Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

7/18/2006
09:45 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Getting Buggy with the MOBB

Instigator of Month of Browser Bugs promises more fun stuff on the way

More than halfway through the Month of Browser Bugs (MOBB) project, and the mastermind behind the project says the best is yet to come.

HD Moore's been busy all month writing code that demonstrates bugs in all types of browsers. "Many of these are interesting because they point to larger problems in the underlying operating system and programming API," Moore says. "All Mozilla-based browsers are vulnerable to a code execution flaw that involves the garbage collection code in the javascript engine. I reported this bug last Friday and even the Mozilla developers are having a tough time tracking it down."

Security experts have been waiting for the other shoe to drop as Moore has revealed a new browser vulnerability each day this month. But so far no major browser attack outbreaks have hit, although researchers say they've seen signs of activity.

Moore says he'll reveal bugs this week in Opera 9, Internet Explorer 6, Internet Explorer 7, and possibly Safari or Konquerer.

Just yesterday, Moore released a malware search tool that combs Google's database for malicious software. Rumors were flying that Google would end up purging its index of malware, but as of presstime, Moore says he couldn't confirm it and Google was unavailable for comment.

Meanwhile, despite criticism that Moore's MOBB disclosures -- many of which the browser vendors were apprised of beforehand -- could do more harm than good in the wrong hands, Moore maintains that his demonstration code is relatively harmless. "The actual demonstration code I provide only results in a browser crash," he says. "While it is possible to turn some of these into working exploits, it will require time and skill to do so. I expect people will use this information to verify their browser security settings and as justification for changes in IT security policies."

In some cases, the bad guys already had many of these exploits in hand anyway. Many of the bugs Moore has highlighted so far this month have been around for some time, security experts say, and are basically permutations of previous bugs. One major theme among them is denial-of-service attacks, many of which use ActiveX objects. "They're calling something through the browser that they're not supposed to be calling," says Gunter Ollmann, director of Internet Security Systems' X-Force. "These types of attacks have been in use for about five years now."

David Aitel, CTO for ImmunitySec, which makes a commercial tool that competes with the freebie Metasploit Framework, agrees that most browser bugs have been around for a while. "No one is a unique snowflake," Aitel says. "Whichever one we exploit, someone already found and exploited long ago."

Moore says the only exploit he's seen hit so far is MOBB #2 on Internet Explorer 6, an image-based vulnerability. This one was already being exploited in the wild before Moore posted it after receiving information on it from a managed security services provider. Microsoft was informed about it back in March but hasn't patched it yet.

That disclosure didn't sit well with some hackers, according to Moore. "It triggered a storm of hate mail from Eastern Europe and Russia; someone was upset the bug they were exploiting became public," he says.

Just what shape in the wild the other browser exploits will take has yet to be seen, but ISS' Ollmann expects them to be used mostly as installers for malware. So a phishing scam, for example, would send a spam message with a URL that when clicked kicks off code that exploits the browser and installs a keylogger or bot agent, he says. "This is the most popular way of getting bots installed."

SecureWorks, meanwhile, has identified MOBB #17, a stack overflow, as the most dangerous of Moore's browser bugs to date and says developing it into malware is a no-brainer. "I thought those were all but extinct. This is the equivalent of finding a dinosaur in L.A.," says David Maynor, senior security researcher for SecureWorks. "We're watching that one" very intently, he says.

Some experts worry that Moore is arming the hackers. "His work will not have a substantial measurable impact on improving the security of browsers," says security expert Ira Winkler, and author of "Spies Among Us." "I've never been a fan of telling how you break the software. Proof of concept is equivalent to code that can go ahead and be modified for an attack."

Winkler argues that work like Moore's hurts users who aren't on top of their patches. And attacks occur in earnest after a software vendor releases patches, he notes.

But Moore's fans say his work is for the greater good. "He's highlighting obvious deficiencies in browsers, which will help these patches come out faster," Maynor says. The bottom line is the monetary incentive for these exploits, he says, and hackers are always on the lookout for them. "You can make $20,000 to $30,000 on a good browser bug," he says.

Maynor expects these testing tools will eventually be used by browser vendors in the quality assurance process in browser development. "I hope they start using these tools in the development process instead of writing bad code and creating band-aids for it," he says.

What happens on August 1? "It's a secret," Moore says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • SecureWorks Inc.
  • IBM Internet Security Systems

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    For Cybersecurity to Be Proactive, Terrains Must Be Mapped
    Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
    A Realistic Threat Model for the Masses
    Lysa Myers, Security Researcher, ESET,  10/9/2019
    USB Drive Security Still Lags
    Dark Reading Staff 10/9/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    2019 Online Malware and Threats
    2019 Online Malware and Threats
    As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-17545
    PUBLISHED: 2019-10-14
    GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
    CVE-2019-17546
    PUBLISHED: 2019-10-14
    tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
    CVE-2019-17547
    PUBLISHED: 2019-10-14
    In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a use-after-free.
    CVE-2019-17501
    PUBLISHED: 2019-10-14
    Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
    CVE-2019-17539
    PUBLISHED: 2019-10-14
    In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.