Original URL: http://www.theregister.co.uk/2006/04/13/data_fuzzing/

Browser crashers warm to data fuzzing

IE under attack

By Robert Lemos

Posted in Security, 13th April 2006 14:58 GMT

Last month, security researcher HD Moore decided to write a simple program that would mangle the code found in web pages and gauge the effect such data would have on the major browsers. The result: hundreds of crashes and the discovery of several dozen flaws.

The technique - called packet, or data, fuzzing - is frequently used to find flaws in network applications. Moore and others are now turning the tool on browsers to startling results. In a few weeks, the researcher had found hundreds of ways to crash Internet Explorer and, to a lesser extent, other browsers.

In another example, it took less than an hour at the CanSecWest Conference last week for Moore and computer-science student Matthew Murphy to hack together a simple program to test a browser's handling of cascading style sheets (CSS), finding another dozen or so ways to crash browsers.

"Fuzzing is probably the easiest way to find flaws, because you don't have to figure out how the application is dealing with input," said Moore, a well-known hacker and the co-founder of the Metasploit Project. "It lets me be a lazy vulnerability researcher."

Tracing the root causes of the crashes has resulted in the discovery of more than 50 flaws in Internet Explorer, a handful of which could be used to gain control of a website visitor's Windows system, Moore said. Other browsers had far fewer flaws, but each one had at least one remotely exploitable vulnerability that could be used to exploit users' systems, Moore said.

Microsoft stressed that the issues are still under investigation.

"Microsoft's initial investigation of HD Moore's findings determined that these are stability issues and not security vulnerabilities," a spokesperson for the software giant said Wednesday. "Microsoft will, of course, continue to work closely with HD to further investigate these findings and address these issues as appropriate for our customers."

The effectiveness of fuzzing at defining quality and security issues is nothing new.

Data fuzzing, or mangling, has been used often by security and quality-control engineers to test network devices. In 2002, the University of Oulu's Secure Programming Group (OUSPG) used the techniques to find a slew of flaws in the implementation of a basic communication protocol known as Abstract Syntax Notation One, or ASN.1, on which internet protocols are based. The next year, the university used the same technique to find issues in a protocol used for internet telephony.

Targeting browsers and other client-side applications using data fuzzing, or mangling, has become another tool on the belt of security engineers. As finding and exploiting server flaws has become more difficult, some researchers are turning to client-side applications, focusing mainly on web browsers and desktop security software to date.

"Why go after the server where the safeguards are, when all this identity and data can be gotten from the client," said Timothy Keanini, chief technology officer for nCircle Network Security.

The most significant flaws discovered this year have been flaws that affected Microsoft's browser, Internet Explorer. A vulnerability in how Windows processes the Windows Meta File (WMF) format resulted in Microsoft fixing that issue in early January, ahead of schedule. On Tuesday, Microsoft issued a patch to close a critical vulnerability in Internet Explorer that had threatened users with compromise if they visited any of a few hundred malicious websites.

Security researchers have targeted browsers with fuzzing tools in the past. In 2004, Michal Zalewski released a tool that mangled HTML code and produced frequent crashes on browsers other than Microsoft's Internet Explorer. Another researcher, Shane Hird, targeted the Windows Component Object Model (COM) and ActiveX controls using a fuzzer, finding other security issues with Internet Explorer.

"For the most part, security people have stayed away from browser bugs," Moore said. "You can't go into a company at three in the morning and exploit all their desktops. You have to have the user involved."

Browser flaws have become more important to attackers, because they allow them to slip by a network's more secure network defenses and attack the internal systems, which are generally less well guarded, said Window Snyder, chief technology officer for security start-up Matasano and a former security strategist for Microsoft.

"There are so many ways to get past the perimeter and once you are in, it's an open field," Snyder said. "Internal applications have not been audited with the same rigor as core external applications."

The change in focus leaves system administrators having to worry about which of their desktop applications have been well audited, she said.

"We have to worry about vulnerabilities in Notepad - that is now considered a product that can affect your security," Snyder said.

Yet, fuzzing tools can, and should be, used for defense, nCircle's Keanini said. In many ways, fuzzers bring the same automated code checking capabilities as the static code checkers that are now being used with greater frequency by companies to audit their program code. And company administrators who decline to check a program do so at their own risk, because program complexity - and the number of vulnerabilities - has skyrocketed, he said.

"It used to be that the client was twenty times smaller than the server," Keanini said. "That's not the case anymore. There are clients that are bigger than operating systems - it's grotesque. There is nothing thin about the client anymore."

For his part, Moore has already tired of trying out fuzzing techniques, but he may try coding one more, he said. Almost every browser has plug-ins to handle Adobe's Flash format, and the security researcher said he wonders about the code's security.

"These are plug-ins that are installed by default, and no one has really taken a look at a corrupted Flash generator," he said.

Soon, that may not be true.

This article originally appeared in SecurityFocus

Copyright © 2006, SecurityFocus

Update

Microsoft's statement was added to the article late Wednesday, following the company's response to SecurityFocus's request for comment. The original article was posted at 8am PST.