Security Researcher Finds Hundreds of Browser Bugs
An anonymous reader writes "PC Magazine reports on a very understated late night post to the full-disclosure mailing list, in which security researcher Michal Zalewski shared a fuzzing tool reportedly capable of identifying over a hundred browser bugs. Some of these bugs, he says, may be already known to third parties in China. The report also includes an account of how browser vendors fared fixing these flaws so far. Not surprisingly, Microsoft's response timeline appears depressing."
Why just China? If they are known to third parties, chances are there are a lot more people that know than just China, and China is not that high on the list of people to fear on this. Why the emphasis here?
It comes preinstalled with the OS, it doesn't need any configuring (or, if needed, it syncs automatically with settings on a domain controller) and, for tasks actually needed in an office setting, it works.
No, it isn't "good" by any stretch of the word, but switching to a different browser is definitely not high up on the list of needed IT changes.
And what if we put the VM... into ANOTHER VM? :O
Momentum. A browser in operation tends to stay in operation unless acted upon by an outside IT consultant.
...maybe not very serious, nothing a program restart wouldn't fix, but still - damage.
I'm sorry, what?
Most browsers don't run in a particularly well secured sandbox. Sure there are additional security features, but the majority of people today still seem to be running (1) outdated browsers (2) as administrators (3) without any clue whatsoever regarding security.
A security flaw exposed from this fuzzer could easily end up being a major trojan outbreak. Not exactly something you fix by restarting Firefox...
Home users, no idea. Ignorance and apathy I suppose.
Corporate? ActiveX controls, trivial to keep up to date with WSUS, even when the user is non-admin and a firewall is blocking most outside downloads, accepts loads of configuration options from Active Directory Group Policies, etc.
That runs into the convenience problem: Downloading pictures, files, executables, etc. and printing stuff are ridiculously common use cases for browsers. So too is the old 'opening a link in some other program in a browser'. Thus, any sort of security mechanism that makes those more of a pain will run into user resistance. Any sort of security mechanism that initially blocks those and then introduces a bunch of workarounds (shared filesystem location between VM and computer, virtual printer in VM mapping to real spooler, some sort of local process that catches URLs and passes them into the sandbox, etc.) also raises the possibility of serious bugs in those workaround mechanisms...
If browsers were exclusively used for reading web pages, securing them would be so much simpler...
Because MSFT understands channel marketing. Their services, their products work with their tools. They've also fed that into the enterprise as well. Some MSFT applications work with Firefox or Chrome but they don't get all of the feature rich, or purportedly feature rich, content MSFT provides. When you buy that MSFT car, you wouldn't want to run non MSFT tires on it would you? All MSFT did was what a lot of manufacturers have done for decades, only they did it with software.
> Why is ANYONE with half a brain still using Microsoft browsers?
Why is anyone with half a brain still using any Microsoft software at all?
People with half a brain should be using Linux instead?
This might help explain at least part of the difficult communication with Microsoft.
But not Mozilla, the Webkit team and Opera?
And after much follow up in late December MS finally acknowledged that they were reproducible with the July version of the tool.
Basically this guy gave them over six months to fix the bugs, they bullshitted around and fixed one or two faults, then on the eve of his release of the tool (when all other affected vendors had worked closely with him to fix all the faults) MS tried to state that it was only the latest version of his tool that caused the majority of the bugs. The author said if this was the case he would hold off on release, but after testing found MS to still have a good supply of bullshit left (the flaws showed up with the older tool, which MS eventually conceded) so he released it on the date he said, January.
Once again MS not willing or just plain not wanting to work with a security expert and then said expert doesn't buy their crap and releases on the schedule set.
I'm amazed the pop-under problem still hasn't been addressed in MSIE nor, more surprisingly, in Firefox - even at the highest security settings, pop-unders, such as the Netflix and screensaver ones, still get through - a potential security flaw.
I've searched the bug reports for Firefox in the past and pop-unders rank high on problems that people want fixed, and yet still aren't - seems to me if pop-up windows can be blocked, why can't pop-under windows?
Pop-up windows are still a problem in Firefox. Websites have devised new ways to pop up annoying windows that Firefox apparently isn't able to block (as of FF4 beta 8).
It's not new, those popups are being delivered through Flash, rather than javascript.
Just to be fucking honest...
His tool only found a few bugs ("several") in Internet Explorer, found about two dozen in Webkit ("some" problems still unfixed), about 60 bugs in Mozilla ("several" still unfixed), and that for Opera some of the bugs aren't fixed ("several").
So what we see here is that of the browsers, Internet Explorer didn't have nearly as many problems identifiable by his tool as the others to begin with, and that it still doesn't have more than the other browsers now even after all parties had 6 months.
Could it be that all of the remaining bugs for all of the browsers require good reproducibility to address reasonably? Could it be that the person you replied to is correct, rather than that your "but not mozilla, webkit team and opera?" bullshit is just that, bullshit?
Never states?
> Once again MS not willing or just plain not wanting to work with a security expert and then said expert doesn't buy their crap and releases on the schedule set.
It's not that Microsoft doesn't want to work with security experts, it's just that they don't have any money for that ;-)
But there are a couple of BIG differences between IE and the others that mean they should always be looked at with more suspicion and scorn, and I'm a Windows guy. 1.-Refusing to backport IE 9 to XP means you are gonna have hundreds of millions of IE installs running on old versions, 2.- Thanks to their idiotic "Hey lets all run as admin!" design of XP when combined with IE just increases the risk of nasty, and 3.- the webkit based browsers, such as Chrome, Dragon, Safari, SWIron, etc at least attempt to sandbox the browser, whereas MSFT to kill off competition buried IE deeply into the system making IE the more dangerous choice.
Finally since you read TFA you would see that while the others kept working with the writer MSFT closed the ticket and cut off communication right up to when he said he would release even though the writer was able to replicate the bugs with the July tool and so was MSFT. Then when he was ready to release did they begin talking about "PR nightmare" instead of actually seeming concerned with the security of their browser. Let's be honest folks, IE was nothing but a tool to kill Netscape and once it had accomplished its goal it was left to rot. You had millions infected thanks to their lax treatment of security via IE 6, and they are just now trying to get to where everyone else was a year ago. Considering your browser is the closest your OS gets to being "bare metal" with the wild and woolly Internet, trusting your machine to a browser that is only updated on patch Tuesday unless something completely embarrassing hits is more than a little nuts.
One of the nice things we have today is plenty of free choices in that department and thanks to the scourge of "This site requires IE" being all but a distant memory getting folks away from IE has never been easier. Just send them to Ninite and tell them which box to check. It is really just that easy. But trusting the weakest part of your security to a browser that always seems to be a day late, a dollar short, and has the biggest bullseye painted on it? There is a good reason to always assume the worst when it comes to IE, it is because that has been time and time again what you got.