Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Security Researcher Finds Hundreds of Browser Bugs

Comments Filter:
  • by Anonymous Coward on Saturday January 01, 2011 @07:03PM (#34733256)

    Why just China? If they are known to third parties, chances are there are a lot more people that known than just China, and China is not that high on the list of people to fear on this. Why the emphasis here?

  • by Anonymous Coward

    FTFA: The design of the fuzzer makes it unexpectedly difficult to get clean,
    deterministic repros; to that effect, in the current versions of all the
    affected browsers, we are still seeing a collection of elusive problems when
    running the tool - and some not-so-elusive ones.

    This might help explain at least part of the difficult communication with Microsoft.

    • by Stratoukos (1446161) on Saturday January 01, 2011 @07:49PM (#34733558)

      This might help explain at least part of the difficult communication with Microsoft.

      But not Mozilla, the Webkit team and Opera?

      • by Rockoon (1252108) on Saturday January 01, 2011 @08:49PM (#34733924)
        Just to be fucking honest...

        His tool only found a few bugs ("several") in Internet Explorer, found about two dozen in Webkit ("some" problems still unfixed), about 60 bugs in Mozilla ("several" still unfixed), and that for Opera some of the bugs arent fixed ("several".)

        So what we see here is that of the browsers, Internet Explorer didnt have nearly as many problems identifiable by his tool as the others to begin with, and that it still doesnt have more than the other browsers now even after all parties had 6 months.

        Could it be that all of the remaining bugs for all of the browsers require good reproducibility to address reasonably? Could it be that the person you replied to is correct, rather than that your "but not mozilla, webkit team and opera?" bullshit is just that, bullshit?
        • by yuhong (1378501)

          BTW, mangleme released by the same security researcher has a mangle.cgi that logs attempts to the server log, and a remangle.cgi that uses the info from the log to reproduce the exact same page. This could be done with this fuzzer too, but the problem is where to log. Filesystem access is restricted for obvious reasons. How about using document.cookie as a log?

        • by hairyfeet (841228) <bassbeast1968 AT gmail DOT com> on Sunday January 02, 2011 @12:23AM (#34734922) Journal

          But there are a couple of BIG differences between IE and the others that mean they should always looked at with more suspicion and scorn, and I'm a Windows guy. 1.-Refusing to backport IE 9 to XP means you are gonna have hundreds of millions of IE installs running on old versions, 2.- Thanks to their idiotic "Hey lets all run as admin!" design of XP when combined with IE just increases the risk of nasty, and 3.- the webkit based browsers, such as Chrome, Dragon, Safari, SWIron, etc at least attempt to sandbox the browser, whereas MSFT to kill off competition buried IE deeply into the system making IE the more dangerous choice.

          Finally since you read TFA you would see that while the others kept working with the writer MSFT closed the ticket and cut off communication right up to when he said he would release even though the writer was able to replicate the bugs with the July tool and so was MSFT. Then when he was ready to release did they begin talking about "PR nightmare" instead of actually seeming concerned with the security of their browser. Lets be honest folks, IE was nothing but a tool to kill Netscape and once it had accomplished its goal it was left to rot. You had millions infected thanks to their lax treatment of security via IE 6, and they are just now trying to get to where everyone else was a year ago. Considering your browser is the closest your OS gets to being "bare metal" with the wild and woolly Internet trusting your machine to a browser that is only updated on patch Tuesday unless something completely embarrassing hits is more than a little nuts.

          One of the nice things we have today is plenty of free choices is that department and thanks to the scourge of "This site requires IE" being all but a distant memory getting folks away from IE has never been easier. Just send them to Ninite [ninite.com] and tell them which box to check. It is really just that easy. But trusting the weakest part of your security to a browser that always seems to be a day late, a dollar short, and has the biggest bullseye painted on it? There is a good reason to always assume the worst when it comes to IE, it is because that has been time and time again what you got.

          • by yuhong (1378501)

            browser that is only updated on patch Tuesday

            browsers that is updated every two patch Tuesdays

        • by jesser (77961)

          Don't read too much into the number of bugs found so far in each browser.

          * Michal Zalewski (who created crossfuzz) works for Google, so of course he focused his own efforts on Webkit.

          * Of the "60 bugs" found in Mozilla, 50 were found by me, with a significantly more powerful and yet unreleased fuzzer. If I pointed my fuzzer at other browsers, I'd find more bugs in the other browsers too.

          * The low numbers for IE are from very brief testing.

  • Why is ANYONE with half a brain still using Microsoft browsers?

    It has only been about a decade now of bad bugs being dribbled out and gradually fixed.

    Why do companies still use MS Explorer?

