91 Comments
- inactive, on 10/12/2007, -7/+64
Of what year?
- Grimdotdotdot, on 10/12/2007, -28/+75
M$? What is this, Slashdot? Or 1995?
- Winters, on 10/12/2007, -4/+51
Direct Link: http://browserfun.blogspot.com/
- tzmguitarist, on 10/12/2007, -33/+62
How will M$ respond? They'll call it a feature.
- Grimdotdotdot, on 10/12/2007, -8/+28
How about 'Microsoft'?
- Terc, on 10/12/2007, -2/+22
This will be an interesting site to watch over the next month. Thanks for the link.
- boomerxl, on 10/12/2007, -6/+24
Isn't that kind of an irresponsible thing for a security firm to be doing? I know that the exploits are Microsoft's problem, but HD Moore is just trying to show how big and clever they are.
- henrik.falk, on 10/12/2007, -2/+19
It seems most of the vulnerabilities that they have "released" so far were already known.
- nTensify, on 10/12/2007, -6/+20
They'll wait until August and patch them all at once, of course.
- wyfflemunky, on 10/12/2007, -0/+12
"HD Moore should give Microsoft a grace period to fix these before releasing them to the general public since in the end this isn't about Microsoft, or how fast they can fix them, but rather about the end users who are constantly exploited. Sure, they should just switch browsers but your average computer users just don't know there are alternatives."
A number of these were reported to Microsoft (or the owner of the browser in question) officially quite some time ago (March 6th this year). Go read the page. http://browserfun.blogspot.com/
- jav1231, on 10/12/2007, -1/+12
Okay here's one: IE walks into a bar and orders a beer and a mop! Get it? See it has so many holes that when it drinks the beer it needs a....ARGH! I give up!
- inactive, on 10/12/2007, -4/+15
First of all, there are 6 exploits (today being the 6th) but not a single one of them is new.
Second, description misleads by asking "how will Microsoft respond" when this is about all browsers, not just IE.
Buried as lame since these are known exploits and the title description was intentionally misleading to spark MS flames.
All that was missing was "AMAZING"
- silenceHR, on 10/12/2007, -0/+11
FF one was patched in 1.5.0.3.
- wvdavis, on 10/12/2007, -1/+10
@ moochfish - I believe that FF will make more of a concerted effort on fixing the exploits than MS. After all, isn't that what they are trying to achieve here?
- Thud, on 10/12/2007, -3/+12
The site lists new BROWSER exploits every day. Not just IE exploits.
There's already one for Safari, and one for Firefox as well. Certainly IE will have most of the entries, but at least other browsers get to join in on some of the fun. :-)
- furyg3, on 10/12/2007, -0/+9
How will they respond? Probably the way they always respond: by releasing a patch which only covers 5 of them on the second Tuesday of August.
- sbrown123, on 10/12/2007, -7/+15
HD Moore should give Microsoft a grace period to fix these before releasing them to the general public since in the end this isn't about Microsoft, or how fast they can fix them, but rather about the end users who are constantly exploited. Sure, they should just switch browsers but your average computer users just don't know there are alternatives.
- anorris, on 10/12/2007, -0/+8
Maybe in IE, but Firefox does detect infinite JS loops and lets you choose to stop them after a short period of time.
- pwhiteh, on 10/12/2007, -0/+6
There's nothing irresponsible here except the original poster. If you look at http://browserfun.blogspot.com/, you'll see that the first IE bugs were reported back in early March. Browserfun is only making one bug public per day, it doesn't appear they are hiding anything.
- Skates, on 10/12/2007, -0/+6
Actually all the exploits have not been Microsoft only, a Safari exploit and a Mozilla exploit have also been posted to date:
MoBB #5: DHTML setAttributeNode()
MoBB #4: Mozilla Firefox DesignMode
- nofxjunkee, on 10/12/2007, -0/+6
Look they're describing bugs about Safari, IE and Firefox. Just because IE has considerably more bugs doesn't mean they're only targeting MS. This looks like an attempt to wake people up about browser issues, unfortunately they're preaching to the choir (as usual).
