Feeds

Daily flaws ratchet up debate

To disclose or not to disclose...

3 Big data security analytics techniques

HD Moore is used to polarising the vulnerability-research community.

As the creator of the Metasploit Project, an open-source tool for automating the exploitation of vulnerabilities, Moore has had his share of contentious debates with other security professionals.

However, his latest endeavour - releasing a browser bug every day during the month of July - has raised hackles on both sides of the security equation, among the black-hat as well as white-hat researchers.

After the first week of flaws were released, one online miscreant from Russia shot off an email to Moore, complaining that he had outed a vulnerability the Russian had been exploiting, Moore said.

"The black hats don't like that the fact that this is public because they have been using these bugs," Moore said. "By dumping out the bugs on the community, I'm clearing the air and letting the good guys know what others are doing."

Yet, the release did not seem so altruistic to Microsoft, whose Internet Explorer browser suffers from the lion's share of the bugs found by Moore. The software giant indirectly criticised the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers.

"Microsoft continues to encourage responsible disclosure of vulnerabilities," the software giant said in a statement sent to SecurityFocus. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

The software giant stressed that many of the flaws merely crashed the Internet Explorer browser, while the more serious vulnerabilities were fixed in the recent MS06-021 security update.

Other browsers had fewer flaws, Moore said. He discovered some issues with Mozilla's Firefox, but the group fixed them quickly, he said. Opera's browser, at least the most recent version, stood up quite well.

"Opera 8.5 fell apart 10 different ways, but 9.0 looks pretty solid," he said.

While Microsoft and other software makers have improved their relationships with many flaw finders, other researchers have ratcheted up the pressure on the companies to fix the vulnerabilities in their systems. After finding a flaw in the online-application website of the University of Southern California, security professional Eric McCarty decided to go public with the issue to put pressure on the university and is now being prosecuted for breaching the site's security. Another researcher, David Litchfield, released descriptions of Oracle flaws, after the database maker failed to patch the issues immediately.

In the most recent case, Moore had first warned software makers of the threat posed by potential attackers using the tools, known as fuzzers. Because response to the warning seemed slow, he decided to publicly release many of the bugs, one each day in July.

The avalanche of browser flaws underscores the problems for software vendors as fuzzers become more popular. The flaw-finding programs systematically change the data sent to an application to see how the software reacts.

In many cases, bad data can cause an application to crash; other times, the application's response to the mangled data reveals underlying security flaws. HD Moore used five different fuzzers - all but one of which is publicly available - to find hundreds of vulnerabilities in the major browsers, he said.

"People now have a feeling about how things stand," Moore said. "There will be five or six tools that they can run and find out what flaws potentially could be exploited."

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.