[VIM] [ISN] Security expert dubs July the 'Month of browser bugs' (fwd)

security curmudgeon jericho at attrition.org
Mon Jul 31 04:35:16 EDT 2006

---------- Forwarded message ----------
From: security curmudgeon <jericho at attrition.org>
To: InfoSec News <isn at infosecnews.org>
Date: Mon, 31 Jul 2006 04:32:40 -0400 (EDT)
Subject: Re: [ISN] Security expert dubs July the 'Month of browser bugs'


: http://news.com.com/Security+expert+dubs+July+the+Month+of+browser+bugs/2100-1002_3-6090959.html
: By Greg Sandoval
: Staff Writer, CNET News.com
: July 5, 2006
: Each day this month, a prominent security expert will highlight a new
: vulnerability found in one of the major Internet browsers.
: HD Moore, the creator of Metasploit Framework, a tool that helps test
: whether a system is safe from intrusion, has dubbed July the Month of
: Browser Bugs. Already, the security researcher has featured five
: security flaws, three for Microsoft's Internet Explorer and one apiece
: for Mozilla's Firefox and Apple Computer's Safari.

Thirty one days later, MoBB is done! By far one of the more interesting
vulnerability disclosure projects we've seen this year. I have a strong
feeling that the real ramifications won't be realized until months later,
but until someone does a more thorough analysis.. my random thoughts.

First, HDM and I chatted almost every single day during the month, mostly
to coordinate the pre-assignment of OSVDB IDs for each bug. Due to the
schedule I keep, it was usually easy to check the blog around midnight
every night, and for 30 of the 31 days, he was right on time releasing the
next bug. Only on the 31st day did he finally fall behind by a whole two
hours (jeez, what a slacker!) in releasing the final bug. Ok ok, it wasn't
due to slacking, he had been working for hours trying to isolate the exact
details to fully understand and document the bug he had found in Safari.

31 browser bugs, what's the final breakdown?

MSIE:		25
Apple Safari:	2
Mozilla:	2
Opera:		1
Konqueror:	1

I'll let you make any conclusions you want. If I hadn't posted this, we'd
no doubt see at least one article saying how much more insecure MSIE is
than X and this is just proof of that. Hopefully the fact I posted that
last line might actually make a journalist stop and think, "why, is it
something else?!" GLAD YOU ASKED! Ok not really, but there is more to it
than W bugs in X browser vs Y bugs in Z browser so W must be more insecure
than Y!@$#! If you can't think of any such reasons, quit your job and go
to art school.

What if he had...
a) followed 'accepted' vulnerability disclosure guidelines? (the project
would have been dubbed the YoBB?)
b) sold his findings to the shops like ZDI or iDefense that pay for such
information? (he'd be rich?!)
c) sold his findings to a russian spam syndicate? (he'd be able to buy a
new iPod?!)
d) never posted a single bug in any fashion? (he and a dozen others would
all be sitting on this information)
e) provided even more easy point-and-drool exploitation? (we'd be reading
another CNET article about the latest spyware/adware that exploited..)

Want another month of browser bugs? Yes, he could continue on into August
without a problem. The amount of browser bugs is stupid. Apparently, the
idea of writing a basic fuzzer is still lost on the authors. The good
news, HDM will be releasing the fuzzer he used to find all these to the
public. Will an insane rush of browser bugs follow? We can hope!

Want another month of browser bugs? Then do it yourself. While it may
sound easy, researching each one to the degree HDM did is not easy and it
isn't fast. If you can devote between 15 minutes and 3 hours a day for 31
days, then go for it! Until then, as my friend major says, "never lick a
gift whore in the mouse."

The bugs:

27534		Apple Safari KHTMLParser::popOneBlock Code Execution
27532		Microsoft IE ADODB.Recordset SysFreeString Invalid Length
27533		Microsoft IE Orphan Object Property Access NULL Dereference
27530		Microsoft IE NDFXArtEffects Multiple Property Stack Overflow
27559		Mozilla Multiple Product Window Navigator Object Arbitrary Code Execution
27373		Microsoft IE Native Function Iteration NULL Dereference
27374		Opera CSS Background Property HTTPS Memory Corruption
27232		Microsoft IE NMSA.ASFSourceMediaDescription dispValue Overflow
27372		Microsoft IE Forms Multiple Object ListWidth Property Overflow
27231		Microsoft IE HTML Help COM Object Click Method NULL Dereference
27230		Microsoft IE CEnroll SysAllocStringLen Invalid Length
27111		Microsoft IE OWC11.DataSourceControl getDataMemberName Method Overflow
27112		Microsoft IE OVCtl NewDefaultItem Method NULL Dereference
27109		Microsoft IE DXImageTransform.Microsoft.Gradient Multiple Property
27110		Microsoft IE WebViewFolderIcon setSlice Overflow
27108		Microsoft IE MHTMLFile Multiple Property NULL Dereference
27059		Microsoft IE FolderItem Object NULL Dereference
27058		KDE Konqueror replaceChild() NULL Dereference
27057		Microsoft IE DXImageTransform.Microsoft.RevealTrans Transition Property
27056		Microsoft IE TriEditDocument URL Property NULL Dereference
27055		Microsoft IE HtmlDlgSafeHelper fonts Property NULL Dereference
27014		Microsoft IE Object.Microsoft.DXTFilter Enabled Property NULL Dereference
27013		Microsoft IE DirectAnimation.DAUserData Data Property NULL Dereference
26955		Microsoft IE RDS.DataControl SysAllocStringLen Invalid Length Issue
26837		Microsoft IE Frameset inside Table NULL Dereference
26839		Microsoft IE DirectAnimation.StructuredGraphicsControl SourceURL NULL
26838		Apple Safari DHTML setAttributeNode() NULL Dereference
26836		Microsoft IE OutlookExpress.AddressBook COM Object NULL Dereference
26835		Microsoft IE HTML Help COM Object Image Property Heap Overflow
26834		Microsoft IE ADODB.Recordset COM Object Filter Property NULL Dereference
24967		Mozilla Firefox iframe.contentWindow.focus() Overflow

More information about the VIM mailing list