Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs (bleepingcomputer.com)

Posted by BeauHD on from the testing-in-progress dept.

An anonymous reader writes from a report via Bleeping Computer: The Project Zero team at Google has created a new tool for testing browser DOM engines and has unleashed it on today's top five browsers, finding most bugs in Apple's Safari. Results showed that Safari had by far the worst DOM engine, with 17 new bugs discovered after Fratric's test. Second was Edge with 6, then IE and Firefox with 4, and last was Chrome with only 2 new issues. The tests were carried out with a new fuzzing tool created by Google engineers named Domato, also open-sourced on GitHub. This is the third fuzzing tool Google creates and releases into open-source after OSS-Fuzz and syzkaller. Researchers focused on testing DOM engines for vulnerabilities because they expect them to be the next target for browser exploitation after Flash reaches end-of-life in 2020.

2 of 105 comments (clear)

  1. Re:Simple Fix by amiga3D · · Score: 3, Interesting

    It's gotten to the point I do banking on a distro I run off a thumb drive on my laptop. It's designed for security from the ground up and that is the only thing I use it for. As to surfing the web and everything else I don't worry too much and just use the standard Ubuntu on the hard drive.

  2. Re:What an impartial study! by swillden · · Score: 5, Interesting

    Fuzzers are pretty impartial, and I don't find it hard to believe that the Chromium/Chrome team is the best at security.

    Also, I know a couple of people on the Project Zero team, and they treat Google absolutely different from anyone else. They attack everything, regardless of origin, with equal gusto and skill and have a strict, no-exceptions-ever 90-day public disclosure policy. I work on Android and Project Zero has even 0day'd us a couple of times, publishing existing vulns in Android that we haven't gotten fixed within the 90 day window.

    It's interesting working with PZ team members directly because even though they're Google employees, they are not subject to the standard employee NDA. More than one time I've had one of them stop me mid-sentence to remind me that they are not allowed to hear non-public information... and that if I tell them anyway they are not obligated to keep it secret.

    Project Zero is employed by Google, but that means nothing to them. And, strangely enough, Google is totally fine with that.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.