Security Researcher Finds Hundreds of Browser Bugs
An anonymous reader writes "PC Magazine reports on a very understated late night post to the full-disclosure mailing list, in which security researcher Michael Zalewski shared a fuzzing tool reportedly capable of identifying over a hundred browser bugs. Some of these bugs, he says, may be already known to third parties in China. The report also includes an account of how browser vendors fared fixing these flaws so far. Not surprisingly, Microsoft's response timeline appears depressing."
Why just China? If they are known to third parties, chances are there are a lot more people who know than just China, and China is not that high on the list of people to fear on this. Why the emphasis here?
It depends on the exact bug that is triggered. When a security researcher mentions "potentially exploitable bug" it could be serious. Very often a memory corruption is a first step into more serious exploits.
extern warranty;
main()
{
(void)warranty;
}
FTFA: The design of the fuzzer makes it unexpectedly difficult to get clean, deterministic repros; to that effect, in the current versions of all the affected browsers, we are still seeing a collection of elusive problems when running the tool - and some not-so-elusive ones.
This might help explain at least part of the difficult communication with Microsoft.
It comes preinstalled with the OS, it doesn't need any configuring (or, if needed, it syncs automatically with settings on a domain controller) and, for tasks actually needed in an office setting, it works.
No, it isn't "good" by any stretch of the word, but switching to a different browser is definitely not high up on the list of needed IT changes.
"We are the music makers, and we are the dreamers of dreams [...]."
And what if we put the VM... into ANOTHER VM? :O
Momentum. A browser in operation tends to stay in operation unless acted upon by an outside IT consultant.
Check out my sci-fi/humor trilogy at PatriotsBooks.
...maybe not very serious, nothing a program restart wouldn't fix, but still - damage.
I'm sorry, what?
Most browsers don't run in a particularly well secured sandbox. Sure there are additional security features, but the majority of people today still seem to be running (1) outdated browsers (2) as administrators (3) without any clue whatsoever regarding security.
A security flaw exposed from this fuzzer could easily end up being a major trojan outbreak. Not exactly something you fix by restarting Firefox...
Home users, no idea. Ignorance and apathy I suppose.
Corporate? ActiveX controls, trivial to keep up to date with WSUS, even when the user is non-admin and a firewall is blocking most outside downloads, accepts loads of configuration options from Active Directory Group Policies, etc.
That runs into the convenience problem: Downloading pictures, files, executables, etc. and printing stuff are ridiculously common use cases for browsers. So too is the old 'opening a link in some other program in a browser'. Thus, any sort of security mechanism that makes those more of a pain will run into user resistance. Any sort of security mechanism that initially blocks those and then introduces a bunch of workarounds (shared filesystem location between VM and computer, virtual printer in VM mapping to real spooler, some sort of local process that catches URLs and passes them into the sandbox, etc.) also raises the possibility of serious bugs in those workaround mechanisms...
If browsers were exclusively used for reading web pages, securing them would be so much simpler...
Because MSFT understands channel marketing. Their services, their products work with their tools. They've also fed that into the enterprise as well. Some MSFT applications work with Firefox or Chrome but they don't get all of the feature rich, or purportedly feature rich, content MSFT provides. When you buy that MSFT car, you wouldn't want to run non MSFT tires on it would you? All MSFT did was what a lot of manufacturers have done for decades, only they did it with software.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
This is, of course, if the vulnerabilities found can be accurately reproduced at an acceptable success rate. The original message on the mailing list mentions multiple times that software vendors found the bugs to be very hard to reproduce. It may be that the conditions needed for the bug to present itself are scarce enough that no malware programmer will opt to take that path, but, of course, now I've entered a realm of maybes and whatifs, so anything goes.
Oh, right. Forgot about that one, sorry.
*holds up geek card* So where do I turn in this thing?
Funny, I have never even seen Ford brand tires, gas, oil, air filters, etc., etc.
> Why is ANYONE with half a brain still using Microsoft browsers?
Why is anyone with half a brain still using any Microsoft software at all?
People with half a brain should be using Linux instead?
"I like to lick butts!" by MobileTatsu-NJG
And after much follow up in late December MS finally acknowledged that they were reproducible with the July version of the tool.
Basically this guy gave them over six months to fix the bugs, they bullshitted around and fixed one or two faults, then on the eve of his release of the tool (when all other affected vendors had worked closely with him to fix all the faults) MS tried to state that it was only the latest version of his tool that caused the majority of the bugs. The author said if this was the case he would hold off on release, but after testing found MS to still have a good supply of bullshit left (the flaws showed up with the older tool, which MS eventually conceded) so he released it on the date he said, January.
Once again MS not willing or just plain not wanting to work with a security expert and then said expert doesn't buy their crap and releases on the schedule set.
...
I'm amazed the pop-under problem still hasn't been addressed in MSIE nor, more surprisingly, in Firefox - even at the highest security settings, pop-unders, such as the Netflix and screensaver ones, still get through - a potential security flaw.
I've searched the bug reports for Firefox in the past and pop-unders rank high on problems that people want fixed, and yet still aren't - seems to me if pop-up windows can be blocked, why can't pop-under windows?
Pop-up windows are still a problem in Firefox. Websites have devised new ways to pop up annoying windows that Firefox apparently isn't able to block (as of FF4 beta 8).
It's not new; those popups are being delivered through Flash, rather than JavaScript.
Adult Role Playing Forum
So here's one for you that's maybe a bit more contemporary. You wouldn't want to run that app on your iPhone unless it came from the App Store, now would you? Because Apple knows better than you, things are put in place to prohibit you from downloading that app. Just ask Mark Fiore about that one. Because "we" control the channel, the entire distribution chain, we then control the product and we can force you to take what we want to give you.
All of this has been done before and to a much greater extent in the past. People nowadays think that it's something new to have this kind of bundling and tied product design with supporting Channel Marketing strategies employed, it's not. The Software and Electronics Industries have just caught on is all. Just like Region codes in DVDs for that matter.
Of course you can run MSFT Sharepoint apps with Firefox, but it doesn't give you the full "robust" effect does it? Enterprises want the functionality that they pay for and are willing to put up with that argument because they're buying a solution, a COTS product. Because of that, they then mandate IE in the enterprise because they don't want to deal with heterogeneous environment support issues and so that the apps they test and deploy will work. Diversity in IT costs money. Now all of their thousands of PCs are running IE because "MSFT says so."
Here's another one:
Have you tried to run Outlook Web Express (Exchange) on Firefox? How about the same app on IE? Are they the same experience? Hell no.
People at Home want that easy-to-use experience and although I can't say how many folks are still running Windows XP I'd venture to say it's still more than run Windows 7. They don't want their kids coming to them and telling them that Fallout Vegas doesn't work on that PC that's 5 years old. They just want it to work for them and their kids. On that computer there rests a copy of IE, probably IE 6 because it lets the kids get onto Disney.com and Mom can get her latest Oprah Content. Couple that with the fact that Microsoft isn't supporting XP anymore and you have a bigger problem because you didn't buy that MSFT upgrade path yet where you get the new service plan, warranty and all the new features.
So, you wouldn't want to run non MSFT tires on that MSFT car you just bought, now would you?
Never states?
Did you actually read the article?
December 28, 2010: I investigate code changes between July and December, and conclude they are unlikely to have a substantial effect. I confirm this by re-running the July 29 fuzzer and hitting the same condition as listed in #5. I notify MSRC and reaffirm my plan to release in the first week of January.
and
December 29, 2010: Response from MSRC confirms that these crashes are reproducible with the July 29 fuzzer; unclear why they were unable to replicate them earlier, or follow up on the case.
He stated it and Microsoft confirmed it.
The ringing of the division bell has begun... -PF
Once again MS not willing or just plain not wanting to work with a security expert and then said expert doesn't buy their crap and releases on the schedule set.
It's not that Microsoft doesn't want to work with security experts, it's just that they don't have any money for that ;-)
We're not talking about IE6, and this isn't 2003. It's time to update your prejudices. IE9 is a decent standards-conforming browser.
You say that, but even compared with the current generation of browsers, IE9 is usually ranked towards the bottom, and it is not even released yet. Once that happens, it will have to compete with Firefox 4, Opera 12 (I guess) and Chrome developing at insane speeds. Microsoft has promised to catch up with IE7, and again with IE8, and again with IE9. But it seems that is all they are doing: playing catch up.
If I understand correctly, these are worse, since they affect browsers automatically while loading a badly corrupt (fuzzed) page.
I'm afraid you don't understand correctly at all. The fuzzing is only part of the browser testing process, delivering a 'fuzzed' page is not an attack on its own. The fuzzing process is a kind of long-running randomized stress-test that throws literally millions of different random scenarios at the software and in the process reveals bugs / vulnerabilities. Once the vulnerabilities are revealed and understood, they can then be exploited by more targeted attacks (which are not 'fuzzed' at all), which can include far more serious payloads.
Fuzzing is a standard software testing process, and if you ask me, this is something any serious browser developer should be doing internally already - that's their JOB as browser developers, it's a little disturbing that they wait for guys like Mr Zalewski to do their jobs for them --- honestly I hope they're at least paying him market value for the labor at the rates it would've cost them to hire someone to do this in-house. The value of this testing to them is gold, as they can basically be delivered a list of probably previously unknown bugs; this is pretty skilled work.
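As an added illustration of the process described in the comment above (this is not code from the mailing-list post, the fuzzer it announced, or any browser vendor): a seed-driven fuzz loop in Python against a constructed stand-in parser, showing how random cases reveal crash buckets and why recording the seed, rather than the generated page, gives the clean, deterministic repros the original post says were hard to obtain. All names (toy_parse, generate_case, run_case, fuzz) and the two seeded bugs are my own assumptions.

```python
import random
import traceback

TAGS = ["div", "span", "p", "b", "table", "tr", "td"]

def toy_parse(doc):
    # Constructed stand-in for a browser tokenizer; two spots are left
    # unguarded on purpose so the harness has real bugs to find.
    stack = []
    for chunk in doc.split("<")[1:]:
        tag = chunk[:chunk.index(">")]   # ValueError if '>' is missing
        if tag.startswith("/"):
            stack.pop()                  # IndexError on a stray close tag
        else:
            stack.append(tag)
    return len(stack)                    # tags still open at end of input

def generate_case(seed):
    # Each page is a pure function of its seed, so a crash is replayed from
    # the seed alone instead of from a saved page (the "clean repro" problem).
    rng = random.Random(seed)
    parts = []
    for _ in range(rng.randint(1, 12)):
        tag, roll = rng.choice(TAGS), rng.random()
        if roll < 0.45:
            parts.append(f"<{tag}>")
        elif roll < 0.85:
            parts.append(f"</{tag}>")
        else:
            parts.append("<" + tag[:rng.randint(0, 3)])   # truncated tag
    return "text".join(parts)

def run_case(seed):
    # None on a clean run, else "ExceptionType@line": the crash bucket key.
    try:
        toy_parse(generate_case(seed))
        return None
    except (IndexError, ValueError) as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return f"{type(exc).__name__}@{frame.lineno}"

def fuzz(master_seed, iterations):
    # Map each distinct crash bucket to the first seed that hit it.
    rng, found = random.Random(master_seed), {}
    for _ in range(iterations):
        seed = rng.getrandbits(32)
        sig = run_case(seed)
        if sig is not None:
            found.setdefault(sig, seed)
    return found
```

Re-running run_case on a stored seed returns the same bucket key every time, which is the property a vendor needs before it can confirm or dispute a reported crash.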