple Safari DHTML setAttributeNode() NULL Dereference
26836		Microsoft IE OutlookExpress.AddressBook COM Object NULL Dereference
26835		Microsoft IE HTML Help COM Object Image Property Heap Overflow
26834		Microsoft IE ADODB.Recordset COM Object Filter Property NULL Dereference
24967		Mozilla Firefox iframe.contentWindow.focus() Overflow


_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Tue Aug 01 2006 - 01:55:30 PDT