July is Browser Bug Month to Researcher

SAN FRANCISCO -- The creator of a widely used hacking tool has promised to publish details on one browser vulnerability per day for the month of July.

HD Moore, the hacker behind the Metasploit toolkit, began publishing software that demonstrates bugs in various Web browsers on July 1. He has dubbed his effort the Month of Browser Bugs.

Why?

Moore said that he decided to embark on the project to show the kinds of results he has generated by using a variety of automated security testing tools known as "fuzzers."

"This information is being published to create awareness about the types of bugs that plague modern browsers and to demonstrate the techniques I used to discover them," Moore said in a Sunday blog posting.

The Month of Browser Bugs code does not include details that would allow attackers to run unauthorized code on a victim's machine, Moore said.

So far, the security researcher has published information on bugs that he found in Internet Explorer, Firefox, and Apple's Safari browser.

Microsoft has had an advance look at the bugs, some of which can cause the browser to crash, said Stephen Toulouse, security program manager with Microsoft's security response center. Others have been fixed in previous security updates, he said.

In an e-mail interview, Moor said that, while Microsoft fixed some of the bugs with its recent MS06-021 security update, "the actual details of these bugs have not been made public."

Strained Relationship

The relationship between Microsoft and Moore--a speaker at Microsoft's home-grown Blue Hat hacker conference--has been strained of late. Two weeks ago, the security researcher blasted Microsoft for implying that he had acted irresponsibly in disclosing a Microsoft flaw involving a recently patched vulnerability in the Remote Access Connection Manager service, which Windows uses to create network connections over the telephone.

Moore published his code nine days after the bug was patched, but Microsoft criticized the disclosure, saying that it came too soon.

This criticism did not sit well with Moore. "Microsoft is doing themselves a disservice by asking for vulnerability information on one hand and then condemning the folks who provide it with the other," he said in a blog posting, adding that the software vendor "obviously has some communication issues to resolve."

What This Means to You

Providing details about 31 new browser bugs will certainly attract attention, but Moore's disclosures won't suddenly make the Web more dangerous for people who "practice reasonably safe surfing" and avoid suspect Web sites, said Russ Cooper, a senior information security analyst at Cybertrust.

"Saying we are at risk due to browser vulnerabilities is akin to saying we are at risk due to being in a car," he said via instant message. "Yes, this is true...but you can certainly reduce the risk of harm while in a car through reasonable knowledge, use, and maintenance. The same is true with browsers."

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon