After feud, researcher promises daily browser bugs

The creator of the Metasploit hacking tool has promised to publish details on one browser vulnerability per day for the month of July.

The creator of a widely used hacking tool has promised to publish details on one browser vulnerability per day for the month of July.

HD Moore, the hacker behind the Metasploit toolkit, began publishing software that demonstrates bugs in a variety of Web browsers on July 1. He has dubbed his effort the Month of Browser Bugs. (http://browserfun.blogspot.com/)

Moore said he decided to do the month of bugs in order to show the kinds of results he's generated using a variety of automated security testing tools known as "fuzzers."

"This information is being published to create awareness about the types of bugs that plague modern browsers and to demonstrate the techniques I used to discover them," Moore said in a Sunday blog posting.

The Month of Browser Bugs code does not include details that would allow attackers to run unauthorized code on a victim's machine, Moore said.

To date, the security researcher has published information on bugs he found in Internet Explorer, Firefox, and Apple Computer's Safari browser.

Microsoft has had an advance look at the bugs, and some of them can cause the browser to crash, said Stephen Toulouse, security program manager with Microsoft's security response center. Others have been fixed in previous security updates, he said.

Some of the bugs were fixed in Microsoft's recent MS06-021 security update, Moore said in an e-mail interview, however "the actual details of these bugs have not been made public," he said.

The relationship between Microsoft and Moore -- a speaker at Microsoft's home-grown Blue Hat hacker conference -- has been strained of late. Two weeks ago, the security researcher blasted Microsoft for implying that he had been irresponsible in his disclosure of another Microsoft flaw -- this one concerning a recently patched vulnerability in the Remote Access Connection Manager (RASMAN) service used by Windows to create network connections over the telephone.

Moore published his code nine days after the bug was patched, but Microsoft criticized the disclosure, saying it came too soon.

This criticism did not sit well with Moore. "Microsoft is doing themselves a disservice by asking for vulnerability information on one hand and then condemning the folks who provide it with the other," he said in a blog posting, adding that the software vendor "obviously has some communication issues to resolve."

Thirty-one new browser bugs will certainly get Moore some attention, but the disclosures are not going to suddenly make the Web less safe for people who "practice reasonably safe surfing" and avoid suspicious Web sites, said Russ Cooper, a senior information security analyst at Cybertrust.

"Saying we are at risk due to browser vulnerabilities is akin to saying we are at risk due to being in a car," he said via instant message. "Yes, this is true... but you can certainly reduce the risk of harm while in a car through reasonable knowledge, use, and maintenance. The same is true with browsers."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?