Security Researcher Finds Hundreds of Browser Bugs
An anonymous reader writes "PC Magazine reports on a very understated late night post to the full-disclosure mailing list, in which security researcher Michael Zalewski shared a fuzzing tool reportedly capable of identifying over a hundred browser bugs. Some of these bugs, he says, may be already known to third parties in China. The report also includes an account of how browser vendors fared fixing these flaws so far. Not surprisingly, Microsoft's response timeline appears depressing."
I've learned from these Slashdot stories that they are often not as bad as they sound. "First Linux Virus" or something like it, usually means a script that deletes your files, that you mail to your enemy,
Why just China? If they are known to third parties, chances are there are a lot more people that know than just China, and China is not that high on the list of people to fear on this. Why the emphasis here?
FTFA: "The design of the fuzzer makes it unexpectedly difficult to get clean, deterministic repros; to that effect, in the current versions of all the affected browsers, we are still seeing a collection of elusive problems when running the tool - and some not-so-elusive ones."
This might help explain at least part of the difficult communication with Microsoft.
Why is ANYONE with half a brain still using Microsoft browsers?
It has only been about a decade now of bad bugs being dribbled out and gradually fixed.
Why do companies still use MS Explorer?
It's time to sandbox the entire browser. And put the sandbox in a VM.
That way you have to find 3 security holes to compromise the computer.
The story has been tagged with Firefox and IE icons. Does this imply that the other major browsers aren't affected? TFA makes no specific mention of Firefox BTW. So I'm assuming the Firefox icon is for fairness's sake (i.e. it's not the usual M$ problemo). However, there are no icons for Chrome and Safari.
Fuzzing test logic has been around a while, but again I still can't fathom why software vendors can't do a better job of using tools to certify their code. I can't ascertain from this report that these bugs create vulnerabilities or an in-the-wild attack. This report should read "IE 8 has bugs."
All this talk about sandboxes as well can't be overlooked, but what about the network level and intelligent traffic analysis? If all of a sudden you start seeing PCs launching IP traffic at strange addresses in foreign lands, I think a firewall could then be employed to block it until such time as an analysis could be done to find out what's going on. Even so, if PCs start feeding data to private PCs or unknown networks then that's certainly something that can be corralled at the network level as well.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
I mean come on, there is a 1 year 2 month window between first bugs being reported and new issues with the next version being passed on.
Which adds up to about the 1 year longer it took MS to fix the issues!
Well knock me down, in over a year don't tell me that a program designed to stress test browsers that is undergoing changes being run on a year's worth of updates is causing more issues!
"Early fixes from Opera and Apple started shipping somewhere in 2008; some more arrived in 2009."
The original MS fix took two months, from May to July 2008. Then we jump through to Sept. 2009!! One year and two months because of, and I quote, "after multiple delays at the request of other vendors".
The only time the response by MS seems to have been 'depressing' it seems to be a 4 month window when for whatever reason MS forgot about or lost the response, that does happen occasionally, and yet when that was identified it seems the response was to get in, kick ass and keep working on the issues. With more back and forth communication in the last ten days of the year, over the holiday period, than one has the right to expect.
How about we change the last MS bashing bit to "MS Spends months trying to fix "fairly quickly crashes""
or we could try, "New versions of stress software cause new bugs that need to be fixed by MS"
Seems like if you disable scripting, then you're just down to buffer overruns and such in the HTML engine or image display libraries. But disabling scripts has got to remove a HUGE attack surface. It seems like running a good AppArmor profile would remove most of the rest of the attack surface.
I'm amazed the pop-under problem still hasn't been addressed in MSIE nor, more surprisingly, in Firefox - even at the highest security settings, pop-unders, such as the Netflix and screensaver ones, still get through - a potential security flaw.
I've searched the bug reports for Firefox in the past and pop-unders rank high on problems that people want fixed, and yet still aren't - seems to me if pop-up windows can be blocked, why can't pop-under windows? Doesn't make sense to me ...
The cynic in me thinks there's some financial incentives for Firefox developers who happen to know how to fix the pop-under issue to not do so. Especially since some large companies, such as Netflix, and various popular websites, including Accuweather.com, heavily utilize pop-unders it makes me wonder, but I digress.