- inactive, on 10/12/2007, -3/+8
Is it not possible to force someone to restart their browser by simply
while(true)
alert('Hahahah');
on the body onload event?
Anyway will be interesting to see if MS do anything about it.
- kenadak, on 10/12/2007, -1/+6
This space intentionally left blank due to horribly bad pun.
- inactive, on 10/12/2007, -4/+9
@goatrandy
I really would have thought people would have realized by now that if Firefox had a 90% market share then vulnerabilities would be found in it maybe just as often as IE. In a perfect world there would be a good proportion of the world's population using 4 or 5 good browsers therefore reducing the likelihood of one huge flaw taking everyone down. Shame OEMs (like Dell) seem to be happy installing 100 trial versions of software on their machines without ever thinking about delivering an alternative browser.
- moochfish, on 10/12/2007, -1/+6
Simply untrue. Take 2 minutes to read through the comments in the exploit posts.
- darthsnoopy, on 10/12/2007, -3/+7
Reporting this as lame for 3 reasons:
1. not a direct link (direct link is: http://browserfun.blogspot.com/ )
2. The article linked to states "here's the interesting part... just about any application crash can be turned into arbitrary code execution". Anyone that can code and has followed security exploits knows this is bull. Heap and Buffer overflows can be turned into exploits, the rest are DoS. Unless you can manipulate the EIP pointer, you aren't going to do anything with a crash worth noting. The writer of this article is clueless.
3. This blog is posting exploits to all browsers...publicly. The question isn't how MS will respond, but how will the world....the hackers, the security firms, the geeks, and those that are clueless that may get victimized by any new exploits he reveals...
luckily so far the exploits have been old lame ones. Only time will tell for the future ones
- Bradl3y, on 10/12/2007, -0/+4
10 REM Bugless Program
20 PRINT "Not all software has bugs";
30 END
- PhonicUK, on 10/12/2007, -0/+3
Notice the date at which they have been reported, some of them were nearly 2 months ago
- LoungeActx, on 10/12/2007, -0/+3
Same thing for IE although it only works half the time, but it will prompt you after 15 minutes of your computer being locked up and say "A script in this page is causing your computer to run slowly, would you like to stop it?"
- raindog469, on 10/12/2007, -0/+3
But in five of the seven cases to date (four IE6/XPSP2, one Safari), they remain unpatched.
- Grimdotdotdot, on 10/12/2007, -0/+3
You do - RTFA (and RTFC, too).
- cmiz, on 10/12/2007, -1/+4
Microsoft is notorious for using their legal teams to bury exploits by threatening people that report them with lawsuits if they are released. I know it's not the nicest thing, but this could be a good way of getting a lot of buzz out about the exploits so that either Microsoft will fix them, or people will switch over to a more secure browser.
Point: notice that the Firefox bug that was released has already been fixed? Care to guess how many of the IE ones are? I'm not an MS hater, but they have GOT to fix their software when exploits come out, and they won't unless we make them.
- CharlesDarwin, on 10/12/2007, -4/+6
"baited our breath"
fscking grammar noobs!
- jinexile, on 10/12/2007, -0/+2
Actually Dell, at least the UK division, is shipping Firefox with their computers.
Firefox has many exploits found for it, but the main difference is that they are more often than not patched long before they are a threat. Why? Transparency. Open Source's curse of anyone being able to look at the code for vulnerabilities is also its gift, many that audit the source aren't doing it to exploit users, many of them want the project to succeed and by reporting new vulnerabilities they also get a cash reward from Mozilla. What incentive is there in trying to find a vulnerability in Firefox that will more than likely be patched long before you're able to get that exploit out into the wild?
Firefox gives you a window of less than a month to exploit a user, where IE has had vulnerabilities wide open for up to a year.
- TedTschopp, on 10/12/2007, -0/+2
Not all code has bugs. Bugs are not just a way of life, they might be an acceptable trade off in non-mission critical applications, but there are ways of designing software that doesn't have bugs in it.
