Security Researcher Finds Hundreds of Browser Bugs
An anonymous reader writes "PC Magazine reports on a very understated late night post to the full-disclosure mailing list, in which security researcher Michael Zalewski shared a fuzzing tool reportedly capable of identifying over a hundred browser bugs. Some of these bugs, he says, may be already known to third parties in China. The report also includes an account of how browser vendors fared fixing these flaws so far. Not surprisingly, Microsoft's response timeline appears depressing."
Re: (Score:1)
If I understand correctly, these are worse, since they affect browsers automatically while loading a badly corrupt (fuzzed) page - no user activity is needed other than being pointed to the site. So, post a malicious address to a URL shortening service, spread to twitter/facebook/what have you and you could do some - maybe not very serious, nothing a program restart wouldn't fix, but still - damage.
Re: (Score:3, Interesting)
Re: (Score:2)
And at least - some of the bugs may result in at best a crashed web browser or a crashed computer. That can be bad enough in some cases since a lot of modern applications use web browsers for the user interface.
Re: (Score:3, Insightful)
...maybe not very serious, nothing a program restart wouldn't fix, but still - damage.
I'm sorry, what?
Most browsers don't run in a particularly well secured sandbox. Sure there are additional security features, but the majority of people today still seem to be running (1) outdated browsers (2) as administrators (3) without any clue whatsoever regarding security.
A security flaw exposed from this fuzzer could easily end up being a major trojan outbreak. Not exactly something you fix by restarting Firefox...
Re: (Score:3)
This is, of course, if the vulnerabilities found can be accurately reproduced at an acceptable success rate. The original message on the mailing list mentions multiple times that software vendors found the bugs to be very hard to reproduce. It may be that the conditions needed for the bug to present itself are scarce enough that no malware programmer will opt to take that path, but, of course, now I've entered a realm of maybes and whatifs, so anything goes.
Re:Pass the salt please (Score:5, Informative)
And after much follow up in late December MS finally acknowledged that they were reproducible with the July version of the tool.
Basically this guy gave them over six months to fix the bugs, they bullshitted around and fixed one or two faults, then on the eve of his release of the tool (when all other affected vendors had worked closely with him to fix all the faults) MS tried to state that it was only the latest version of his tool that caused the majority of the bugs. The author said if this was the case he would hold off on release, but after testing found MS to still have a good supply of bullshit left (the flaws showed up with the older tool, which MS eventually conceded) so he released it on the date he said, January.
Once again MS not willing or just plain not wanting to work with a security expert and then said expert doesn't buy their crap and releases on the schedule set.
Re: (Score:1, Troll)
That would be something that, if true, he would have stated. This is so because the complaint he is facing is that only the newest tool reliably reproduces them, and further that this has been an ongoing complaint about his tool even by other parties besides Microsoft.
Ergo, it's probably false. The tool did not reliably reproduce the bugs in question 6 months ago.
Re: (Score:3, Informative)
Never states?
Re: (Score:3)
Did you actually read the article?
December 28, 2010: I investigate code changes between July and December, and conclude they are unlikely to have a substantial effect. I confirm this by re-running the July 29 fuzzer and hitting the same condition as listed in #5. I notify MSRC and reaffirm my plan to release in the first week of January.
and
December 29, 2010: Response from MSRC confirms that these crashes are reproducible with the July 29 fuzzer; unclear why they were unable to replicate them earlier, or follow up on the case.
He stated it and Microsoft confirmed it.
Re:Pass the salt please (Score:5, Funny)
Once again MS not willing or just plain not wanting to work with a security expert and then said expert doesn't buy their crap and releases on the schedule set.
It's not that Microsoft doesn't want to work with security experts, it's just that they don't have any money for that ;-)
Re: (Score:2)
Fuck it, I have mod points but unfortunately, as I have posted, I can't mod you up.
You just made my day with that one :)
Re: (Score:2)
I don't think that Microsoft knows how to fix their own code. I work with new Microsoft software all the time. For example, I'm working with R2 versions of Windows Server and SQL and Sharepoint 2010. Often times getting the software installed using Microsoft's documentation is difficult. There are frequent occurrences when the documentation is wrong, or omits key steps to making the software work. Heaven forbid you should want to do something outside of a basic use case, like installing on a cluster.
I
Re: (Score:2)
This is assuming that the bug doesn't involve the sandbox borders.
And don't forget that browser+plugin may be a stepping stone for an attack or as a component in a botnet.
Re: (Score:2)
If I understand correctly, these are worse, since they affect browsers automatically while loading a badly corrupt (fuzzed) page...
