Feeds

Daily flaws ratchet up debate

To disclose or not to disclose...

Protecting against web application threats using SSL

HD Moore is used to polarising the vulnerability-research community.

As the creator of the Metasploit Project, an open-source tool for automating the exploitation of vulnerabilities, Moore has had his share of contentious debates with other security professionals.

However, his latest endeavour - releasing a browser bug every day during the month of July - has raised hackles on both sides of the security equation, among the black-hat as well as white-hat researchers.

After the first week of flaws were released, one online miscreant from Russia shot off an email to Moore, complaining that he had outed a vulnerability the Russian had been exploiting, Moore said.

"The black hats don't like that the fact that this is public because they have been using these bugs," Moore said. "By dumping out the bugs on the community, I'm clearing the air and letting the good guys know what others are doing."

Yet, the release did not seem so altruistic to Microsoft, whose Internet Explorer browser suffers from the lion's share of the bugs found by Moore. The software giant indirectly criticised the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers.

"Microsoft continues to encourage responsible disclosure of vulnerabilities," the software giant said in a statement sent to SecurityFocus. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

The software giant stressed that many of the flaws merely crashed the Internet Explorer browser, while the more serious vulnerabilities were fixed in the recent MS06-021 security update.

Other browsers had fewer flaws, Moore said. He discovered some issues with Mozilla's Firefox, but the group fixed them quickly, he said. Opera's browser, at least the most recent version, stood up quite well.

"Opera 8.5 fell apart 10 different ways, but 9.0 looks pretty solid," he said.

While Microsoft and other software makers have improved their relationships with many flaw finders, other researchers have ratcheted up the pressure on the companies to fix the vulnerabilities in their systems. After finding a flaw in the online-application website of the University of Southern California, security professional Eric McCarty decided to go public with the issue to put pressure on the university and is now being prosecuted for breaching the site's security. Another researcher, David Litchfield, released descriptions of Oracle flaws, after the database maker failed to patch the issues immediately.

In the most recent case, Moore had first warned software makers of the threat posed by potential attackers using the tools, known as fuzzers. Because response to the warning seemed slow, he decided to publicly release many of the bugs, one each day in July.

The avalanche of browser flaws underscores the problems for software vendors as fuzzers become more popular. The flaw-finding programs systematically change the data sent to an application to see how the software reacts.

In many cases, bad data can cause an application to crash; other times, the application's response to the mangled data reveals underlying security flaws. HD Moore used five different fuzzers - all but one of which is publicly available - to find hundreds of vulnerabilities in the major browsers, he said.

"People now have a feeling about how things stand," Moore said. "There will be five or six tools that they can run and find out what flaws potentially could be exploited."

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.