- skidzilla, on 10/12/2007, -0/+2
^Froze my browser for about 20 secs, didn't crash though (FF 1.5.0.4). :)
- lonekorean, on 10/12/2007, -2/+4
It's funny how this is skewed into MS hate bait. Someone says "hey, here are browser exploits" and everyone is quick to get in their shots at Microsoft. How many of you saw the Safari exploit listed, or the Firefox one, and made a fuss about those?
- gregcotten, on 10/12/2007, -0/+1
Guys RTFA. The exploits on the website exploit Safari, Firefox, and IE. The Firefox exploit crashed my Firefox browser (latest build) and I had to restart the computer.
- w00ters, on 10/12/2007, -0/+1
IMO browser exploits are somewhat proportional to user base size e.g. market share (at this point in time anyway). The more users using a piece of software the more users there are to find exploits in code. There are near countless well known and not so well known security teams working at finding bugs and exploits in IE round the clock b/c there is lots of incentive to do so.
None of the browsers have anything that makes them more secure OOTB and all of them can be configured to be extremely secure. In short one would be hard pressed to find anything advantageous security wise amongst the various browsers.
- painextremus, on 10/12/2007, -0/+1
Don't you think that by releasing these bugs, which will end up with regular users being exploited, Microsoft will have to actually fix their browser due to the endless complaints they'll receive from those users?
Their entire 'security' marketing scheme would suffer from the shame of someone releasing a bug for their browser every single day; they can't afford that. I hope they DO fix it so there is good competition again, not to mention a little more security.
- NSMike, on 10/12/2007, -1/+2
Yeesh, I didn't think diggers were that slow.
"Second Tuesday of Next Week" is another way of saying NEVER.
It's not a pun, nor a long week. It's just a really old joke, probably too old for the audience of Digg.
- wvdavis, on 10/12/2007, -0/+1
@ jrbrewin - That's right, I am special. And as your therapist tells you all the time, you're special too. Now take your warm fuzzy, run off and have a great day.
- whistles, on 10/12/2007, -0/+1
HD Moore _is_ Metasploit
- inactive, on 10/12/2007, -0/+1
i love how people get dugg down for not bashing microsoft
- ThinkFr33ly, on 10/12/2007, -1/+2
"just about any application crash can be turned into arbitrary code execution, if someone is determined enough to work at it."
This is completely false.
Most code execution exploits occur due to buffer overflows. When the buffer overflows whatever data is outside the bounds of the variable may be placed in memory which was originally intended to be a point of execution for the application. When the application goes to execute the instructions at that location it instead executes any instructions that were placed there due to the overflow.
To exploit a buffer overflow it takes a decent amount of work and a little luck.
Buffer overflows don't always cause crashes, and crashes often have nothing to do with buffer overflows.
Yes, there are other ways to cause code execution, but the VAST majority are due to buffer overflows.
In short, this statement is the worst kind of FUD.
- Zippo, on 10/12/2007, -1/+2
OS X is safer for reasons besides it being a minority, namely the well-built backbone. And IE is weaker for other reasons than being the #1 browser, namely the fact that it's integrated with the shell.
IE7 will likely be much safer than IE6, but Firefox is open-source and bugs are discovered and fixed much quicker. It's also seen as a "freedom fighter" of programs, because it's a free, well-built competitor for Microsoft.
- howie, on 10/12/2007, -0/+1
I agree with the person who said "RTFA". After all, he is not publishing browser exploits, just crash bugs.
And crash bugs aren't security vulnerabilities unless they can be exploited to run arbitrary code, which is usually not the case.
This guy is basically littering the world of security by bragging about normal crash bugs as "vulnerabilities" to get cheap PR for himself.
- cremate, on 10/12/2007, -0/+1
Or just patch bad code - one or the other.
- gukid, on 10/12/2007, -0/+1
LOL! In July? It's time to get some sun buddy.
- jaymzz, on 10/12/2007, -0/+1
One exploit a day. Isn't that a slow month?