Ron
Seriously. Today's browsers need to implement so many technologies that they automatically get bloated. There is CSS, various HTML versions, XHTML (in various versions and dialects), XSLT, MathML, vector graphics (SVG), RSS, Atom, {Java, ECMA}Script, various image formats (JPEG, GIF, PNG, ..), etc. The code gets so utterly complicated that it inherently contains many, many vulnerabilities. Just take a look at the Firefox/gecko code, for example.
Do you think HTML5 is a good idea? Well, it probably is in order to get rid of ugly third-party plugins like flash and java. However, it's going to make browsers even more complicated (and therefore likely less secure).
I sometimes wish there was some sort of "legacy" web which would contain all the information, just without the glossy rubbish. Gopher someone?
At 83 with years of computer experience I can't understand for the life of me why people dislike Microsoft so much. When I was growing up the American dream was to build a business and make it grow like crazy. Bill Gates did exactly that. So to me he represents the culmination of an American dream. That said, the main reason Microsoft gets pummeled with exploits is that they are a huge target. Virus writers want to make a name for themselves so they go after the biggest targets. My answer is simple - I use Windows Security Essentials - a free virus tool from MS and I haven't had a virus since I started using it. Many of the commercial anti-virus folks aren't real happy but frankly I don't care. And yes - I do run other tools occasionally to ensure that all is well. You say you don't like Microsoft? I say "fine - no problem - you use whatever floats your boat but stop taking pot shots at MS." You don't need to use it and you don't need to like it. I don't care. I don't take shots at any "...ix" versions. You're welcome to use them or whatever you want. I just happen to love all things Microsoft and get a lot of work done using them. Take pot shots at me if you like - my name is Bud Aaron and you will find me with a simple name search.
We need to see some kind of lightweight VM machine running in a sandbox on the Windows OS, which acts and looks just like a web browser to anybody using it, and saves downloaded files to a directory on the Windows desktop folder in a directory named "Downloads". Today the majority of users certainly have the CPU power to pull it off; why not run it completely in RAM too, to facilitate never having to access the hard drive. It would probably be the fastest web browser ever made, and the most secure.
It's Michal, not Michael
Anyone tested with emet 2 running on the browsers?
Who's writing these headlines?
His own post says "about one hundred." How does that turn into "Hundreds of browser bugs"?
And he does not say "some" of these bugs may be known to third parties. He says "at least one."
What he found is bad enough. Why the need to exaggerate?
Read the link where the Chinese are mentioned.
Chinese IPs were accessing the developers' web page with Google referer strings that showed they were searching for the two functions involved in the vulnerability, despite there being no other mentions of those functions on the internet at the time.
I'm the author of TFA and I have made changes to include reactions from Microsoft and Zalewski. - Larry Seltzer, PC Magazine
FF vulns have been exploited for some weeks now. Ta Cyber Command, now fuck right off.
"I've found by moving users away from IE I've had their rate of infection drop by a good 75% on fully patched XP machines tells me all I need to know in all honestly" - by hairyfeet (841228) on Monday January 03, @01:35AM (#34741562)
By using a custom HOSTS file, I've seen myself go to NO MALWARE INFESTATIONS for over 15++ yrs. now online, & others have been seeing the same results for over 5 yrs. now:
---
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
FROM http://tech.slashdot.org/comments.pl?sid=1907528&cid=34532122
---
Wait, because IT GETS BETTER (especially for this fellow, considering he runs Windows 2000 UNPATCHED, with no antivirus program & no antispyware program, or a firewall even (though we did substitute in PORT FILTERING, often called "the poor man's firewall" for him)):
---
"the use of the hosts file has worked for me in many ways. for one it stops ad banners, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i do not get 200++ viruses and spy ware a month as i use to. now i am lucky if i get 1 or 2 viruses a month. if you want my opinion if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spy ware, but if you do get hit with viruses and spy ware then it will your own fault. keep up the good fight APK."
