Feeds

Browser crashers warm to data fuzzing

IE under attack

Security for virtualized datacentres

Security researchers have targeted browsers with fuzzing tools in the past. In 2004, Michal Zalewski released a tool that mangled HTML code and produced frequent crashes on browsers other than Microsoft's Internet Explorer. Another researcher, Shane Hird, targeted the Windows Component Object Model (COM) and ActiveX controls using a fuzzer, finding other security issues with Internet Explorer.

"For the most part, security people have stayed away from browser bugs," Moore said. "You can't go into a company at three in the morning and exploit all their desktops. You have to have the user involved."

Browser flaws have become more important to attackers, because they allow them to slip by a network's more secure network defenses and attack the internal systems, which are generally less well guarded, said Window Snyder, chief technology officer for security start-up Matasano and a former security strategist for Microsoft.

"There are so many ways to get past the perimeter and once you are in, it's an open field," Snyder said. "Internal applications have not been audited with the same rigor as core external applications."

The change in focus leaves system administrators having to worry about which of their desktop applications have been well audited, she said.

"We have to worry about vulnerabilities in Notepad - that is now considered a product that can affect your security," Snyder said.

Yet, fuzzing tools can, and should be, used for defense, nCircle's Keanini said. In many ways, fuzzers bring the same automated code checking capabilities as the static code checkers that are now being used with greater frequency by companies to audit their program code. And company administrators who decline to check a program do so at their own risk, because program complexity - and the number of vulnerabilities - has skyrocketed, he said.

"It used to be that the client was twenty times smaller than the server," Keanini said. "That's not the case anymore. There are clients that are bigger than operating systems - it's grotesque. There is nothing thin about the client anymore."

For his part, Moore has already tired of trying out fuzzing techniques, but he may try coding one more, he said. Almost every browser has plug-ins to handle Adobe's Flash format, and the security researcher said he wonders about the code's security.

"These are plug-ins that are installed by default, and no one has really taken a look at a corrupted Flash generator," he said.

Soon, that may not be true.

This article originally appeared in SecurityFocus

Copyright © 2006, SecurityFocus

Update

Microsoft's statement was added to the article late Wednesday, following the company's response to SecurityFocus's request for comment. The original article was posted at 8am PST.

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.