Security Researcher Finds Hundreds of Browser Bugs
An anonymous reader writes "PC Magazine reports on a very understated late night post to the full-disclosure mailing list, in which security researcher Michal Zalewski shared a fuzzing tool reportedly capable of identifying over a hundred browser bugs. Some of these bugs, he says, may be already known to third parties in China. The report also includes an account of how browser vendors fared fixing these flaws so far. Not surprisingly, Microsoft's response timeline appears depressing."
Re:Terrific Research, But... (Score:5, Informative)
Corporate? ActiveX controls, trivial to keep up to date with WSUS, even when the user is non-admin and a firewall is blocking most outside downloads, accepts loads of configuration options from Active Directory Group Policies, etc.
Re:Pass the salt please (Score:5, Informative)
And after much follow up in late December MS finally acknowledged that they were reproducible with the July version of the tool.
Basically this guy gave them over six months to fix the bugs, they bullshitted around and fixed one or two faults, then on the eve of his release of the tool (when all other affected vendors had worked closely with him to fix all the faults) MS tried to state that it was only the latest version of his tool that caused the majority of the bugs. The author said if this was the case he would hold off on release, but after testing found MS to still have a good supply of bullshit left (the flaws showed up with the older tool, which MS eventually conceded) so he released it on the date he said, January.
Once again MS not willing or just plain not wanting to work with a security expert and then said expert doesn't buy their crap and releases on the schedule set.
Re:Unwanted Pop-Unders Still a Security Issue (Score:4, Informative)
I'm amazed the pop-under problem still hasn't been addressed in MSIE nor, more surprisingly, in Firefox - even at the highest security settings, pop-unders, such as the Netflix and screensaver ones, still get through - a potential security flaw.
I've searched the bug reports for Firefox in the past and pop-unders rank high on problems that people want fixed, and yet still aren't - seems to me if pop-up windows can be blocked, why can't pop-under windows?
Pop-up windows are still a problem in Firefox. Websites have devised new ways to pop up annoying windows that Firefox apparently isn't able to block (as of FF4 beta 8).
Re:Unwanted Pop-Unders Still a Security Issue (Score:4, Informative)
It's not new, those popups are being delivered through Flash, rather than JavaScript.
Re:Pass the salt please (Score:3, Informative)
Never states?
Comment removed (Score:5, Informative)
Re:Known to third parties in China? (Score:4, Informative)
Dear Anonymous Coward,
You appear to be unfamiliar with how the World Wide Web works. When you see an underlined word or phrase (such as "already known to third parties in China"), that means you can click on it and your web browser will take you to a new page whereupon you can generally find more information on the word or phrase. It takes some practice but you should eventually learn to get the hang of it.
Sincerely,
A Registered Slashdot User