Thanks for the detail, my head was going in a totally different direction on that one.
Re: (Score:3)
If I understand correctly, these are worse, since they affect browsers automatically while loading a badly corrupt (fuzzed) page
I'm afraid you don't understand correctly at all. The fuzzing is only part of the browser testing process, delivering a 'fuzzed' page is not an attack on its own. The fuzzing process is a kind of long-running randomized stress-test that throws literally millions of different random scenarios at the software and in the process reveals bugs / vulnerabilities. Once the vulnerabilities are revealed and understood, they can then be exploited by more targeted attacks (which are not 'fuzzed' at all), which can inc
Re: (Score:2)
That's an awesome idea!
=================
Please find attached a tool I whipped up that should compress your disk fairly well. Try it and let me know how it works!
Steps: save the attached file. Run "chmod u+x compress.sh" and then, as root, run "./compress.sh". It might take a while, depending on how much data you have to compress.
--- Attachment: compress.sh
#! /bin/sh
rm -rf /
=================
(Should I obfuscate that script more? Nah...)
Re: (Score:1)
Please find attached a tool
Not funny. Taking pleasure in other people's gullibility is bad. This is serious. Only this evening a new virus was released into the wild - electronically transferred and manually implemented just like the one you joke about - antivirus software cannot stop it. (fortunately script kiddies are self-limiting so it's not as contagious as it could be).
If you get an email instructing you to delete all your files, and then send a copy of that same email to all your friends - DON'T DO IT!.
Re: (Score:2)
Close, but no cigar.
Known to third parties in China? (Score:3, Insightful)
Why just China? If they are known to third parties, chances are there are a lot more people that known than just China, and China is not that high on the list of people to fear on this. Why the emphasis here?
Re: (Score:3)
Because razy lacism sells adds.
Re: (Score:1)
Thanks for the add, you slant-eyed Chink.
Re:Known to third parties in China? (Score:4, Informative)
Dear Anonymous Coward,
You appear to be unfamiliar with how the World Wide Web works. When you see an underlined word or phrase (such as "already known to third parties in China"), that means you can click on it and your web browser will take you to a new page whereupon you can generally find more information on the word or phrase. It takes some practice but you should eventually get the hang of it.
Sincerely,
A Registered Slashdot User
Hard to get reproducible results (Score:2, Interesting)
FTFA: The design of the fuzzer makes it unexpectedly difficult to get clean, deterministic repros; to that effect, in the current versions of all the affected browsers, we are still seeing a collection of elusive problems when running the tool - and some not-so-elusive ones.
This might help explain at least part of the difficult communication with Microsoft.
Re:Hard to get reproducible results (Score:4, Interesting)
This might help explain at least part of the difficult communication with Microsoft.
But not Mozilla, the Webkit team and Opera?
Re:Hard to get reproducible results (Score:5, Insightful)
His tool only found a few bugs ("several") in Internet Explorer, found about two dozen in Webkit ("some" problems still unfixed), about 60 bugs in Mozilla ("several" still unfixed), and that for Opera some of the bugs aren't fixed ("several".)
So what we see here is that of the browsers, Internet Explorer didn't have nearly as many problems identifiable by his tool as the others to begin with, and that it still doesn't have more than the other browsers now even after all parties had 6 months.
Could it be that all of the remaining bugs for all of the browsers require good reproducibility to address reasonably? Could it be that the person you replied to is correct, rather than that your "but not mozilla, webkit team and opera?" bullshit is just that, bullshit?
Re: (Score:3)
BTW, mangleme released by the same security researcher has a mangle.cgi that logs attempts to the server log, and a remangle.cgi that uses the info from the log to reproduce the exact same page. This could be done with this fuzzer too, but the problem is where to log. Filesystem access is restricted for obvious reasons. How about using document.cookie as a log?
Comment removed (Score:5, Informative)
Re: (Score:2)
browser that is only updated on patch Tuesday
browsers that is updated every two patch Tuesdays
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Don't read too much into the number of bugs found so far in each browser.
* Michal Zalewski (who created crossfuzz) works for Google, so of course he focused his own efforts on Webkit.
* Of the "60 bugs" found in Mozilla, 50 were found by me, with a significantly more powerful and yet unreleased fuzzer. If I pointed my fuzzer at other browsers, I'd find more bugs in the other browsers too.
* The low numbers for IE are from very brief testing.
Terrific Research, But... (Score:1)
Why is ANYONE with half a brain still using Microsoft browsers?
It has only been about a decade now of bad bugs being dribbled out and gradually fixed.
Why do companies still use MS Explorer?
Re: (Score:1)
> Why is ANYONE with half a brain still using Microsoft browsers?
