Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:45 AM
Connect Directly

Getting Buggy with the MOBB

Instigator of Month of Browser Bugs promises more fun stuff on the way

More than halfway through the Month of Browser Bugs (MOBB) project, and the mastermind behind the project says the best is yet to come.

HD Moore's been busy all month writing code that demonstrates bugs in all types of browsers. "Many of these are interesting because they point to larger problems in the underlying operating system and programming API," Moore says. "All Mozilla-based browsers are vulnerable to a code execution flaw that involves the garbage collection code in the javascript engine. I reported this bug last Friday and even the Mozilla developers are having a tough time tracking it down."

Security experts have been waiting for the other shoe to drop as Moore has revealed a new browser vulnerability each day this month. But so far no major browser attack outbreaks have hit, although researchers say they've seen signs of activity.

Moore says he'll reveal bugs this week in Opera 9, Internet Explorer 6, Internet Explorer 7, and possibly Safari or Konquerer.

Just yesterday, Moore released a malware search tool that combs Google's database for malicious software. Rumors were flying that Google would end up purging its index of malware, but as of presstime, Moore says he couldn't confirm it and Google was unavailable for comment.

Meanwhile, despite criticism that Moore's MOBB disclosures -- many of which the browser vendors were apprised of beforehand -- could do more harm than good in the wrong hands, Moore maintains that his demonstration code is relatively harmless. "The actual demonstration code I provide only results in a browser crash," he says. "While it is possible to turn some of these into working exploits, it will require time and skill to do so. I expect people will use this information to verify their browser security settings and as justification for changes in IT security policies."

In some cases, the bad guys already had many of these exploits in hand anyway. Many of the bugs Moore has highlighted so far this month have been around for some time, security experts say, and are basically permutations of previous bugs. One major theme among them is denial-of-service attacks, many of which use ActiveX objects. "They're calling something through the browser that they're not supposed to be calling," says Gunter Ollmann, director of Internet Security Systems' X-Force. "These types of attacks have been in use for about five years now."

David Aitel, CTO for ImmunitySec, which makes a commercial tool that competes with the freebie Metasploit Framework, agrees that most browser bugs have been around for a while. "No one is a unique snowflake," Aitel says. "Whichever one we exploit, someone already found and exploited long ago."

Moore says the only exploit he's seen hit so far is MOBB #2 on Internet Explorer 6, an image-based vulnerability. This one was already being exploited in the wild before Moore posted it after receiving information on it from a managed security services provider. Microsoft was informed about it back in March but hasn't patched it yet.

That disclosure didn't sit well with some hackers, according to Moore. "It triggered a storm of hate mail from Eastern Europe and Russia; someone was upset the bug they were exploiting became public," he says.

Just what shape in the wild the other browser exploits will take has yet to be seen, but ISS' Ollmann expects them to be used mostly as installers for malware. So a phishing scam, for example, would send a spam message with a URL that when clicked kicks off code that exploits the browser and installs a keylogger or bot agent, he says. "This is the most popular way of getting bots installed."

SecureWorks, meanwhile, has identified MOBB #17, a stack overflow, as the most dangerous of Moore's browser bugs to date and says developing it into malware is a no-brainer. "I thought those were all but extinct. This is the equivalent of finding a dinosaur in L.A.," says David Maynor, senior security researcher for SecureWorks. "We're watching that one" very intently, he says.

Some experts worry that Moore is arming the hackers. "His work will not have a substantial measurable impact on improving the security of browsers," says security expert Ira Winkler, and author of "Spies Among Us." "I've never been a fan of telling how you break the software. Proof of concept is equivalent to code that can go ahead and be modified for an attack."

Winkler argues that work like Moore's hurts users who aren't on top of their patches. And attacks occur in earnest after a software vendor releases patches, he notes.

But Moore's fans say his work is for the greater good. "He's highlighting obvious deficiencies in browsers, which will help these patches come out faster," Maynor says. The bottom line is the monetary incentive for these exploits, he says, and hackers are always on the lookout for them. "You can make $20,000 to $30,000 on a good browser bug," he says.

Maynor expects these testing tools will eventually be used by browser vendors in the quality assurance process in browser development. "I hope they start using these tools in the development process instead of writing bad code and creating band-aids for it," he says.

What happens on August 1? "It's a secret," Moore says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • SecureWorks Inc.
  • IBM Internet Security Systems

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 9/21/2020
    Cybersecurity Bounces Back, but Talent Still Absent
    Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
    Meet the Computer Scientist Who Helped Push for Paper Ballots
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
    Register for Dark Reading Newsletters
    White Papers
    Latest Comment: Exactly
    Current Issue
    Special Report: Computing's New Normal
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    How IT Security Organizations are Attacking the Cybersecurity Problem
    How IT Security Organizations are Attacking the Cybersecurity Problem
    The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-09-21
    IBM WebSphere Application Server Liberty through running oauth-2.0 or openidConnectServer-1.0 server features is vulnerable to a denial of service attack conducted by an authenticated client. IBM X-Force ID: 184650.
    PUBLISHED: 2020-09-21
    IBM Aspera Web Application 1.9.14 PL1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188055.
    PUBLISHED: 2020-09-21
    IBM Business Automation Content Analyzer on Cloud 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the i...
    PUBLISHED: 2020-09-21
    IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted HTTP/2 request with invalid characters. IBM X-Force ID: 184438.
    PUBLISHED: 2020-09-21
    IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted a JSON request with invalid characters. IBM X-Force ID: 184439.