Feeds

Browser crashers warm to data fuzzing

IE under attack

The Essential Guide to IT Transformation

Last month, security researcher HD Moore decided to write a simple program that would mangle the code found in web pages and gauge the effect such data would have on the major browsers. The result: hundreds of crashes and the discovery of several dozen flaws.

The technique - called packet, or data, fuzzing - is frequently used to find flaws in network applications. Moore and others are now turning the tool on browsers to startling results. In a few weeks, the researcher had found hundreds of ways to crash Internet Explorer and, to a lesser extent, other browsers.

In another example, it took less than an hour at the CanSecWest Conference last week for Moore and computer-science student Matthew Murphy to hack together a simple program to test a browser's handling of cascading style sheets (CSS), finding another dozen or so ways to crash browsers.

"Fuzzing is probably the easiest way to find flaws, because you don't have to figure out how the application is dealing with input," said Moore, a well-known hacker and the co-founder of the Metasploit Project. "It lets me be a lazy vulnerability researcher."

Tracing the root causes of the crashes has resulted in the discovery of more than 50 flaws in Internet Explorer, a handful of which could be used to gain control of a website visitor's Windows system, Moore said. Other browsers had far fewer flaws, but each one had at least one remotely exploitable vulnerability that could be used to exploit users' systems, Moore said.

Microsoft stressed that the issues are still under investigation.

"Microsoft's initial investigation of HD Moore's findings determined that these are stability issues and not security vulnerabilities," a spokesperson for the software giant said Wednesday. "Microsoft will, of course, continue to work closely with HD to further investigate these findings and address these issues as appropriate for our customers."

The effectiveness of fuzzing at defining quality and security issues is nothing new.

Data fuzzing, or mangling, has been used often by security and quality-control engineers to test network devices. In 2002, the University of Oulu's Secure Programming Group (OUSPG) used the techniques to find a slew of flaws in the implementation of a basic communication protocol known as Abstract Syntax Notation One, or ASN.1, on which internet protocols are based. The next year, the university used the same technique to find issues in a protocol used for internet telephony.

Targeting browsers and other client-side applications using data fuzzing, or mangling, has become another tool on the belt of security engineers. As finding and exploiting server flaws has become more difficult, some researchers are turning to client-side applications, focusing mainly on web browsers and desktop security software to date.

"Why go after the server where the safeguards are, when all this identity and data can be gotten from the client," said Timothy Keanini, chief technology officer for nCircle Network Security.

The most significant flaws discovered this year have been flaws that affected Microsoft's browser, Internet Explorer. A vulnerability in how Windows processes the Windows Meta File (WMF) format resulted in Microsoft fixing that issue in early January, ahead of schedule. On Tuesday, Microsoft issued a patch to close a critical vulnerability in Internet Explorer that had threatened users with compromise if they visited any of a few hundred malicious websites.

Build a business case: developing custom apps

Next page: Update

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.