We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
 
74,953 News Articles

A bug a day promised by hacker

Toys out of the pram

HD Moore, the hacker behind the Metasploit toolkit, has promised to publish details on one browser vulnerability per day for the month of July.

He began publishing software that demonstrates bugs in a variety of web browsers on 1 July. He has called his effort the Month of Browser Bugs.

Moore said he decided to do the month of bugs in order to show the kinds of results he's generated using a variety of automated security testing tools known as 'fuzzers'.

"This information is being published to create awareness about the types of bugs that plague modern browsers and to demonstrate the techniques I used to discover them," Moore said in a Sunday blog posting.

The Month of Browser Bugs code does not include details that would allow attackers to run unauthorised code on a victim's machine, Moore said.

To date, the security researcher has published information on bugs he found in Internet Explorer, Firefox and Apple's Safari browser.

Microsoft has had an advance look at the bugs, and some of them can cause the browser to crash, said Stephen Toulouse, security program manager with Microsoft's security response centre. Others have been fixed in previous security updates, he said.

Some of the bugs were fixed in Microsoft's recent MS06-021 security update, Moore said in an email interview. However, the actual details of these bugs have not been made public, he said.

The relationship between Microsoft and Moore – a speaker at Microsoft's home-grown Blue Hat hacker conference – has been strained of late. Two weeks ago, the security researcher blasted Microsoft for implying that he had been irresponsible in his disclosure of another Microsoft flaw – this one concerning a recently patched vulnerability in the Rasman (Remote Access Connection Manager) service used by Windows to create network connections over the telephone.

Moore published his code nine days after the bug was patched, but Microsoft criticised the disclosure, saying it came too soon.

This criticism did not sit well with Moore. "Microsoft is doing themselves a disservice by asking for vulnerability information on one hand and then condemning the folks who provide it with the other," he said in a blog posting, adding that the software vendor "obviously has some communication issues to resolve".

Thirty-one new browser bugs will certainly get Moore some attention, but the disclosures are not going to suddenly make the web less safe for people who "practise reasonably safe surfing" and avoid suspicious websites, said Russ Cooper, a senior information security analyst at Cybertrust.

"Saying we are at risk due to browser vulnerabilities is akin to saying we are at risk due to being in a car," he said. "Yes, this is true, but you can certainly reduce the risk of harm while in a car through reasonable knowledge, use, and maintenance. The same is true with browsers."


IDG UK Sites

Samsung Gear 2 review: Classy Tizen smartwatch is too expensive

IDG UK Sites

Eight possible names for the next version of Mac OS X: What will Apple call the follow-up to Maveri?......

IDG UK Sites

Why our gadgets will kill us all: bleating notifications, too many chargers and the proliferation...

IDG UK Sites

Inside Twitter's new design and ad offerings