Security Researcher Finds Hundreds of Browser Bugs

An anonymous reader writes "PC Magazine reports on a very understated late night post to the full-disclosure mailing list, in which security researcher Michael Zalewski shared a fuzzing tool reportedly capable of identifying over a hundred browser bugs. Some of these bugs, he says, may be already known to third parties in China. The report also includes an account of how browser vendors fared fixing these flaws so far. Not surprisingly, Microsoft's response timeline appears depressing."

Re:Terrific Research, But...

[fuzzyfuzzyfungus]

Home users, no idea. Ignorance and apathy I suppose.

Corporate? ActiveX controls, trivial to keep up to date with WSUS, even when the user is non-admin and a firewall is blocking most outside downloads, accepts loads of configuration options from Active Directory Group Policies, etc.

Re:Pass the salt please

[Barny]

And after much follow up in late December MS finally acknowledged that they were reproducible with the July version of the tool.

Basically this guy gave them over six months to fix the bugs, they bullshitted around and fixed one or two faults, then on the eve of his release of the tool (when all other affected vendors had worked closely with him to fix all the faults) MS tried to state that it was only the latest version of his tool that caused the majority of the bugs. The author said if this was the case he would hold off on release, but after testing found MS to still have a good supply of bullshit left (the flaws showed up with the older tool, which MS eventually conceded) so he released it on the date he said, January.

Once again MS not willing or just plain not wanting to work with a security expert and then said expert doesn't buy their crap and releases on the schedule set.

Re:Unwanted Pop-Unders Still a Security Issue

[rudy_wayne]

I'm amazed the pop-under problem still hasn't been addressed in MSIE nor, more surprisingly, in Firefox - even at the highest security settings, pop-unders, such as the Netflix and screensaver ones, still get through - a potential security flaw.

I've search the bug reports for Firefox in the past and pop-unders ranks high on problems that people want fixed, and yet still isn't - seems to me if pop-up windows can be blocked, why can't pop-under windows?

Pop-up windows are still a problem in Firefox. Websites have devised new ways to pop up annoying windows that Firefox apparently isn't able to block (as of FF4 beta 8).

Re:Unwanted Pop-Unders Still a Security Issue

[Vekseid]

It's not new, those popups are being delivered through Flash, rather than javascript.

Re:Pass the salt please

[CBM]

Never states?

"December 29, 2010: Response from MSRC confirms that these crashes are reproductible with the July 29 fuzzer; unclear why they were unable to replicate them earlier, or follow up on the case."

Re:Hard to get reproducible results

[hairyfeet]

But there are a couple of BIG differences between IE and the others that mean they should always looked at with more suspicion and scorn, and I'm a Windows guy. 1.-Refusing to backport IE 9 to XP means you are gonna have hundreds of millions of IE installs running on old versions, 2.- Thanks to their idiotic "Hey lets all run as admin!" design of XP when combined with IE just increases the risk of nasty, and 3.- the webkit based browsers, such as Chrome, Dragon, Safari, SWIron, etc at least attempt to sandbox the browser, whereas MSFT to kill off competition buried IE deeply into the system making IE the more dangerous choice.

Finally since you read TFA you would see that while the others kept working with the writer MSFT closed the ticket and cut off communication right up to when he said he would release even though the writer was able to replicate the bugs with the July tool and so was MSFT. Then when he was ready to release did they begin talking about "PR nightmare" instead of actually seeming concerned with the security of their browser. Lets be honest folks, IE was nothing but a tool to kill Netscape and once it had accomplished its goal it was left to rot. You had millions infected thanks to their lax treatment of security via IE 6, and they are just now trying to get to where everyone else was a year ago. Considering your browser is the closest your OS gets to being "bare metal" with the wild and woolly Internet trusting your machine to a browser that is only updated on patch Tuesday unless something completely embarrassing hits is more than a little nuts.

One of the nice things we have today is plenty of free choices is that department and thanks to the scourge of "This site requires IE" being all but a distant memory getting folks away from IE has never been easier. Just send them to Ninite and tell them which box to check. It is really just that easy. But trusting the weakest part of your security to a browser that always seems to be a day late, a dollar short, and has the biggest bullseye painted on it? There is a good reason to always assume the worst when it comes to IE, it is because that has been time and time again what you got.

Re:Known to third parties in China?

[Eil]

Dear Anonymous Coward,

You appear to be unfamiliar with how the World Wide Web works. When you see an underlined word or phrase (such as "already known to third parties in China"), that means you can click on it and your web browser will take you to a new page whereupon you can generally find more information on the word or phrase. It takes some practice but should eventually learn to get the hang of it.

Sincerely,
A Registered Slashdot User