A Browser Flaw a Day Keeps Hackers at PlayBy Ryan Naraine | Posted 07-05-2006
HD Moore, co-founder of the Metasploit Framework, has launched a new project called MoBB (Month of Browser Bugs) with daily releases of proof-of-concept code for flaws in Internet Explorer, Firefox, Safari, Opera and Konqueror.
"We will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution," Moore said in a blog entry announcing the project.
So far, four flaw warnings have been posted with accompanying exploit code. Three of the four pertain to Microsoft's dominant IE browser.
According to Moore, two of the IE bugs remain unpatched although they were reported to Microsoft on March 6, almost four months ago.
The other alert addresses a bug in Mozilla's Firefox, but Moore noted that this has already been fixed in newer versions of the open-source browser.
Moore, who is renowned in security circles for his work regarding penetration testing and exploit creation, has recently turned his attention to Web browsers, collaborating on several fuzz-testing tools aimed at finding design flaws.
Fuzz testers, or fuzzers, are used by security researchers to find vulnerabilities by sending random input to an application. If the program contains a vulnerability that can leads to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash.
Hamachi, for example, is a utility that attempts to verify browser integrity by looking for common DHTML (Dynamic HTML) implementation flaws. The tool specifies common "bad" values for method arguments and property values. During tests, Moore noted that Firefox 188.8.131.52 passed all Hamachi tests without crashing.
Read the full story on eWEEK.com: A Browser Flaw a Day Keeps Hackers at Play