Feeds

Daily flaws ratchet up debate

To disclose or not to disclose...

5 things you didn’t know about cloud backup

HD Moore is used to polarising the vulnerability-research community.

As the creator of the Metasploit Project, an open-source tool for automating the exploitation of vulnerabilities, Moore has had his share of contentious debates with other security professionals.

However, his latest endeavour - releasing a browser bug every day during the month of July - has raised hackles on both sides of the security equation, among the black-hat as well as white-hat researchers.

After the first week of flaws were released, one online miscreant from Russia shot off an email to Moore, complaining that he had outed a vulnerability the Russian had been exploiting, Moore said.

"The black hats don't like that the fact that this is public because they have been using these bugs," Moore said. "By dumping out the bugs on the community, I'm clearing the air and letting the good guys know what others are doing."

Yet, the release did not seem so altruistic to Microsoft, whose Internet Explorer browser suffers from the lion's share of the bugs found by Moore. The software giant indirectly criticised the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers.

"Microsoft continues to encourage responsible disclosure of vulnerabilities," the software giant said in a statement sent to SecurityFocus. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

The software giant stressed that many of the flaws merely crashed the Internet Explorer browser, while the more serious vulnerabilities were fixed in the recent MS06-021 security update.

Other browsers had fewer flaws, Moore said. He discovered some issues with Mozilla's Firefox, but the group fixed them quickly, he said. Opera's browser, at least the most recent version, stood up quite well.

"Opera 8.5 fell apart 10 different ways, but 9.0 looks pretty solid," he said.

While Microsoft and other software makers have improved their relationships with many flaw finders, other researchers have ratcheted up the pressure on the companies to fix the vulnerabilities in their systems. After finding a flaw in the online-application website of the University of Southern California, security professional Eric McCarty decided to go public with the issue to put pressure on the university and is now being prosecuted for breaching the site's security. Another researcher, David Litchfield, released descriptions of Oracle flaws, after the database maker failed to patch the issues immediately.

In the most recent case, Moore had first warned software makers of the threat posed by potential attackers using the tools, known as fuzzers. Because response to the warning seemed slow, he decided to publicly release many of the bugs, one each day in July.

The avalanche of browser flaws underscores the problems for software vendors as fuzzers become more popular. The flaw-finding programs systematically change the data sent to an application to see how the software reacts.

In many cases, bad data can cause an application to crash; other times, the application's response to the mangled data reveals underlying security flaws. HD Moore used five different fuzzers - all but one of which is publicly available - to find hundreds of vulnerabilities in the major browsers, he said.

"People now have a feeling about how things stand," Moore said. "There will be five or six tools that they can run and find out what flaws potentially could be exploited."

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.