    • > Why is ANYONE with half a brain still using Microsoft browsers?

      Why is anyone with half a brain still using any Microsoft software at all?

      • by fuzzyfuzzyfungus (1223518) on Saturday January 01, 2011 @07:22PM (#34733382) Journal
        Home users, no idea. Ignorance and apathy I suppose.

        Corporate? ActiveX controls, trivial to keep up to date with WSUS, even when the user is non-admin and a firewall is blocking most outside downloads, accepts loads of configuration options from Active Directory Group Policies, etc.
        • by Anonymous Coward

          Home users, no idea. Ignorance and apathy I suppose.
           

          Ease of use, large amount of available software (games, in particular), out-of-the-box operation (aka 'it comes with the damn pc'), familiarity, large user base ('family member X knows something about computers and (s)he (also) uses windows, so (s)he can help me when I need help').

        • by jon3k (691256)
          This is pretty much spot on. Installed by default and easy to manage centrally. If I could manage Firefox as easily as I can manage IE (WSUS updates, group policies to force proxies and homepages, etc) then we'd already be using it. Compatibility isn't a terrible concern these days, and if I had an ADM for it I could force IE tab for sites that weren't compatible.
      • by MobileTatsu-NJG (946591) on Saturday January 01, 2011 @07:44PM (#34733528)

        > Why is ANYONE with half a brain still using Microsoft browsers?

        Why is anyone with half a brain still using any Microsoft software at all?

        People with half a brain should be using Linux instead?

      • by thegarbz (1787294)

        Why is anyone with half a brain still using any Microsoft software at all?

        Because some of Microsoft's software is incredibly stable, compatible with all modern hardware, easy to use, has UI design that is consistent and makes sense, and will run nearly all software on the planet.

        I tried using linux on my desktop, but after a kernel update made my machine randomly lockup and it took me more than a week to diagnose this, after I couldn't change my screen resolution because the ok / apply buttons weren't on the screen, after I spent a week trying to get my scanner working and fa

        • by Cili (687222)

          In Gnome and KDE you don't need the top bar with the minimize/maximize/close buttons to move a window around. You can hold Alt and drag the window with the mouse from anywhere.

    • by Xtense (1075847) <xtense.o2@pl> on Saturday January 01, 2011 @07:09PM (#34733308) Homepage

      It comes preinstalled with the OS, it doesn't need any configuring (or, if needed, it syncs automatically with settings on a domain controller) and, for tasks actually needed in an office setting, it works.

      No, it isn't "good" by any stretch of the word, but switching to a different browser is definitely not high up on the list of needed IT changes.

    • by dgatwood (11270) on Saturday January 01, 2011 @07:14PM (#34733338) Journal

      Why do companies still use MS [Internet] Explorer?

      Momentum. A browser in operation tends to stay in operation unless acted upon by an outside IT consultant.

      • by ScottMcD (1339445)
        Momentum? Maybe. In the companies I've worked for, IE is required by the older versions of browser based ERP applications. A lot of these were built using specific technologies built into IE. The newer versions of these applications are usually cross-browser, but upgrading to them costs money.
    • by Virtucon (127420) on Saturday January 01, 2011 @07:32PM (#34733442)

      Because MSFT understands channel marketing. Their services, their products work with their tools. They've also fed that into the enterprise as well. Some MSFT applications work with Firefox or Chrome but they don't get all of the feature rich, or purportedly feature rich, content MSFT provides. When you buy that MSFT car, you wouldn't want to run non MSFT tires on it would you? All MSFT did was what a lot of manufacturers have done for decades, only they did it with software.

      • by sjames (1099)

        Funny, I have never even seen Ford brand tires, gas, oil, air filters, etc. etc..

        • by Cinder6 (894572)

          I don't know about tires or gas, but oil and air filters? You bet. Ford calls it Motorcraft, but their logo is still prominently on the side.

        • by Virtucon (127420)

          Not maybe in your lifetime but... It was done by Henry Ford himself.

          http://www.time.com/time/magazine/article/0,9171,788057,00.html [time.com]

          I guess nobody reads history books anymore?

          • by sjames (1099)

            It WAS done, but that was before I was here to see it.

            Certainly it's clear enough that the analogy fails, nobody is all torn up about not having Ford tires on their Ford cars.

            • by Virtucon (127420)

              So here's one for you that's maybe a bit more contemporary. You wouldn't want to run that app on your iPhone unless it came from the App Store, now would you? Because Apple knows better than you, things are put in place to prohibit you from downloading that app. Just ask Mark Fiore about that one. Because "we" control the channel, the entire distribution chain, we then control the product and we can force you to take what we want to give you.

