Month of the Browser Bugs!
p2p news / p2pnet: Security probist H.D. Moore, the man who gave you Metasploit, has labeled July Month of the Browser Bugs.
Metasploit is an open-source tool for penetration testing and exploit development, and last month Moore drew attention to the dangers inherent in a critical Microsoft Windows security hole in the RRAS (Routing and Remote Access Service).
"Over the last few months, I have taken an interest in web browser security flaws," says Moore on his Metasploit blog.
"This interest has resulted in my collaboration on a few fuzzing tools (Hamachi, CSS-Die, DOM-Hanoi), a blog post, and a SecurityFocus article. The vendors have been notified and the time has come to start publishing the results.
"I will publish one new vulnerability each day during the month of July as part of the Month of Browser Bugs project. This information is being published to create awareness about the types of bugs that plague modern browsers and to demonstrate the techniques I used to discover them.
"Enjoy!"
Bill and the Boyz have had a chance to do just that via previews of Moore’s bugs, some of which can cause the browser to crash, the IDG News Service has Stephen Toulouse, security program manager with Microsoft’s security response centre, admitting.
"Some of the bugs were fixed in Microsoft’s recent MS06-021 security update, Moore said in an e-mail, but ‘the actual details of these bugs have not been made public’," says the story.
"Saying we are at risk due to browser vulnerabilities is akin to saying we are at risk due to being in a car," Toulouse states in the TechWorld item, adding, "Yes, this is true… but you can certainly reduce the risk of harm while in a car through reasonable knowledge, use, and maintenance. The same is true with browsers."
Meanwhile, Moore's MoBB number 6 in the series is fetchingly named "StructuredGraphicsControl SourceURL".
"The following bug was tested on the latest version of Internet Explorer 6 on a fully-patched Windows XP SP2 system," Moore posts on his MoBB blog, going on:
"This bug appears to be triggered by a call to URLOpenBlockingStream() with a NULL pointer referenced by the ppStream argument. The only way I found to trigger this bug is by creating the object through the ActiveXObject interface – using the standard object/classid syntax (as described here) does not result in a crash.
Demonstration
eax=00000000 ebx=7726d35c ecx=02481f30
edx=0013b1a4 esi=00000000 edi=00000000
eip=772ba3bc esp=0013b18c ebp=0013b1b8
urlmon!CBaseBSCB::KickOffDownload+0x7a:
772ba3bc 8b08 mov ecx,[eax] ds:0023:00000000=????????
This bug will be added to the OSVDB:
Microsoft IE DirectAnimation.StructuredGraphicsControl SourceURL NULL Dereference.
Earlier MoBBs?
# MoBB #5: DHTML setAttributeNode()
# MoBB #4: Mozilla Firefox DesignMode
# MoBB #3: OutlookExpress.AddressBook
# MoBB #2: Internet.HHCtrl Image Property
# MoBB #1: ADODB.Recordset Filter Property
Also See:
critical – Critical Microsoft exploit alert, June 27, 2006
Metasploit – Month of Browser Bugs, July 2, 2006
IDG News Service – Hacker promises month of browser holes, July 6, 2006