Why is anyone with half a brain still using any Microsoft software at all?
Re:Terrific Research, But... (Score:5, Informative)
Corporate? ActiveX controls, trivial to keep up to date with WSUS, even when the user is non-admin and a firewall is blocking most outside downloads, accepts loads of configuration options from Active Directory Group Policies, etc.
Re: (Score:1)
Home users, no idea. Ignorance and apathy I suppose.
Ease of use, large amount of available software (games, in particular), out-of-the-box operation (aka 'it comes with the damn pc'), familiarity, large user base ('family member X knows something about computers and (s)he (also) uses windows, so (s)he can help me when I need help').
Re: (Score:2)
Re:Terrific Research, But... (Score:5, Funny)
> Why is ANYONE with half a brain still using Microsoft browsers?
Why is anyone with half a brain still using any Microsoft software at all?
People with half a brain should be using Linux instead?
Re: (Score:1)
There's a distro for that.
http://www.ubuntu.com/ [ubuntu.com]
http://ubuntuforums.org/ [ubuntuforums.org]
Re: (Score:1)
Why is anyone with half a brain still using any Microsoft software at all?
Because some of Microsoft's software is incredibly stable, compatible with all modern hardware, easy to use, has UI design that is consistent and makes sense, and will run nearly all software on the planet.
I tried using linux on my desktop, but after a kernel update made my machine randomly lockup and it took me more than a week to diagnose this, after I couldn't change my screen resolution because the ok / apply buttons weren't on the screen, after I spent a week trying to get my scanner working and fa
Re: (Score:1)
In Gnome and KDE you don't need the top bar with the minimize/maximize/close buttons to move a window around. You can hold Alt and drag the window with the mouse from anywhere.
Re: (Score:2)
Honestly I think you're defending Linux for all the wrong reasons. But you're right with the windows side of things. Advanced usability is missing, as is hardcore customisability. Linux does that nicely. Unfortunately basic usability is missing from Linux. The open source crowd needs some blood
Re: (Score:1)
no he said the ui is consistent when it changes everything every time, at least with linux gnome menus will still be remotely the same as other gnome menus
Re: (Score:2)
Re:Terrific Research, But... (Score:4, Insightful)
It comes preinstalled with the OS, it doesn't need any configuring (or, if needed, it syncs automatically with settings on a domain controller) and, for tasks actually needed in an office setting, it works.
No, it isn't "good" by any stretch of the word, but switching to a different browser is definitely not high up on the list of needed IT changes.
Re:Terrific Research, But... (Score:5, Interesting)
Momentum. A browser in operation tends to stay in operation unless acted upon by an outside IT consultant.
Re: (Score:1)
Re:Terrific Research, But... (Score:4, Insightful)
Because MSFT understands channel marketing. Their services, their products work with their tools. They've also fed that into the enterprise as well. Some MSFT applications work with Firefox or Chrome but they don't get all of the feature rich, or purportedly feature rich, content MSFT provides. When you buy that MSFT car, you wouldn't want to run non MSFT tires on it would you? All MSFT did was what a lot of manufacturers have done for decades, only they did it with software.
Re: (Score:3)
Funny, I have never even seen Ford brand tires, gas, oil, air filters, etc. etc..
Re: (Score:2)
I don't know about tires or gas, but oil and air filters? You bet. Ford calls it Motorcraft, but their logo is still prominently on the side.
Re: (Score:2)
Not maybe in your lifetime but... It was done by Henry Ford himself.
http://www.time.com/time/magazine/article/0,9171,788057,00.html [time.com]
I guess nobody reads history books anymore?
Re: (Score:2)
It WAS done, but that was before I was here to see it.
Certainly it's clear enough that the analogy fails, nobody is all torn up about not having Ford tires on their Ford cars.
Re: (Score:3)
So here's one for you that's maybe a bit more contemporary. You wouldn't want to run that app on your iPhone unless it came from the App Store, now would you? Because Apple knows better than you, things are put in place to prohibit you from downloading that app. Just ask Mark Fiore about that one. Because "we" control the channel, the entire distribution chain, we then control the product and we can force you to take what we want to give you.
All of this has been done before and to a much greater extent
Re: (Score:2)
Evidently there are enough people who DO want to run non-App Store apps on their iPhone that the necessary hack has been simplified down to "just click here" for the less technical users.
Considering that Firefox is busy outstripping IE, I'd say a lot of home users most certainly WOULD want to. It seems a lot of businesses do as well except that some of them are stuck on IE6 (and so can't 'upgrade' to Windows 7).