              All of this has been done before and to a much greater extent

              • by sjames (1099)

                Evidently there are enough people who DO want to run non-App Store apps on their iPhone that the necessary hack has been simplified down to "just click here" for the less technical users.

                Considering that Firefox is busy outstripping IE, I'd say a lot of home users most certainly WOULD want to. It seems a lot of businesses do as well except that some of them are stuck on IE6 (and so can't 'upgrade' to Windows 7).

                As for the rest, I can't really say. I run Linux except for a single old Dell named "Crash Test D

              • by Dogers (446369)

                Here's another one:

                Have you tried to run Outlook Web Express (Exchange) on Firefox? How about the same app on IE? Are they the same experience? hell no.

                On Exchange 2010, yes they are, actually. One of the many reasons I'm really looking forward to our upgrade!

        • by evilviper (135110)

          I don't know Ford's system, but for GM, all parts are "AC Delco" branded (tires not included), and all documentation recomends AC Delco replacements parts. So there's a good bit of truth to the statement...

          • by sjames (1099)

            Sure, but neither they (nor Ford's Motorcraft) sell gas or tires. Their share of the market for oil and air filters is modest. It's far away from

            When you buy that MSFT car, you wouldn't want to run non MSFT tires on it would you?

            • by fleebait (1432569)

              Ford previously was an all Firestone purchaser.
              Then Firestone was bought out by (foreign owned Bridgestone)

              Currently the 3 top suppliers to Ford are: Goodyear, Michelin, Continental.

    • by Anonymous Coward

      If you RTFA, you'll notice why this isn't looking as bad as the Slashdot summary reports it.

      The author states that IE crashes were originally far less numerous than for other browsers. And most of them were not exploitable.

      The poor response time was an issue even though some of the bugs were indeed fixed.

      I'm sure the poor response time and the failure to acknowledge some of them is very frustrating for security researchers, but from a user perspective, I don't see IE being clearly more insecure as it was mo

      • by hedwards (940851)
        Of course not. You don't typically see the insecurity unless the cracker has fouled up. A compromised machine often times looks exactly like a typical one, albeit somewhat slower and with more use of the network.
    • by thegarbz (1787294)
      Integration.

      When a Fortune 50 company decides to upgrade their global intranet which was previously compatible with only IE6 to a platform based on .... Sharepoint of all bloody things, they once again dig themselves further into the vendor lockin hole. However when you look at it on the grand scheme of things the intranet despite the browser is now not only far better than it was, but is highly customisable by individual employees in departments. A wonderful advancement on the previous "call up IT and
    • by BagOBones (574735)

      1. Companies do not have any money to rebuild applications that are only compatible with Microsoft Products
      2. Companies are unwilling to spend money on replacing systems that work.
      3. Security is not a priority often as it costs money.
      4. Just because the software is free doesn't mean the employee training, implementation project or any of the costs of switching don't matter.

    • by QuoteMstr (55051)

      Modern Internet Explorer:

      1. is fast and stable
      2. can be controlled with group policy
      3. can be centrally deployed and managed
      4. comes with the OS
      5. has a neat feature or two

      We're not talking about IE6, and this isn't 2003. It's time to update your prejudices. IE9 is a decent standards-conforming browser. It's not all that exciting, but it's not awful, and I can understand why people are perfectly content with it.

      • IE9 is a decent standards-conforming browser. It's not all that exciting, but it's not awful, and I can understand why people are perfectly content with it.

        Corporate policy restricts us to WinXP and IE7. I thought IE9 was still on the drawing boards.
      • by thsths (31372)

        We're not talking about IE6, and this isn't 2003. It's time to update your prejudices. IE9 is a decent standards-conforming browser.

        You say that, but even compared with the current generation of browsers, IE9 is usually ranked towards the bottom, and it is not even released yet. Once that happens, it will have to compete with Firefox 4, Opera 12 (I guess) and Chrome developing at insane speeds. Microsoft has promised to catch up with IE7, and again with IE8, and again with IE9. But it seems that is all they are doing: playing catch up.

    • Why is ANYONE with half a brain still using Microsoft browsers?

      It has only been about a decade now of bad bugs being dribbled out and gradually fixed.

      Why do companies still use MS Explorer?

      What bug free browser do you recommend people use? Firefox? chrome? Can you name even one not constantly having to release patches for P1 security issues? Does such a browser even exist?

      There is little point with security realitivisim in this space when all of your choices == EPIC FAIL.

    • by Rolman (120909)

      Why is ANYONE with half a brain still using Microsoft browsers?

      It has only been about a decade now of bad bugs being dribbled out and gradually fixed.