FROM -> http://forums.theplanet.com/index.php?showtopic=89123&st=60&start=60
---
That's a GIGANTIC & MANY ORDERS OF MAGNITUDE DECREASE IN MALWARE INFESTATIONS, far more than 75% that moving away from IE gave you per your quoted statements... & it's also on a totally unpatched system + otherwise unsecured system via antivirus/antispyware programs, OR even a typical firewall program
(Where the user removed SOME ENTRIES in the hosts file himself (he likes "certain kinds of sites" is why, you fill that in yourself), & even thinks that is where he got his infection from & how - we'd spoken via email before, & he wanted to see just how effective a hosts file can be, for added layered security, & there was nobody offering a BETTER WAY TO TEST IT, than he had, from those I correspond in email with regarding that much either... so, we tried it, & those were the results).
APK
P.S.=> So, overall? Well - That's better results, using a custom HOSTS file, than you're saying by moving away from IE alone!
Even though I'd recommend that myself, & I do, here http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE for added "layered security" (more like added layered common-sense)... apk
And if I give them a magical LOLCat infection rates will go down by 10,000% and magic pixies will appear to rub their little footies and... wait a tick, that is a, what do you call it, oh yeah, an anecdote and doesn't prove jack, which is why I put a disclaimer at the front instead of trying to pass it off as proof like you do Petey, but you KNOW this, don't you?
Poor wittle APK, also known as "Petey, the idiot HOPES file guy". As in you HOPES that one of the 300,000+ constantly changing array of websites that are infected doesn't happen to be the one you visit today? Or that you HOPES that nobody notices after repeatedly being asked you have FAILED to show even the tiniest shred of mathematical proof that your magical woobie can scale? That you HOPES nobody notices your only "proof" is anecdotes, often by your own sock puppets like Kingsjester?
Remember Petey, I'm not the ponce making outrageous claims, so it is up to you to show the math instead of wasting everyone's time waving your little shriveled winkie around by making claims with no mathematical proof and nothing but anecdotes as "evidence". After all, those that think the earth is only 6000 years old have a full boat of anecdotes to back up THEIR claims as well, but we still think they are just as batshit as you, now don't we?
The simple fact is this: no matter how many times trollie says "1+1 = 3" the math simply proves you wrong and THAT is why all you can do is throw insults. You have 190,000 to 340,000 infected websites at this very moment and that list will change by the thousands per minute as sites are cleaned, new sites are infected, new vulnerabilities found, etc. Now for your HOPES file to actually be a REAL protection and not just a woobie? It will have to dynamically scale and keep up with that ever changing list of infections. Now even if you had twenty fingers and subscribed to every security list on the planet your HOPES file will ALWAYS BE OUT OF DATE and behind the curve. Always. Don't like those numbers? Use the ones from Securina, Grisoft, Symantec, any reputable security site. YOU CHOOSE. I have shown mathematically you are full of shit, now let's see your math that proves me wrong PETEY.
Now if you have a mathematical proof that shows how a static .txt file dropped into system32 can magically scale dynamically? Let's see it. Otherwise it is NOTHING more than a magical LOLCat pic backed up by anecdotes. That is the nice thing about math, it doesn't lie or believe in anecdotes. So it is all on Petey and your magical HOPES woobie now. YOU made the extravagant claims, back them up with the math. If you can't? Well then you are full of shit, case closed. Notice how ALL YOU CAN DO is throw insults and trollbomb? Why is that? I'll tell you why, because math doesn't lie and you just can't show the math, you just can't do it or you would have by now, but it would be like trying to mathematically prove you are not an idiot PETEY. It just can't be done.
So please, keep posting APK, I do so enjoy pointing out the total uber fail of your magical woobie so. I also personally consider it a public service to point people to solutions that actually work instead of relying on magical woobies and anecdotes. And of course bitch slapping you around is also quite fun!
ACs don't waste your time replying, your posts are never seen by me.
