[This was originally published on the OSVDB blog.]
By Greg Sandoval
Each day this month, a prominent security expert will highlight a new vulnerability found in one of the major Internet browsers.
HD Moore, the creator of Metasploit Framework, a tool that helps test whether a system is safe from intrusion, has dubbed July the Month of Browser Bugs. Already, the security researcher has featured five security flaws, three for Microsoft’s Internet Explorer and one apiece for Mozilla’s Firefox and Apple Computer’s Safari.
Thirty one days later, MoBB is done! By far one of the more interesting vulnerability disclosure projects we’ve seen this year. I have a strong feeling that the real ramifications won’t be realized until months later, but until someone does a more thorough analysis.. my random thoughts.
First, HDM and I chatted almost every single day during the month, mostly to coordinate the pre-assignment of OSVDB IDs for each bug. Due to the schedule I keep, it was usually easy to check the blog around midnight every night, and for 30 of the 31 days, he was right on time releasing the next bug. Only on the 31st day did he finally fall behind by a whole two hours (jeez, what a slacker!) in releasing the final bug. Ok ok, it wasn’t due to slacking, he had been working for hours trying to isolate the exact details to fully understand and document the bug he had been researching in Safari.
31 browser bugs, what’s the final breakdown?
- MSIE: 25
- Apple Safari: 2
- Mozilla: 2
- Opera: 1
- Konqueror: 1
I’ll let you make any conclusions you want. If I hadn’t posted this, we’d no doubt see at least one article saying how much more insecure MSIE is than X and this is just proof of that. Hopefully the fact I posted that last line might actually make a journalist stop and think, “why, is it something else?!” GLAD YOU ASKED! Ok not really, but there is more to it than W bugs in X browser vs Y bugs in Z browser so W must be more insecure than Y!@$#! If you can’t think of any such reasons, quit your job and go to art school.
What if he had…
- followed ‘accepted’ vulnerability disclosure guidelines? (the project would have been dubbed the YoBB?)
- sold his findings to the shops like ZDI or iDefense that pay for such information? (he’d be rich?!)
- sold his findings to a russian spam syndicate? (he’d be able to buy a new iPod?!)
- never posted a single bug in any fashion? (he and a dozen others would all be sitting on this information)
- provided even more easy point-and-drool exploitation? (we’d be reading another CNET article about the latest spyware/adware that exploited..)
Want another month of browser bugs? Yes, he could continue on into August without a problem. The amount of browser bugs is stupid. Apparently, the idea of writing a basic fuzzer is still lost on the authors. The good news, HDM will be releasing the fuzzer he used to find all these to the public. Will an insane rush of browser bugs follow? We can hope!
Want another month of browser bugs? Then do it yourself. While it may sound easy, researching each one to the degree HDM did is not easy and it isn’t fast. If you can devote between 15 minutes and 3 hours a day for 31 days, then go for it! Until then, as my friend major says, “never lick a gift whore in the mouse.”