      Why do companies still use MS Explorer?

      That means half a brain is not required to browse the Internet these days.

    • Why do companies still use MS Explorer?

      Well in this case IE was found to have far fewer bugs than WebKit or Mozilla. They have all fixed some (but not all) of the reported bugs, so I don't think it is such a easy conclusion to say that you shouldn't use IE.

      Personally, I am thinking of moving back to Opera. I have never been a fan of WebKit, and I don't think that Mozilla deserves the high praise that it gets for security. Of course, the best solution is to not trust any of the browsers.

    • by BeanThere (28381)

      Why do companies still use MS Explorer?

      Because MSCE's and MVP's and their ilk hired in the IT department need to pledge their allegiance rigidly to MS solutions in order to cover up their own lack of competency.

      As for home users, well a significant percentage of them wouldn't know a web browser from a street whore.

  • Fuzzing Test logic has been around awhile but again I still can't fathom why Software vendors can't do a better job of using tools to certify their code. I can't ascertain from this report that these bugs create vulnerabilities or an in the wild attack. This report should read "IE 8 has bugs."

    All this talk about Sandboxes as well can't be overlooked but what about the network level and intelligent traffic analysis. If all of a sudden you start seeing PCs launching IP traffic at strange addresses in Fore

    • by jesser (77961)

      I still can't fathom why Software vendors can't do a better job of using tools to certify their code.

      I blame C++. Hard to parse, hard to analyze, full of surprises.

      So do a few other people at Mozilla, who are working on a new systems language called Rust [github.com].

  • I'm amazed the pop-under problem still hasn't been addressed in MSIE nor, more surprisingly, in Firefox - even at the highest security settings, pop-unders, such as the Netflix and screensaver ones, still get through - a potential security flaw.

    I've search the bug reports for Firefox in the past and pop-unders ranks high on problems that people want fixed, and yet still isn't - seems to me if pop-up windows can be blocked, why can't pop-under windows? Doesn't make sense to me ...

    The cynic in me thinks there

    • by rudy_wayne (414635) on Saturday January 01, 2011 @07:54PM (#34733594)

      I'm amazed the pop-under problem still hasn't been addressed in MSIE nor, more surprisingly, in Firefox - even at the highest security settings, pop-unders, such as the Netflix and screensaver ones, still get through - a potential security flaw.

      I've search the bug reports for Firefox in the past and pop-unders ranks high on problems that people want fixed, and yet still isn't - seems to me if pop-up windows can be blocked, why can't pop-under windows?

      Pop-up windows are still a problem in Firefox. Websites have devised new ways to pop up annoying windows that Firefox apparently isn't able to block (as of FF4 beta 8).

      • by Vekseid (1528215) on Saturday January 01, 2011 @08:06PM (#34733664) Homepage

        It's not new, those popups are being delivered through Flash, rather than javascript.

        • by QuoteMstr (55051)

          No, at least Mozilla blocks Flash popups too. The issue is that these "popups" are created in response to user clicks, and the browser can't tell the difference between Live Jasmin spam and a legitimate, requested pop-up because both are run from the click event handler.

          The only solution is to disable popups entirely, which will cause compatibility issues. This is why we can't have nice things.

          • by didroe84 (1324187)
            You can get "Adblock Plus Pop-up Addon" which will allow you to manually block specific popups.
      • by hedwards (940851)
        I haven't seen that, but then again I typically browse with noscript running in the background.
    • by jesser (77961)

      In most browsers, including Firefox, popups (including popunders) are blocked except when they appear in response to clicks.

      In Firefox 4, we think we've solved the problem [mozilla.org] that allows popups to turn into popunders. Now that you see them right away, it should be clearer that they're appearing only in response to clicks, and you should be able to tell which sites they're coming from.

  • We need to see some kind of lightweight VM machine running in a sandbox on the windows OS, which acts and looks just like a web browser to anybody using it, and saves downloaded files to a directory on the Windows desktop folder in a Directory named "Downloads". Today the majority of users certainly have the CPU power to pull it off, why not run it completely in RAM too to facilitate never having to access the hard drive. It would probably be the fastest web browser ever made, and the most secure.
  • Who's writing these headlines?
    His own post says "about one hundred." How does that turn into "Hundreds of browser bugs"?
    And he does not say "some" of these bugs may be known to third parties. He says "at least one."

    What he found is bad enough. Why the need to exaggerate?
  • I'm the author of TFA [pcmag.com] and I have made changes to include reactions from Microsoft and Zalewski. Larry Seltzer PC Magazine

Some people have a great ambition: to build something that will last, at least until they've finished building it.

Working...