Security Researcher Finds Hundreds of Browser Bugs 145
An anonymous reader writes "PC Magazine reports on a very understated late night post to the full-disclosure mailing list, in which security researcher Michael Zalewski shared a fuzzing tool reportedly capable of identifying over a hundred browser bugs. Some of these bugs, he says, may be already known to third parties in China. The report also includes an account of how browser vendors fared fixing these flaws so far. Not surprisingly, Microsoft's response timeline appears depressing."
Known to third parties in China? (Score:3, Insightful)
Why just China? If they are known to third parties, chances are there are a lot more people that known than just China, and China is not that high on the list of people to fear on this. Why the emphasis here?
Re:Terrific Research, But... (Score:4, Insightful)
It comes preinstalled with the OS, it doesn't need any configuring (or, if needed, it syncs automatically with settings on a domain controller) and, for tasks actually needed in an office setting, it works.
No, it isn't "good" by any stretch of the word, but switching to a different browser is definitely not high up on the list of needed IT changes.
Re:Pass the salt please (Score:3, Insightful)
...maybe not very serious, nothing a program restart wouldn't fix, but still - damage.
I'm sorry, what?
Most browsers don't run in a particularly well secured sandbox. Sure there are additional security features, but the majority of people today still seem to be running (1) outdated browsers (2) as administrators (3) without any clue whatsoever regarding security.
A security flaw exposed from this fuzzer could easily end up being a major trojan outbreak. Not exactly something you fix by restarting Firefox...
Re:Sandbox time? (Score:5, Insightful)
If browsers were exclusively used for reading web pages, securing them would be so much simpler...
Re:Terrific Research, But... (Score:4, Insightful)
Because MSFT understands channel marketing. Their services, their products work with their tools. They've also fed that into the enterprise as well. Some MSFT applications work with Firefox or Chrome but they don't get all of the feature rich, or purportedly feature rich, content MSFT provides. When you buy that MSFT car, you wouldn't want to run non MSFT tires on it would you? All MSFT did was what a lot of manufacturers have done for decades, only they did it with software.
Re:Hard to get reproducible results (Score:5, Insightful)
His tool only found a few bugs ("several") in Internet Explorer, found about two dozen in Webkit ("some" problems still unfixed), about 60 bugs in Mozilla ("several" still unfixed), and that for Opera some of the bugs arent fixed ("several".)
So what we see here is that of the browsers, Internet Explorer didnt have nearly as many problems identifiable by his tool as the others to begin with, and that it still doesnt have more than the other browsers now even after all parties had 6 months.
Could it be that all of the remaining bugs for all of the browsers require good reproducibility to address reasonably? Could it be that the person you replied to is correct, rather than that your "but not mozilla, webkit team and opera?" bullshit is just that, bullshit?