"I do so enjoy pointing out the total uber fail of your magical woobie so. I also personally consider it a public service to point people to solutions that actually work" - by hairyfeet (841228) bassbeast1968NO@SPAMgmail.com on Monday January 03, @03:04PM (#34746796)
Ready fool? Ok, let's see how "perfect" your "solutions" REALLY are, below (not yours, you didn't create them - you merely USE THEM, like a trained chimpanzee that you are, techie boy):
---
MULTIPLE EVIDENCES OF ANTIVIRUS &/or ANTISPYWARE PROGRAM FAILURES + SHORTCOMINGS:
http://www.theregister.co.uk/2007/12/04/win_2000_virus_tests/
http://www.securityfocus.com/infocus/1839
http://it.slashdot.org/it/08/11/07/1545238.shtml
---
(Want more? Here comes, on their "heuristics" too)
ANTIVIRUS HEURISTICS EFFECTIVENESS EVIDENCES (i.e. - NOT 100% EFFECTIVE AND GETS FALSE POSITIVES):
---
The sorry state of Avira anti-virus heuristics:
http://grack.com/blog/2010/03/17/the-sorry-state-of-avira-anti-virus-heuristics/
PERTINENT QUOTE/EXCERPT:
"Considering that the risk of false positives is so high (and users might be trained to ignore other, potentially valid virus warnings), I'd say that users are worse off with this virus definition than they are without."
---
(As "1 example thereof", because the very word "HEURISTICS" equates basically to hairyfeet's very bitch here - guesstimation technology really, in that it uses "does it smell/taste/look like a duck" type tech, & it makes mistakes... period, see above!)
---
"You have 190,000 to 340,000 infected websites at this very moment and that list will change by the thousands per minute as sites are cleaned, new sites are infected, new vulnerabilities found, etc. Now for your HOPES file to actually be a REAL protection and not just a woobie? It will have to dynamically scale and keep up with that ever changing list of infections. Now even if you had twenty fingers and subscribed to every security list on the planet your HOPES file will ALWAYS BE OUT OF DATE and behind the curve. Always. Don't like those numbers? Use the ones from Securina, Grisoft, Symantec, any reputable security site. YOU CHOOSE. I have shown mathematically you are full of shit, now lets see you math that proves me wrong PETEY." - by hairyfeet (841228) bassbeast1968NO@SPAMgmail.com on Monday January 03, @03:04PM (#34746796)
I just did above, vs. your "suggested solutions" lol... easily!
You're "shot down in flames", yet again, hairyfeet... TOO easily!
There is NO WAY THEY CAN KEEP UP WITH NEW MALWARES BEING MADE either... and you say they "work"? See above!
(They're "better than nothing", & I use them myself, for added LAYERED SECURITY - but, I don't put my entire FAITH ON THEM, as you appear to do!)
---
"As in you HOPES that one of the 300,000+ constantly changing array of websites that are infected doesn't happen to be the one you visit today?" - by hairyfeet (841228) bassbeast1968NO@SPAMgmail.com on Monday January 03, @03:04PM (#34746796)
I use these reputable, reliable, & regularly updated (by the HOUR no less) sources to populate my HOSTS file:
---
http://www.mvps.org/winhelp2002/hosts.htm
http://someonewhocares.org/hosts/
http://hostsfile.org/hosts.html
http://hostsfile.mine.nu/downloads/
You've also got to consider the fact that hairyfeet here is MERELY a tech, & one that makes his living off of others' misfortunes online, and if malware removal (a big part of his day no doubt) is non-sequitur & a thing of the past? Well, where is hairyfeet going to make his income from??
I.E.-> It's not in hairyfeet, or other "techies"' truly 'best interests' to have you cleaned & fortified so you cannot get malware (otherwise, again, they won't make as much monies from YOUR return business due to being RE-INFECTED again...).
Think about it...
His "solutions" in antivirus/antispyware aren't perfect, & the URLs above show anyone that much, as did my last reply -> http://slashdot.org/comments.pl?sid=1931788&cid=34747678 to his foaming @ the mouth rant.
Hairyfeet, "oddly" (not), also isn't telling you there is far more you can do for the working concept of "layered security" either, than just his "solutions" (which again, are shown to be IMPERFECT in the URLs above), funny that, eh? Not.
APK
P.S.=> Hairyfeet, don't try to "take me on" again, or troll me like you have the past couple weeks... it always, ALWAYS, ends quite badly for you... see above! apk