Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:45 AM
Connect Directly

Getting Buggy with the MOBB

Instigator of Month of Browser Bugs promises more fun stuff on the way

More than halfway through the Month of Browser Bugs (MOBB) project, and the mastermind behind the project says the best is yet to come.

HD Moore's been busy all month writing code that demonstrates bugs in all types of browsers. "Many of these are interesting because they point to larger problems in the underlying operating system and programming API," Moore says. "All Mozilla-based browsers are vulnerable to a code execution flaw that involves the garbage collection code in the javascript engine. I reported this bug last Friday and even the Mozilla developers are having a tough time tracking it down."

Security experts have been waiting for the other shoe to drop as Moore has revealed a new browser vulnerability each day this month. But so far no major browser attack outbreaks have hit, although researchers say they've seen signs of activity.

Moore says he'll reveal bugs this week in Opera 9, Internet Explorer 6, Internet Explorer 7, and possibly Safari or Konquerer.

Just yesterday, Moore released a malware search tool that combs Google's database for malicious software. Rumors were flying that Google would end up purging its index of malware, but as of presstime, Moore says he couldn't confirm it and Google was unavailable for comment.

Meanwhile, despite criticism that Moore's MOBB disclosures -- many of which the browser vendors were apprised of beforehand -- could do more harm than good in the wrong hands, Moore maintains that his demonstration code is relatively harmless. "The actual demonstration code I provide only results in a browser crash," he says. "While it is possible to turn some of these into working exploits, it will require time and skill to do so. I expect people will use this information to verify their browser security settings and as justification for changes in IT security policies."

In some cases, the bad guys already had many of these exploits in hand anyway. Many of the bugs Moore has highlighted so far this month have been around for some time, security experts say, and are basically permutations of previous bugs. One major theme among them is denial-of-service attacks, many of which use ActiveX objects. "They're calling something through the browser that they're not supposed to be calling," says Gunter Ollmann, director of Internet Security Systems' X-Force. "These types of attacks have been in use for about five years now."

David Aitel, CTO for ImmunitySec, which makes a commercial tool that competes with the freebie Metasploit Framework, agrees that most browser bugs have been around for a while. "No one is a unique snowflake," Aitel says. "Whichever one we exploit, someone already found and exploited long ago."

Moore says the only exploit he's seen hit so far is MOBB #2 on Internet Explorer 6, an image-based vulnerability. This one was already being exploited in the wild before Moore posted it after receiving information on it from a managed security services provider. Microsoft was informed about it back in March but hasn't patched it yet.

That disclosure didn't sit well with some hackers, according to Moore. "It triggered a storm of hate mail from Eastern Europe and Russia; someone was upset the bug they were exploiting became public," he says.

Just what shape in the wild the other browser exploits will take has yet to be seen, but ISS' Ollmann expects them to be used mostly as installers for malware. So a phishing scam, for example, would send a spam message with a URL that when clicked kicks off code that exploits the browser and installs a keylogger or bot agent, he says. "This is the most popular way of getting bots installed."

SecureWorks, meanwhile, has identified MOBB #17, a stack overflow, as the most dangerous of Moore's browser bugs to date and says developing it into malware is a no-brainer. "I thought those were all but extinct. This is the equivalent of finding a dinosaur in L.A.," says David Maynor, senior security researcher for SecureWorks. "We're watching that one" very intently, he says.

Some experts worry that Moore is arming the hackers. "His work will not have a substantial measurable impact on improving the security of browsers," says security expert Ira Winkler, and author of "Spies Among Us." "I've never been a fan of telling how you break the software. Proof of concept is equivalent to code that can go ahead and be modified for an attack."

Winkler argues that work like Moore's hurts users who aren't on top of their patches. And attacks occur in earnest after a software vendor releases patches, he notes.

But Moore's fans say his work is for the greater good. "He's highlighting obvious deficiencies in browsers, which will help these patches come out faster," Maynor says. The bottom line is the monetary incentive for these exploits, he says, and hackers are always on the lookout for them. "You can make $20,000 to $30,000 on a good browser bug," he says.

Maynor expects these testing tools will eventually be used by browser vendors in the quality assurance process in browser development. "I hope they start using these tools in the development process instead of writing bad code and creating band-aids for it," he says.

What happens on August 1? "It's a secret," Moore says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • SecureWorks Inc.
  • IBM Internet Security Systems

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Stop Defending Everything
    Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
    Small Business Security: 5 Tips on How and Where to Start
    Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
    Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
    Jai Vijayan, Contributing Writer,  2/13/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    How Enterprises Are Developing and Maintaining Secure Applications
    How Enterprises Are Developing and Maintaining Secure Applications
    The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-02-19
    The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.
    PUBLISHED: 2020-02-19
    The STARTTLS implementation in MailMarshal before 7.2 allows plaintext command injection.
    PUBLISHED: 2020-02-19
    ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
    PUBLISHED: 2020-02-19
    Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.
    PUBLISHED: 2020-02-19
    Insufficient type checks were employed prior to casting input data in SimpleXMLElement_exportNode and simplexml_import_dom. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive).