Forwarded from: security curmudgeon <jericho@private>

http://osvdb.org/blog/?p=127

: http://news.com.com/Security+expert+dubs+July+the+Month+of+browser+bugs/2100-1002_3-6090959.html
:
: By Greg Sandoval
: Staff Writer, CNET News.com
: July 5, 2006
:
: Each day this month, a prominent security expert will highlight a new
: vulnerability found in one of the major Internet browsers.
:
: HD Moore, the creator of Metasploit Framework, a tool that helps test
: whether a system is safe from intrusion, has dubbed July the Month of
: Browser Bugs. Already, the security researcher has featured five
: security flaws, three for Microsoft's Internet Explorer and one apiece
: for Mozilla's Firefox and Apple Computer's Safari.

Thirty-one days later, MoBB is done! By far one of the more interesting vulnerability disclosure projects we've seen this year. I have a strong feeling that the real ramifications won't be realized until months later, but until someone does a more thorough analysis... my random thoughts.

First, HDM and I chatted almost every single day during the month, mostly to coordinate the pre-assignment of OSVDB IDs for each bug. Due to the schedule I keep, it was usually easy to check the blog around midnight every night, and for 30 of the 31 days, he was right on time releasing the next bug. Only on the 31st day did he finally fall behind by a whole two hours (jeez, what a slacker!) in releasing the final bug. Ok ok, it wasn't due to slacking, he had been working for hours trying to isolate the exact details to fully understand and document the bug he had found in Safari.

31 browser bugs, what's the final breakdown?

MSIE: 25
Apple Safari: 2
Mozilla: 2
Opera: 1
Konqueror: 1

I'll let you make any conclusions you want. If I hadn't posted this, we'd no doubt see at least one article saying how much more insecure MSIE is than X and this is just proof of that.
Hopefully the fact I posted that last line might actually make a journalist stop and think, "why, is it something else?!" GLAD YOU ASKED! Ok not really, but there is more to it than W bugs in X browser vs Y bugs in Z browser so W must be more insecure than Y!@$#! If you can't think of any such reasons, quit your job and go to art school. What if he had...

a) followed 'accepted' vulnerability disclosure guidelines? (the project would have been dubbed the YoBB?)
b) sold his findings to the shops like ZDI or iDefense that pay for such information? (he'd be rich?!)
c) sold his findings to a Russian spam syndicate? (he'd be able to buy a new iPod?!)
d) never posted a single bug in any fashion? (he and a dozen others would all be sitting on this information)
e) provided even more easy point-and-drool exploitation? (we'd be reading another CNET article about the latest spyware/adware that exploited..)

Want another month of browser bugs? Yes, he could continue on into August without a problem. The amount of browser bugs is stupid. Apparently, the idea of writing a basic fuzzer is still lost on the authors. The good news: HDM will be releasing the fuzzer he used to find all these to the public. Will an insane rush of browser bugs follow? We can hope!

Want another month of browser bugs? Then do it yourself. While it may sound easy, researching each one to the degree HDM did is not easy and it isn't fast. If you can devote between 15 minutes and 3 hours a day for 31 days, then go for it! Until then, as my friend major says, "never lick a gift whore in the mouse."
The bugs:

OSVDB ID   OSVDB Title
27534      Apple Safari KHTMLParser::popOneBlock Code Execution
27532      Microsoft IE ADODB.Recordset SysFreeString Invalid Length
27533      Microsoft IE Orphan Object Property Access NULL Dereference
27530      Microsoft IE NDFXArtEffects Multiple Property Stack Overflow
27559      Mozilla Multiple Product Window Navigator Object Arbitrary Code Execution
27373      Microsoft IE Native Function Iteration NULL Dereference
27374      Opera CSS Background Property HTTPS Memory Corruption
27232      Microsoft IE NMSA.ASFSourceMediaDescription dispValue Overflow
27372      Microsoft IE Forms Multiple Object ListWidth Property Overflow
27231      Microsoft IE HTML Help COM Object Click Method NULL Dereference
27230      Microsoft IE CEnroll SysAllocStringLen Invalid Length
27111      Microsoft IE OWC11.DataSourceControl getDataMemberName Method Overflow
27112      Microsoft IE OVCtl NewDefaultItem Method NULL Dereference
27109      Microsoft IE DXImageTransform.Microsoft.Gradient Multiple Property
27110      Microsoft IE WebViewFolderIcon setSlice Overflow
27108      Microsoft IE MHTMLFile Multiple Property NULL Dereference
27059      Microsoft IE FolderItem Object NULL Dereference
27058      KDE Konqueror replaceChild() NULL Dereference
27057      Microsoft IE DXImageTransform.Microsoft.RevealTrans Transition Property
27056      Microsoft IE TriEditDocument URL Property NULL Dereference
27055      Microsoft IE HtmlDlgSafeHelper fonts Property NULL Dereference
27014      Microsoft IE Object.Microsoft.DXTFilter Enabled Property NULL Dereference
27013      Microsoft IE DirectAnimation.DAUserData Data Property NULL Dereference
26955      Microsoft IE RDS.DataControl SysAllocStringLen Invalid Length Issue
26837      Microsoft IE Frameset inside Table NULL Dereference
26839      Microsoft IE DirectAnimation.StructuredGraphicsControl SourceURL NULL
26838      Apple Safari DHTML setAttributeNode() NULL Dereference
26836      Microsoft IE OutlookExpress.AddressBook COM Object NULL Dereference
26835      Microsoft IE HTML Help COM Object Image Property Heap Overflow
26834      Microsoft IE ADODB.Recordset COM Object Filter Property NULL Dereference
24967      Mozilla Firefox iframe.contentWindow.focus() Overflow
This archive was generated by hypermail 2.1.3 : Tue Aug 01 2006 - 01:55:30 PDT