Analytics
7/18/2006
09:45 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Getting Buggy with the MOBB

Instigator of Month of Browser Bugs promises more fun stuff on the way

More than halfway through the Month of Browser Bugs (MOBB) project, and the mastermind behind the project says the best is yet to come.

HD Moore's been busy all month writing code that demonstrates bugs in all types of browsers. "Many of these are interesting because they point to larger problems in the underlying operating system and programming API," Moore says. "All Mozilla-based browsers are vulnerable to a code execution flaw that involves the garbage collection code in the javascript engine. I reported this bug last Friday and even the Mozilla developers are having a tough time tracking it down."

Security experts have been waiting for the other shoe to drop as Moore has revealed a new browser vulnerability each day this month. But so far no major browser attack outbreaks have hit, although researchers say they've seen signs of activity.

Moore says he'll reveal bugs this week in Opera 9, Internet Explorer 6, Internet Explorer 7, and possibly Safari or Konquerer.

Just yesterday, Moore released a malware search tool that combs Google's database for malicious software. Rumors were flying that Google would end up purging its index of malware, but as of presstime, Moore says he couldn't confirm it and Google was unavailable for comment.

Meanwhile, despite criticism that Moore's MOBB disclosures -- many of which the browser vendors were apprised of beforehand -- could do more harm than good in the wrong hands, Moore maintains that his demonstration code is relatively harmless. "The actual demonstration code I provide only results in a browser crash," he says. "While it is possible to turn some of these into working exploits, it will require time and skill to do so. I expect people will use this information to verify their browser security settings and as justification for changes in IT security policies."

In some cases, the bad guys already had many of these exploits in hand anyway. Many of the bugs Moore has highlighted so far this month have been around for some time, security experts say, and are basically permutations of previous bugs. One major theme among them is denial-of-service attacks, many of which use ActiveX objects. "They're calling something through the browser that they're not supposed to be calling," says Gunter Ollmann, director of Internet Security Systems' X-Force. "These types of attacks have been in use for about five years now."

David Aitel, CTO for ImmunitySec, which makes a commercial tool that competes with the freebie Metasploit Framework, agrees that most browser bugs have been around for a while. "No one is a unique snowflake," Aitel says. "Whichever one we exploit, someone already found and exploited long ago."

Moore says the only exploit he's seen hit so far is MOBB #2 on Internet Explorer 6, an image-based vulnerability. This one was already being exploited in the wild before Moore posted it after receiving information on it from a managed security services provider. Microsoft was informed about it back in March but hasn't patched it yet.

That disclosure didn't sit well with some hackers, according to Moore. "It triggered a storm of hate mail from Eastern Europe and Russia; someone was upset the bug they were exploiting became public," he says.

Just what shape in the wild the other browser exploits will take has yet to be seen, but ISS' Ollmann expects them to be used mostly as installers for malware. So a phishing scam, for example, would send a spam message with a URL that when clicked kicks off code that exploits the browser and installs a keylogger or bot agent, he says. "This is the most popular way of getting bots installed."

SecureWorks, meanwhile, has identified MOBB #17, a stack overflow, as the most dangerous of Moore's browser bugs to date and says developing it into malware is a no-brainer. "I thought those were all but extinct. This is the equivalent of finding a dinosaur in L.A.," says David Maynor, senior security researcher for SecureWorks. "We're watching that one" very intently, he says.

Some experts worry that Moore is arming the hackers. "His work will not have a substantial measurable impact on improving the security of browsers," says security expert Ira Winkler, and author of "Spies Among Us." "I've never been a fan of telling how you break the software. Proof of concept is equivalent to code that can go ahead and be modified for an attack."

Winkler argues that work like Moore's hurts users who aren't on top of their patches. And attacks occur in earnest after a software vendor releases patches, he notes.

But Moore's fans say his work is for the greater good. "He's highlighting obvious deficiencies in browsers, which will help these patches come out faster," Maynor says. The bottom line is the monetary incentive for these exploits, he says, and hackers are always on the lookout for them. "You can make $20,000 to $30,000 on a good browser bug," he says.

Maynor expects these testing tools will eventually be used by browser vendors in the quality assurance process in browser development. "I hope they start using these tools in the development process instead of writing bad code and creating band-aids for it," he says.

What happens on August 1? "It's a secret," Moore says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • SecureWorks Inc.
  • IBM Internet Security Systems

    Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Register for Dark Reading Newsletters
    White Papers
    Cartoon
    Current Issue
    Video
    Slideshows
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2012-3946
    Published: 2014-04-24
    Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

    CVE-2012-5723
    Published: 2014-04-24
    Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

    CVE-2013-6738
    Published: 2014-04-24
    Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

    CVE-2014-0188
    Published: 2014-04-24
    The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

    CVE-2014-2391
    Published: 2014-04-24
    The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

    Best of the Web