NewsFactor Network | Network Security
Hacker Goes Public with Unpatched Browser Bugs
By Walaika K. Haskins
July 6, 2006 2:05PM
"It doesn't really matter if Moore is doing this for publicity or to promote public safety on the Internet," said Gartner analyst Avivah Litan. "The fact remains that the browsers have too many vulnerabilities and we are all better off if Moore exposes them before the criminals exploit them."
A well-known hacker has vowed to disclose the details of at least one browser flaw every day in July as part of a project, called the Month of Bugs, that is designed to draw attention to unpatched security vulnerabilities.

Since the beginning of July, H.D. Moore, a researcher and the creator of the widely used Metasploit security toolkit, has already exposed several unpatched flaws in Internet Explorer, Firefox, and Apple's Safari.

"The vendors have been notified and the time has come to start publishing the results," Moore said in a blog posting. "This information is being published to create awareness about the types of bugs that plague modern browsers, and to demonstrate the techniques I used to discover them."

Bug Infestation

Inspired by the work of another security researcher, Moore wrote a program that could test and gauge the effect of mangled Web page code on leading Internet browsers. Hundreds of crashes later, Moore discovered several dozen flaws, including 50 in Internet Explorer alone.

While Moore has already begun to release detailed data on flaws he identified in the major Web browsers, he noted in his blog that none of the information published during the Month of Bugs would include specifics that could result in malicious attacks or enable a hacker to run unauthorized code on a remote computer.

Even so, the practice of disclosing such flaws to the general public is widely derided by the software companies, who have traditionally argued that it would be more responsible to alert the companies first so they have time to patch the software before those with malicious intent can develop exploits that take advantage of the flaws.

Andrew Jaquith, a Yankee Group analyst, pointed to feuds that have erupted between security researchers and Oracle, Microsoft, and Apple in the past three months alone.

"There will always be tension between software vendors who make large, complex, and occasionally vulnerable software products, and the researchers who find bugs in them," Jaquith explained. "This will continue, and there will never be a resolution to it."

Safety Officer

Whatever the reason, whether it is to garner attention or to educate users about the perils they face browsing the Internet, Moore's project highlights a major problem with Web browsers, said Avivah Litan, an analyst at Gartner.

"The fact remains that the browsers have too many vulnerabilities and we are all better off if Moore exposes them before the criminals exploit them," Litan said.

Litan also said she believes that the increased attention drawn to browser glitches will result in a safer environment for Web surfers because it will keep the pressure on Microsoft and other browser makers to tighten the security in their software. "Nothing is foolproof," she said. "But we need to keep raising the security bars to keep the bad guys out."

Jaquith offered a different take, saying he thinks Moore's project could give criminals access to data that will make it easier for them to exploit the flaws. The Yankee Group analyst called such full-disclosure tactics the "nuclear option."

Bad guys, Jaquith said, probably look at researchers as "useful idiots" who provide them unwittingly with free raw materials to construct malicious software.

"I don't know what H.D.'s process was -- but it looks like the details are being made public before the vendors can release corresponding patches," he said. "So I'd say, 'No, it's not responsible disclosure.'"

© Copyright 2000-2010 NewsFactor Network. All rights reserved.