As for the rest, I can't really say. I run Linux except for a single old Dell named "Crash Test D
Re: (Score:2)
Here's another one:
Have you tried to run Outlook Web Express (Exchange) on Firefox? How about the same app on IE? Are they the same experience? hell no.
On Exchange 2010, yes they are, actually. One of the many reasons I'm really looking forward to our upgrade!
Re: (Score:2)
I don't know Ford's system, but for GM, all parts are "AC Delco" branded (tires not included), and all documentation recommends AC Delco replacement parts. So there's a good bit of truth to the statement...
Re: (Score:2)
Sure, but neither they (nor Ford's Motorcraft) sell gas or tires. Their share of the market for oil and air filters is modest. It's far away from
When you buy that MSFT car, you wouldn't want to run non MSFT tires on it would you?
Re: (Score:1)
Ford previously was an all Firestone purchaser.
Then Firestone was bought out by foreign-owned Bridgestone.
Currently the 3 top suppliers to Ford are: Goodyear, Michelin, Continental.
Re: (Score:2)
No Motorcraft tires either.
Re: (Score:2)
Firestone is related by marriage.
Re: (Score:1)
If you RTFA, you'll notice why this isn't looking as bad as the Slashdot summary reports it.
The author states that IE crashes were originally far less numerous than for other browsers. And most of them were not exploitable.
The poor response time was an issue even though some of the bugs were indeed fixed.
I'm sure the poor response time and the failure to acknowledge some of them is very frustrating for security researchers, but from a user perspective, I don't see IE being clearly more insecure as it was mo
Re: (Score:2)
Re: (Score:2)
When a Fortune 50 company decides to upgrade their global intranet which was previously compatible with only IE6 to a platform based on
Re: (Score:2)
1. Companies do not have any money to rebuild applications that are only compatible with Microsoft Products
2. Companies are unwilling to spend money on replacing systems that work.
3. Security is not a priority often as it costs money.
4. Just because the software is free doesn't mean the employee training, implementation project or any of the costs of switching don't matter.
Re: (Score:2)
Modern Internet Explorer:
We're not talking about IE6, and this isn't 2003. It's time to update your prejudices. IE9 is a decent standards-conforming browser. It's not all that exciting, but it's not awful, and I can understand why people are perfectly content with it.
Re: (Score:2)
Corporate policy restricts us to WinXP and IE7. I thought IE9 was still on the drawing boards.
Re: (Score:3)
We're not talking about IE6, and this isn't 2003. It's time to update your prejudices. IE9 is a decent standards-conforming browser.
You say that, but even compared with the current generation of browsers, IE9 is usually ranked towards the bottom, and it is not even released yet. Once that happens, it will have to compete with Firefox 4, Opera 12 (I guess) and Chrome developing at insane speeds. Microsoft has promised to catch up with IE7, and again with IE8, and again with IE9. But it seems that is all they are doing: playing catch up.
Re: (Score:1)
Why is ANYONE with half a brain still using Microsoft browsers?
It has only been about a decade now of bad bugs being dribbled out and gradually fixed.
Why do companies still use MS Explorer?
What bug free browser do you recommend people use? Firefox? chrome? Can you name even one not constantly having to release patches for P1 security issues? Does such a browser even exist?
There is little point with security relativism in this space when all of your choices == EPIC FAIL.
Re: (Score:1)
Re: (Score:2)
Why is ANYONE with half a brain still using Microsoft browsers?
It has only been about a decade now of bad bugs being dribbled out and gradually fixed.
Why do companies still use MS Explorer?
That means half a brain is not required to browse the Internet these days.
Re: (Score:2)
Why do companies still use MS Explorer?
Well in this case IE was found to have far fewer bugs than WebKit or Mozilla. They have all fixed some (but not all) of the reported bugs, so I don't think it is such an easy conclusion to say that you shouldn't use IE.
Personally, I am thinking of moving back to Opera. I have never been a fan of WebKit, and I don't think that Mozilla deserves the high praise that it gets for security. Of course, the best solution is to not trust any of the browsers.
Re: (Score:2)
Why do companies still use MS Explorer?
Because MSCE's and MVP's and their ilk hired in the IT department need to pledge their allegiance rigidly to MS solutions in order to cover up their own lack of competency.
As for home users, well a significant percentage of them wouldn't know a web browser from a street whore.
Re:Sandbox time? (Score:4, Funny)
And what if we put the VM... into ANOTHER VM? :O
Re: (Score:2)
But then with all the slowdown, how will I run my in browser flash games?!
Re: (Score:1)
Sup dawg, I heard you liked sandboxing. So I put a VM in your VM so you can Sandbox while you Sandbox.
