7/18/2006
09:45 AM

Getting Buggy with the MOBB

Instigator of Month of Browser Bugs promises more fun stuff on the way

The Month of Browser Bugs (MOBB) project is more than halfway through, and the mastermind behind it says the best is yet to come.

HD Moore's been busy all month writing code that demonstrates bugs in all types of browsers. "Many of these are interesting because they point to larger problems in the underlying operating system and programming API," Moore says. "All Mozilla-based browsers are vulnerable to a code execution flaw that involves the garbage collection code in the JavaScript engine. I reported this bug last Friday and even the Mozilla developers are having a tough time tracking it down."

Security experts have been waiting for the other shoe to drop as Moore has revealed a new browser vulnerability each day this month. But so far no major browser attack outbreaks have hit, although researchers say they've seen signs of activity.

Moore says he'll reveal bugs this week in Opera 9, Internet Explorer 6, Internet Explorer 7, and possibly Safari or Konqueror.

Just yesterday, Moore released a malware search tool that combs Google's index for malicious software. Rumors were flying that Google would end up purging its index of malware, but as of press time, Moore says he couldn't confirm it, and Google was unavailable for comment.

Meanwhile, despite criticism that Moore's MOBB disclosures -- many of which the browser vendors were apprised of beforehand -- could do more harm than good in the wrong hands, Moore maintains that his demonstration code is relatively harmless. "The actual demonstration code I provide only results in a browser crash," he says. "While it is possible to turn some of these into working exploits, it will require time and skill to do so. I expect people will use this information to verify their browser security settings and as justification for changes in IT security policies."

In some cases, the bad guys already had many of these exploits in hand anyway. Many of the bugs Moore has highlighted so far this month have been around for some time, security experts say, and are basically permutations of previous bugs. One major theme among them is denial-of-service attacks, many of which use ActiveX objects. "They're calling something through the browser that they're not supposed to be calling," says Gunter Ollmann, director of Internet Security Systems' X-Force. "These types of attacks have been in use for about five years now."

David Aitel, CTO for ImmunitySec, which makes a commercial tool that competes with the freebie Metasploit Framework, agrees that most browser bugs have been around for a while. "No one is a unique snowflake," Aitel says. "Whichever one we exploit, someone already found and exploited long ago."

Moore says the only exploit he's seen hit so far is MOBB #2 on Internet Explorer 6, an image-based vulnerability. This one was already being exploited in the wild before Moore posted it; he received information on it from a managed security services provider. Microsoft was informed about it back in March but hasn't patched it yet.

That disclosure didn't sit well with some hackers, according to Moore. "It triggered a storm of hate mail from Eastern Europe and Russia; someone was upset the bug they were exploiting became public," he says.

Just what shape the other browser exploits will take in the wild has yet to be seen, but ISS' Ollmann expects them to be used mostly as installers for malware. In a phishing scam, for example, a spam message would carry a URL that, when clicked, kicks off code that exploits the browser and installs a keylogger or bot agent, he says. "This is the most popular way of getting bots installed."

SecureWorks, meanwhile, has identified MOBB #17, a stack overflow, as the most dangerous of Moore's browser bugs to date and says developing it into malware is a no-brainer. "I thought those were all but extinct. This is the equivalent of finding a dinosaur in L.A.," says David Maynor, senior security researcher for SecureWorks. "We're watching that one" very intently, he says.

Some experts worry that Moore is arming the hackers. "His work will not have a substantial measurable impact on improving the security of browsers," says security expert Ira Winkler, author of "Spies Among Us." "I've never been a fan of telling how you break the software. Proof of concept is equivalent to code that can go ahead and be modified for an attack."

Winkler argues that work like Moore's hurts users who aren't on top of their patches, and he notes that attacks occur in earnest after a software vendor releases patches.

But Moore's fans say his work is for the greater good. "He's highlighting obvious deficiencies in browsers, which will help these patches come out faster," Maynor says. The bottom line is the monetary incentive for these exploits, he says, and hackers are always on the lookout for them. "You can make $20,000 to $30,000 on a good browser bug," he says.

Maynor expects these testing tools will eventually be used by browser vendors in the quality assurance process in browser development. "I hope they start using these tools in the development process instead of writing bad code and creating band-aids for it," he says.

What happens on August 1? "It's a secret," Moore says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...