A Browser Flaw a Day Keeps Hackers at Play

By Ryan Naraine  |  Posted 07-05-2006
A well-known hacker has stockpiled browser exploits and plans to release one flaw a day for the month of July to highlight the types of vulnerabilities affecting the world's most widely used Web browsers.

HD Moore, co-founder of the Metasploit Framework, has launched a new project called MoBB (Month of Browser Bugs) with daily releases of proof-of-concept code for flaws in Internet Explorer, Firefox, Safari, Opera and Konqueror.

"We will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution," Moore said in a blog entry announcing the project.

So far, four flaw warnings have been posted with accompanying exploit code. Three of the four pertain to Microsoft's dominant IE browser.

According to Moore, two of the IE bugs remain unpatched although they were reported to Microsoft on March 6, almost four months ago.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub.

The other alert addresses a bug in Mozilla's Firefox, but Moore noted that this has already been fixed in newer versions of the open-source browser.

Moore, who is renowned in security circles for his work regarding penetration testing and exploit creation, has recently turned his attention to Web browsers, collaborating on several fuzz-testing tools aimed at finding design flaws.

Fuzz testers, or fuzzers, are used by security researchers to find vulnerabilities by sending random input to an application. If the program contains a vulnerability that can leads to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash.

Moore has collaborated on three browser fuzzers—Hamachi, CSS-Die and DOM-Hanai—that have been used to put the major browsers through the security testing mill.

Hamachi, for example, is a utility that attempts to verify browser integrity by looking for common DHTML (Dynamic HTML) implementation flaws. The tool specifies common "bad" values for method arguments and property values. During tests, Moore noted that Firefox 1.5.0.1 passed all Hamachi tests without crashing.

Read the full story on eWEEK.com: A Browser Flaw a Day Keeps Hackers at Play