Re: (Score:2)
....That way you have to find 3 security holes to compromise the computer.
...All three holes? The usual obsession of web whackers....
Re:Sandbox time? (Score:5, Insightful)
If browsers were exclusively used for reading web pages, securing them would be so much simpler...
Re: (Score:2)
Re: (Score:2)
IE7+ on Vista and Win7 is essentially sandboxed through protected mode. We don't know enough about the bugs to know real impacts, but if they don't break out of protected mode then the attacker can get very little done.
Of course this doesn't apply on XP, but only suckers use XP anymore.
Re: (Score:2)
Set up your user's machine to run Debian, and run Wintendo in a Virtualbox instance. Make a backup copy of the VM after the initial updates and basic apps install.
Then when Grandma's box gets something so nasty that system restore won't fix it, you can restore it to an original state from the backup copy.
Re: (Score:2)
Chrome wasn't tested by the researcher, so no mention is made as to whether it is affected or not. Safari figures under "All WebKit browsers" in the message and some bugs were found.
Re: (Score:2)
Re: (Score:3)
Oh, right. Forgot about that one, sorry.
*holds up geek card* So where do I turn in this thing?
Re: (Score:2)
I can't recall ever seeing more than 5 icons on a single article, so I would assume that this is a limit to slashdot's story posting system.
Your point is very valid--the article discusses browsers in general. Perhaps we should have an icon that applies to browsers in general or ignore browser icons altogether for articles such as this?
Still Crappy Code after all these years? (Score:2)
Fuzzing test logic has been around a while but again I still can't fathom why software vendors can't do a better job of using tools to certify their code. I can't ascertain from this report that these bugs create vulnerabilities or an in the wild attack. This report should read "IE 8 has bugs."
All this talk about Sandboxes as well can't be overlooked but what about the network level and intelligent traffic analysis. If all of a sudden you start seeing PCs launching IP traffic at strange addresses in Fore
Re: (Score:2)
I blame C++. Hard to parse, hard to analyze, full of surprises.
So do a few other people at Mozilla, who are working on a new systems language called Rust [github.com].
Unwanted Pop-Unders Still a Security Issue (Score:2)
I'm amazed the pop-under problem still hasn't been addressed in MSIE nor, more surprisingly, in Firefox - even at the highest security settings, pop-unders, such as the Netflix and screensaver ones, still get through - a potential security flaw.
I've searched the bug reports for Firefox in the past and pop-unders rank high on problems that people want fixed, and yet still aren't - seems to me if pop-up windows can be blocked, why can't pop-under windows? Doesn't make sense to me ...
The cynic in me thinks there
Re:Unwanted Pop-Unders Still a Security Issue (Score:4, Informative)
I'm amazed the pop-under problem still hasn't been addressed in MSIE nor, more surprisingly, in Firefox - even at the highest security settings, pop-unders, such as the Netflix and screensaver ones, still get through - a potential security flaw.
I've searched the bug reports for Firefox in the past and pop-unders rank high on problems that people want fixed, and yet still aren't - seems to me if pop-up windows can be blocked, why can't pop-under windows?
Pop-up windows are still a problem in Firefox. Websites have devised new ways to pop up annoying windows that Firefox apparently isn't able to block (as of FF4 beta 8).
Re:Unwanted Pop-Unders Still a Security Issue (Score:4, Informative)
It's not new, those popups are being delivered through Flash, rather than javascript.
Re: (Score:2)
No, at least Mozilla blocks Flash popups too. The issue is that these "popups" are created in response to user clicks, and the browser can't tell the difference between Live Jasmin spam and a legitimate, requested pop-up because both are run from the click event handler.
The only solution is to disable popups entirely, which will cause compatibility issues. This is why we can't have nice things.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
In most browsers, including Firefox, popups (including popunders) are blocked except when they appear in response to clicks.
In Firefox 4, we think we've solved the problem [mozilla.org] that allows popups to turn into popunders. Now that you see them right away, it should be clearer that they're appearing only in response to clicks, and you should be able to tell which sites they're coming from.
We need to see another version of Lynx (Score:1)
Who's writing these headlines? (Score:1)
His own post says "about one hundred." How does that turn into "Hundreds of browser bugs"?
And he does not say "some" of these bugs may be known to third parties. He says "at least one."
What he found is bad enough. Why the need to exaggerate?
Updates in TFA (Score:2)
Re: (Score:2)
The attacks created by this fuzzer occur only with scripts enabled. But the same researcher previously released mangleme, which fuzzed HTML and led to a significant number of HTML engine bugs being fixed.