July 03, 2006
One new browser bug a day to be released in July
Metasploit will release one new browser bug a day in July.
HD Moore of Metasploit wants to spotlight browser-based bugs. He claims, whether tongue-in-cheek I do not know, that he has enough bugs to release one a day for the next two and a half years.
http://metasploit.blogspot.com/2006/07/month-of-browser-bugs.html
Normally, I like Metasploit, but I strongly disagree with anyone who releases exploit code to the public before patches are available.
Either way, this is not good news for system admins and security folks.
There is no safe Internet browser. I frequently tell my students that once you have decided to let a workstation run an HTML browser and connect to the Internet, you have accepted a much higher risk of attack and exploitation. IE, Firefox, Safari, Netscape, Opera, Mozilla... they are all very hackable. Even Lynx (a command-line, highly unfunctional browser) has been exploited several times.
(Thanks to my MVP friend, Susan Bradley, for the heads-up.)
Posted by Roger Grimes on July 3, 2006 06:54 AM
COMMENTS
Please keep in mind that there is a difference between a proof-of-concept and a working exploit, just as there is a difference between a code execution and a denial of service flaw. The MoBB project is interested in increasing public awareness of browser-based flaws and we have no plans to publish working exploits for the MoBB entries.

The bugs we plan on publishing are almost all unexploitable denial of service flaws (NULL references, read of invalid memory, etc).

Internet Explorer 6 and 7 feature prominently, but we will also include bugs in Firefox, Safari, Opera, and Konqueror. It's a "bug a day", but not necessarily an exploit-a-day or a 0day-a-day. Some of the issues were actually patched in MS06-021, but never mentioned publicly.

Posted by: HD Moore at July 3, 2006 11:24 AM