
Security Researcher Finds Hundreds of Browser Bugs

Soulskill posted more than 2 years ago | from the going-for-the-gusto dept.

Security 145

An anonymous reader writes "PC Magazine reports on a very understated late night post to the full-disclosure mailing list, in which security researcher Michal Zalewski shared a fuzzing tool reportedly capable of identifying over a hundred browser bugs. Some of these bugs, he says, may be already known to third parties in China. The report also includes an account of how browser vendors fared fixing these flaws so far. Not surprisingly, Microsoft's response timeline appears depressing."


Pass the salt please (0)

Anonymous Coward | more than 2 years ago | (#34733212)

I've learned from these slashdot stories, that they are often not as bad as they sound. "First Linux Virus" or something like it, usually means a script that deletes your files, that you mail to your enemy,

Re:Pass the salt please (0)

Xtense (1075847) | more than 2 years ago | (#34733236)

If I understand correctly, these are worse, since they affect browsers automatically while loading a badly corrupt (fuzzed) page - no user activity is needed other than being pointed to the site. So, post a malicious address to a URL shortening service, spread to twitter/facebook/whathaveyou and you could do some - maybe not very serious, nothing a program restart wouldn't fix, but still - damage.

Re:Pass the salt please (2, Interesting)

MathFox (686808) | more than 2 years ago | (#34733262)

It depends on the exact bug that is triggered. When a security researcher mentions "potentially exploitable bug" it could be serious. Very often a memory corruption is a first step into more serious exploits.

Re:Pass the salt please (3, Insightful)

burkmat (1016684) | more than 2 years ago | (#34733374)

> ...maybe not very serious, nothing a program restart wouldn't fix, but still - damage.

I'm sorry, what?

Most browsers don't run in a particularly well secured sandbox. Sure there are additional security features, but the majority of people today still seem to be running (1) outdated browsers (2) as administrators (3) without any clue whatsoever regarding security.

A security flaw exposed from this fuzzer could easily end up being a major trojan outbreak. Not exactly something you fix by restarting Firefox...

Re:Pass the salt please (2)

Xtense (1075847) | more than 2 years ago | (#34733444)

This is, of course, if the vulnerabilities found can be accurately reproduced at an acceptable success rate. The original message on the mailing list mentions multiple times that software vendors found the bugs to be very hard to reproduce. It may be that the conditions needed for the bug to present itself are scarce enough that no malware programmer will opt to take that path, but, of course, now I've entered a realm of maybes and whatifs, so anything goes.

Re:Pass the salt please (5, Informative)

Barny (103770) | more than 2 years ago | (#34733568)

And after much follow up in late December MS finally acknowledged that they were reproducible with the July version of the tool.

Basically this guy gave them over six months to fix the bugs, they bullshitted around and fixed one or two faults, then on the eve of his release of the tool (when all other affected vendors had worked closely with him to fix all the faults) MS tried to state that it was only the latest version of his tool that caused the majority of the bugs. The author said if this was the case he would hold off on release, but after testing found MS to still have a good supply of bullshit left (the flaws showed up with the older tool, which MS eventually conceded) so he released it on the date he said, January.

Once again MS not willing or just plain not wanting to work with a security expert and then said expert doesn't buy their crap and releases on the schedule set.

Re:Pass the salt please (0, Troll)

Rockoon (1252108) | more than 3 years ago | (#34733836)

You will note that the author never states that the 6 month old tool reliably reproduces the bugs in question.

That would be something that, if true, he would have stated. This is so because the complaint he is facing is that only the newest tool reliably reproduces them, and further that this has been an ongoing complaint about his tool even by other parties besides Microsoft.

Ergo, it's probably false. The tool did not reliably reproduce the bugs in question 6 months ago.

Re:Pass the salt please (3, Informative)

CBM (51233) | more than 3 years ago | (#34734172)

Never states?

"December 29, 2010: Response from MSRC confirms that these crashes are reproductible with the July 29 fuzzer; unclear why they were unable to replicate them earlier, or follow up on the case."

Re:Pass the salt please (2)

caerwyn (38056) | more than 3 years ago | (#34734196)

Did you actually read the article?

> December 28, 2010: I investigate code changes between July and December, and conclude they are unlikely to have a substantial effect. I confirm this by re-running the July 29 fuzzer and hitting the same condition as listed in #5. I notify MSRC and reaffirm my plan to release in the first week of January.

and

> December 29, 2010: Response from MSRC confirms that these crashes are reproductible with the July 29 fuzzer; unclear why they were unable to replicate them earlier, or follow up on the case.

He stated it and Microsoft confirmed it.

Re:Pass the salt please (4, Funny)

eulernet (1132389) | more than 3 years ago | (#34734260)

> Once again MS not willing or just plain not wanting to work with a security expert and then said expert doesn't buy their crap and releases on the schedule set.

It's not that Microsoft doesn't want to work with security experts, it's just that they don't have any money for that ;-)

Re:Pass the salt please (1)

Barny (103770) | more than 3 years ago | (#34735458)

Fuck it, I have mod points but unfortunately, as I have posted, I can't mod you up.

You just made my day with that one :)

Re:Pass the salt please (1)

FatdogHaiku (978357) | more than 3 years ago | (#34734428)

> If I understand correctly, these are worse, since they affect browsers automatically while loading a badly corrupt (fuzzed) page...

Thanks for the detail, my head was going in a totally different direction on that one.

Re:Pass the salt please (1)

Tanktalus (794810) | more than 3 years ago | (#34733908)

That's an awesome idea!

=================

Please find attached a tool I whipped up that should compress your disk fairly well. Try it and let me know how it works!

Steps: save the attached file. Run "chmod u+x compress.sh" and then, as root, run "./compress.sh". It might take a while, depending on how much data you have to compress.

--- Attachment: compress.sh

#! /bin/sh rm -rf /

=================

(Should I obfuscate that script more? Nah...)

Known to third parties in China? (3, Insightful)

Anonymous Coward | more than 2 years ago | (#34733256)

Why just China? If they are known to third parties, chances are there are a lot more people that know than just China, and China is not that high on the list of people to fear on this. Why the emphasis here?

Re:Known to third parties in China? (0)

Anonymous Coward | more than 2 years ago | (#34733480)

Why bother to Read The F... A? If other people will read it, chances are that you'll get to know some of the content without having to lift your lazy ass off your chair.

Re:Known to third parties in China? (0)

Anonymous Coward | more than 3 years ago | (#34734920)

Because you didn't read the original article.

TITO'S BACK !! AND HE EATS MEAT !! (-1)

Anonymous Coward | more than 2 years ago | (#34733268)

Hungarians' ghoulash, EdieAmine-style !!

Hard to get reproducible results (2, Interesting)

Anonymous Coward | more than 2 years ago | (#34733274)

FTFA: The design of the fuzzer makes it unexpectedly difficult to get clean, deterministic repros; to that effect, in the current versions of all the affected browsers, we are still seeing a collection of elusive problems when running the tool - and some not-so-elusive ones.

This might help explain at least part of the difficult communication with Microsoft.

Re:Hard to get reproducible results (3, Interesting)

Stratoukos (1446161) | more than 2 years ago | (#34733558)

> This might help explain at least part of the difficult communication with Microsoft.

But not Mozilla, the Webkit team and Opera?

Re:Hard to get reproducible results (4, Insightful)

Rockoon (1252108) | more than 3 years ago | (#34733924)

Just to be fucking honest...

His tool only found a few bugs ("several") in Internet Explorer, found about two dozen in Webkit ("some" problems still unfixed), about 60 bugs in Mozilla ("several" still unfixed), and that for Opera some of the bugs aren't fixed ("several".)

So what we see here is that of the browsers, Internet Explorer didn't have nearly as many problems identifiable by his tool as the others to begin with, and that it still doesn't have more than the other browsers now even after all parties had 6 months.

Could it be that all of the remaining bugs for all of the browsers require good reproducibility to address reasonably? Could it be that the person you replied to is correct, rather than that your "but not mozilla, webkit team and opera?" bullshit is just that, bullshit?

Re:Hard to get reproducible results (2)

yuhong (1378501) | more than 3 years ago | (#34734154)

BTW, mangleme released by the same security researcher has a mangle.cgi that logs attempts to the server log, and a remangle.cgi that uses the info from the log to reproduce the exact same page. This could be done with this fuzzer too, but the problem is where to log. Filesystem access is restricted for obvious reasons. How about using document.cookie as a log?
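The log-and-replay idea from the comment above, as an added example that is not part of the original post and is not code from mangleme or the fuzzer under discussion. All names are hypothetical; the store is an in-memory stand-in for whatever small string store (a cookie value, for instance) the harness can write to, and the generator version is logged because the thread turns on which version of the tool reproduced a crash.

```javascript
'use strict';
// Added example: names are hypothetical, seeds and version tag are constructed.

const GENERATOR_VERSION = 'gen-1'; // constructed version tag for this sketch

// mulberry32-style PRNG: the same 32-bit seed always yields the same sequence.
function seededRandom(seed) {
  let a = seed >>> 0;
  return function next() {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const TAGS = ['div', 'span', 'p', 'table', 'ul', 'li', 'b'];
const ATTRS = ['id', 'class', 'title', 'lang'];

// Build a randomly shaped test page. Every random choice comes from the
// seeded PRNG, so the seed alone is enough to rebuild the exact same page.
function generatePage(seed, maxDepth = 4) {
  const rnd = seededRandom(seed);
  const pick = (arr) => arr[Math.floor(rnd() * arr.length)];
  function node(depth) {
    const tag = pick(TAGS);
    const attr = `${pick(ATTRS)}="v${Math.floor(rnd() * 1000)}"`;
    const kids = depth >= maxDepth ? 0 : Math.floor(rnd() * 3);
    let inner = '';
    for (let i = 0; i < kids; i++) inner += node(depth + 1);
    return `<${tag} ${attr}>${inner}</${tag}>`;
  }
  return `<!doctype html><body>${node(0)}</body>`;
}

// In-memory stand-in for a small string store with get/set.
function memoryStore() {
  let value = '';
  return { get: () => value, set: (v) => { value = v; } };
}

// Bounded log of "version:seed" entries joined with '|'. Only characters
// that are legal in a cookie value are used, and the cap keeps it small.
class SeedLog {
  constructor(store, maxEntries = 50) {
    this.store = store;
    this.maxEntries = maxEntries;
  }
  entries() {
    const raw = this.store.get();
    return raw ? raw.split('|') : [];
  }
  record(seed) {
    const kept = this.entries()
      .concat(`${GENERATOR_VERSION}:${seed >>> 0}`)
      .slice(-this.maxEntries);
    this.store.set(kept.join('|'));
  }
}

// Record the seed BEFORE producing the page, so the entry survives even if
// the consumer of the page crashes while handling it.
function servePage(log, seed) {
  log.record(seed);
  return generatePage(seed);
}

// Rebuild a page from a log entry. A version mismatch is an error rather
// than a silent replay, because a changed generator yields a different page.
function replay(entry, currentVersion = GENERATOR_VERSION) {
  const m = /^([^:|]+):(\d+)$/.exec(entry);
  if (!m) throw new Error(`malformed log entry: ${entry}`);
  if (m[1] !== currentVersion) {
    throw new Error(`entry was produced by generator ${m[1]}, not ${currentVersion}`);
  }
  return generatePage(Number(m[2]));
}

{
  const log = new SeedLog(memoryStore(), 3);
  const served = [11, 22, 33, 44].map((s) => servePage(log, s)); // constructed seeds
  const all = log.entries();
  console.log(all.join(' '), replay(all[all.length - 1]) === served[3]);
}
```

Replaying a seed regenerates the same input only; anything that depends on timing or on earlier browser state still has to be recreated separately.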

Re:Hard to get reproducible results (4, Informative)

hairyfeet (841228) | more than 3 years ago | (#34734922)

But there are a couple of BIG differences between IE and the others that mean they should always be looked at with more suspicion and scorn, and I'm a Windows guy. 1. Refusing to backport IE 9 to XP means you are gonna have hundreds of millions of IE installs running on old versions, 2. Thanks to their idiotic "Hey lets all run as admin!" design of XP when combined with IE just increases the risk of nasty, and 3. the webkit based browsers, such as Chrome, Dragon, Safari, SWIron, etc at least attempt to sandbox the browser, whereas MSFT to kill off competition buried IE deeply into the system making IE the more dangerous choice.

Finally since you read TFA you would see that while the others kept working with the writer MSFT closed the ticket and cut off communication right up to when he said he would release even though the writer was able to replicate the bugs with the July tool and so was MSFT. Then when he was ready to release did they begin talking about "PR nightmare" instead of actually seeming concerned with the security of their browser. Let's be honest folks, IE was nothing but a tool to kill Netscape and once it had accomplished its goal it was left to rot. You had millions infected thanks to their lax treatment of security via IE 6, and they are just now trying to get to where everyone else was a year ago. Considering your browser is the closest your OS gets to being "bare metal" with the wild and woolly Internet trusting your machine to a browser that is only updated on patch Tuesday unless something completely embarrassing hits is more than a little nuts.

One of the nice things we have today is plenty of free choices in that department and thanks to the scourge of "This site requires IE" being all but a distant memory getting folks away from IE has never been easier. Just send them to Ninite [ninite.com] and tell them which box to check. It is really just that easy. But trusting the weakest part of your security to a browser that always seems to be a day late, a dollar short, and has the biggest bullseye painted on it? There is a good reason to always assume the worst when it comes to IE, it is because that has been time and time again what you got.

Re:Hard to get reproducible results (1)

yuhong (1378501) | more than 3 years ago | (#34735116)

> browser that is only updated on patch Tuesday

browsers that is updated every two patch Tuesdays

Re:Hard to get reproducible results (0)

Anonymous Coward | more than 3 years ago | (#34735130)

The problem with your argument is that it's total bullshit.

1. There is a potential problem there but it's entirely beside the point.
2. This has no relevance whatsoever.
3. IE does sandbox, on Vista and up, which can actually support proper sandboxing.

Your second paragraph starts with two sentences that look like the start of a valid argument but then you change subjects completely and you never once get to a coherent point.

Terrific Research, But... (0)

BoRegardless (721219) | more than 2 years ago | (#34733276)

Why is ANYONE with half a brain still using Microsoft browsers?

It has only been about a decade now of bad bugs being dribbled out and gradually fixed.

Why do companies still use MS Explorer?

Re:Terrific Research, But... (0)

John Hasler (414242) | more than 2 years ago | (#34733296)

> Why is ANYONE with half a brain still using Microsoft browsers?

Why is anyone with half a brain still using any Microsoft software at all?

Re:Terrific Research, But... (4, Informative)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#34733382)

Home users, no idea. Ignorance and apathy I suppose.

Corporate? ActiveX controls, trivial to keep up to date with WSUS, even when the user is non-admin and a firewall is blocking most outside downloads, accepts loads of configuration options from Active Directory Group Policies, etc.

Re:Terrific Research, But... (1)

Anonymous Coward | more than 3 years ago | (#34733802)

> Home users, no idea. Ignorance and apathy I suppose.

Ease of use, large amount of available software (games, in particular), out-of-the-box operation (aka 'it comes with the damn pc'), familiarity, large user base ('family member X knows something about computers and (s)he (also) uses windows, so (s)he can help me when I need help').

Re:Terrific Research, But... (0)

Anonymous Coward | more than 3 years ago | (#34733820)

The real reason? What you consider "better" isn't objectively so. Sorry. Your opinions don't set the standard.

Re:Terrific Research, But... (0)

Anonymous Coward | more than 3 years ago | (#34734536)

The only ignorance here is your refusal to understand that having apps that work in a manner befitting to the end user is a big obstacle and as much as the fanbois like to shout their opinions about it; Linux still isn't at the level most users can live with.

Re:Terrific Research, But... (0)

Anonymous Coward | more than 2 years ago | (#34733510)

I use CS5, so, but hey, it's Microsoft

Re:Terrific Research, But... (4, Funny)

MobileTatsu-NJG (946591) | more than 2 years ago | (#34733528)

>> Why is ANYONE with half a brain still using Microsoft browsers?

> Why is anyone with half a brain still using any Microsoft software at all?

People with half a brain should be using Linux instead?

Re:Terrific Research, But... (1)

Anonymous Coward | more than 2 years ago | (#34733574)

> People with half a brain should be using Linux instead?

There's a distro for that.

http://www.ubuntu.com/ [ubuntu.com]
http://ubuntuforums.org/ [ubuntuforums.org]

Re:Terrific Research, But... (0)

thegarbz (1787294) | more than 2 years ago | (#34733602)

> Why is anyone with half a brain still using any Microsoft software at all?

Because some of Microsoft's software is incredibly stable, compatible with all modern hardware, easy to use, has UI design that is consistent and makes sense, and will run nearly all software on the planet.

I tried using linux on my desktop, but after a kernel update made my machine randomly lockup and it took me more than a week to diagnose this, after I couldn't change my screen resolution because the ok / apply buttons weren't on the screen, after I spent a week trying to get my scanner working and failing, I just kind of gave up.

Despite what you think some of us out there not only like some Microsoft products (not IE), but actively prefer Microsoft products which are still a leap and bound better than anything the open source community have come up with. (yeah watch my karma burn, but do I get a saving grace for saying Android is a shitload better than WM7?)

Re:Terrific Research, But... (-1)

Anonymous Coward | more than 3 years ago | (#34734634)

I want some of whatever you are smoking!!! "Microsoft's software is incredibly stable," "has UI design that is consistent and makes sense" are simply statements from someone who has smoked too much weed. You say you "tried using linux on my desktop, but after a kernel update made my machine randomly lockup and it took me more than a week to diagnose this". As unstable as the typical linsucks kernel is, it will at least run on even broken hardware, Windows simply crashes randomly and you're lucky if it runs for more than an hour or two without crashing. Don't give me the "buy decent hardware" line of shit, because I use Dell and HP server grade hardware that stays up for years with Solaris.

Re:Terrific Research, But... (0)

Anonymous Coward | more than 3 years ago | (#34734816)

> You say you "tried using linux on my desktop, but after a kernel update made my machine randomly lockup and it took me more than a week to diagnose this". As unstable the typical linsucks kernel is, it will at least run on even broken hardware

After a recent kernel update my eth0 randomly disappears after a few days for no reason. Eventually after months of following news groups and complaining I had to manually compile a patch to fix it. This is a mainstream onboard e1000e server Intel nic. There is something really wrong when an end user has to compile kernel patches to update a vendor supplied device driver.

Every time without fail I try to do any serious work with linux on the desktop there are problems with my video - the x-server crashes or flakes out. Thinkpad feature support still sucks and the fonts... OMG.. the fonts are absolutely terrible..they have no kerning just ugly blurry anti-aliasing... I can't stand it. They should focus less on (lets face it windows ripoff eye candy) and fix the basic problems. Eventually linux will rock on the desktop but lets not delude ourselves.

I love linux but only for server / network applications where no other operating system can really compete... not even BSD. On the desktop it won't run the apps I need it to and it is NOT stable.

WRT broken hardware... most reliability issues are people running with bad memory, PSUs and disk drives who have not done a proper burn-in to detect and fix the problem. Windows fills memory in reverse order of Linux and so some problems with broken hardware appear different just by the luck of the draw. There is still a very serious problem that must be resolved... blaming the OS for hardware issues that are beyond its control is not useful.

Re:Terrific Research, But... (-1)

Anonymous Coward | more than 3 years ago | (#34733840)

> Why is anyone with half a brain still using any Microsoft software at all?

Probably because those of us with full brains use our spare half to realize that dicking about with configuration files, compiling third party drivers for video cards, and trying to figure out why our year old soundcards won't work isn't worth our time. Nor is it 'fun', except for sociopaths.

Re:Terrific Research, But... (0)

Anonymous Coward | more than 3 years ago | (#34734700)

>> Why is ANYONE with half a brain still using Microsoft browsers?

> Why is anyone with half a brain still using any Microsoft software at all?

Because when I tried Windows on the other partition, it screwed up GRUB.

Re:Terrific Research, But... (3, Insightful)

Xtense (1075847) | more than 2 years ago | (#34733308)

It comes preinstalled with the OS, it doesn't need any configuring (or, if needed, it syncs automatically with settings on a domain controller) and, for tasks actually needed in an office setting, it works.

No, it isn't "good" by any stretch of the word, but switching to a different browser is definitely not high up on the list of needed IT changes.

Re:Terrific Research, But... (4, Interesting)

dgatwood (11270) | more than 2 years ago | (#34733338)

> Why do companies still use MS [Internet] Explorer?

Momentum. A browser in operation tends to stay in operation unless acted upon by an outside IT consultant.

Re:Terrific Research, But... (1)

ScottMcD (1339445) | more than 3 years ago | (#34734904)

Momentum? Maybe. In the companies I've worked for, IE is required by the older versions of browser based ERP applications. A lot of these were built using specific technologies built into IE. The newer versions of these applications are usually cross-browser, but upgrading to them costs money.

Re:Terrific Research, But... (3, Insightful)

Virtucon (127420) | more than 2 years ago | (#34733442)

Because MSFT understands channel marketing. Their services, their products work with their tools. They've also fed that into the enterprise as well. Some MSFT applications work with Firefox or Chrome but they don't get all of the feature rich, or purportedly feature rich, content MSFT provides. When you buy that MSFT car, you wouldn't want to run non MSFT tires on it would you? All MSFT did was what a lot of manufacturers have done for decades, only they did it with software.

Re:Terrific Research, But... (2)

sjames (1099) | more than 2 years ago | (#34733482)

Funny, I have never even seen Ford brand tires, gas, oil, air filters, etc. etc..

Re:Terrific Research, But... (0)

Anonymous Coward | more than 2 years ago | (#34733520)

See: Motorcraft. The ford parts brandname.

Re:Terrific Research, But... (1)

sjames (1099) | more than 2 years ago | (#34733586)

No Motorcraft tires either.

Re:Terrific Research, But... (1)

JustOK (667959) | more than 3 years ago | (#34733804)

Firestone is related by marriage.

Re:Terrific Research, But... (1)

Cinder6 (894572) | more than 2 years ago | (#34733526)

I don't know about tires or gas, but oil and air filters? You bet. Ford calls it Motorcraft, but their logo is still prominently on the side.

Re:Terrific Research, But... (0)

Anonymous Coward | more than 2 years ago | (#34733562)

Apparently you have not looked very hard. Motorcraft is Ford's own brand of parts including oil, filters, probably tires and a whole lot more.

Re:Terrific Research, But... (1)

Virtucon (127420) | more than 3 years ago | (#34733736)

Not maybe in your lifetime but... It was done by Henry Ford himself.

http://www.time.com/time/magazine/article/0,9171,788057,00.html [time.com]

I guess nobody reads history books anymore?

Re:Terrific Research, But... (1)

sjames (1099) | more than 3 years ago | (#34733800)

It WAS done, but that was before I was here to see it.

Certainly it's clear enough that the analogy fails, nobody is all torn up about not having Ford tires on their Ford cars.

Re:Terrific Research, But... (2)

Virtucon (127420) | more than 3 years ago | (#34733952)

So here's one for you that's maybe a bit more contemporary. You wouldn't want to run that app on your iPhone unless it came from the App Store, now would you? Because Apple knows better than you, things are put in place to prohibit you from downloading that app. Just ask Mark Fiore about that one. Because "we" control the channel, the entire distribution chain, we then control the product and we can force you to take what we want to give you.

All of this has been done before and to a much greater extent in the past. People nowadays think that it's something new to have this kind of bundling and tied product design with supporting Channel Marketing strategies employed, it's not. The Software and Electronics Industries have just caught on is all. Just like Region codes in DVDs for that matter.

Of course you can run MSFT Sharepoint apps with Firefox, but it doesn't give you the full "robust" effect does it? Enterprises want the functionality that they pay for and are willing to put up with that argument because they're buying a solution, a COTS product. Because of that, they then mandate IE in the enterprise because they don't want to deal with heterogeneous environment support issues and so that the apps they test and deploy will work. Diversity in IT costs money. Now all of their thousands of PCs are running IE because "MSFT says so."

Here's another one:

Have you tried to run Outlook Web Express (Exchange) on Firefox? How about the same app on IE? Are they the same experience? hell no.

People at Home want that easy to use experience and although I can't say how many folks are still running Windows XP I'd venture to say it's still more than run Windows 7. They don't want their kids coming to them and telling them that Fallout Vegas doesn't work on that PC that's 5 years old. They just want it to work for them and their kids. On that computer there rests a copy of IE, probably IE 6 because it lets the kids get onto Disney.com and Mom can get her latest Oprah Content. Couple that with the fact that Microsoft isn't supporting XP anymore and you have a bigger problem because you didn't buy that MSFT upgrade path yet where you get the new service plan, warranty and all the new features.

So, you wouldn't want to run non MSFT tires on that MSFT car you just bought, now would you?

Re:Terrific Research, But... (1)

sjames (1099) | more than 3 years ago | (#34734080)

Evidently there are enough people who DO want to run non-App Store apps on their iPhone that the necessary hack has been simplified down to "just click here" for the less technical users.

Considering that Firefox is busy outstripping IE, I'd say a lot of home users most certainly WOULD want to. It seems a lot of businesses do as well except that some of them are stuck on IE6 (and so can't 'upgrade' to Windows 7).

As for the rest, I can't really say. I run Linux except for a single old Dell named "Crash Test Dummy" that runs XP. Its use is just what its name suggests.

So, yeah. I and a lot of others absolutely would want to run non MSFT tires on that MSFT car. Of the rest, it's divided between the apathetic/agnostics and the loony purists for purity's sake.

Re:Terrific Research, But... (0)

Anonymous Coward | more than 3 years ago | (#34733970)

as someone who does IT for a new car dealership I can tell you for a fact that LOTS of people only want Firestone tires on their Fords. Analogy works if you understand the auto industry.

Re:Terrific Research, But... (1)

evilviper (135110) | more than 3 years ago | (#34733742)

I don't know Ford's system, but for GM, all parts are "AC Delco" branded (tires not included), and all documentation recommends AC Delco replacement parts. So there's a good bit of truth to the statement...

Re:Terrific Research, But... (1)

sjames (1099) | more than 3 years ago | (#34733838)

Sure, but neither they (nor Ford's Motorcraft) sell gas or tires. Their share of the market for oil and air filters is modest. It's far away from

> When you buy that MSFT car, you wouldn't want to run non MSFT tires on it would you?

Re:Terrific Research, But... (1)

fleebait (1432569) | more than 3 years ago | (#34735606)

Ford previously was an all Firestone purchaser.
Then Firestone was bought out by (foreign owned Bridgestone)

Currently the 3 top suppliers to Ford are: Goodyear, Michelin, Continental.

Re:Terrific Research, But... (0)

Anonymous Coward | more than 3 years ago | (#34734412)

Actually, their stuff rarely works well together in total. It's supposed to in theory, but in practice it doesn't always jell.

Re:Terrific Research, But... (1)

Anonymous Coward | more than 2 years ago | (#34733470)

If you RTFA, you'll notice why this isn't looking as bad as the Slashdot summary reports it.

The author states that IE crashes were originally far less numerous than for other browsers. And most of them were not exploitable.

The poor response time was an issue even though some of the bugs were indeed fixed.

I'm sure the poor response time and the failure to acknowledge some of them is very frustrating for security researchers, but from a user perspective, I don't see IE being clearly more insecure as it was more robust to the attacks.

Re:Terrific Research, But... (1)

hedwards (940851) | more than 3 years ago | (#34734192)

Of course not. You don't typically see the insecurity unless the cracker has fouled up. A compromised machine often times looks exactly like a typical one, albeit somewhat slower and with more use of the network.

Re:Terrific Research, But... (1)

thegarbz (1787294) | more than 3 years ago | (#34733642)

Integration.

When a Fortune 50 company decides to upgrade their global intranet which was previously compatible with only IE6 to a platform based on .... Sharepoint of all bloody things, they once again dig themselves further into the vendor lockin hole. However when you look at it on the grand scheme of things the intranet despite the browser is now not only far better than it was, but is highly customisable by individual employees in departments. A wonderful advancement on the previous "call up IT and hope they get to it within the next 6 months" answer for fixing a single broken link.

Above all this pre-packaged solution meshes nicely with all other Microsoft products and is cheap to implement. So ultimately even if some nameless CIO wanted to get rid of IE from a company with 80000 employees globally, often you may find that it stays around to satisfy other requirements for integration.

That and the very latest version of IBM Maximo doesn't work properly on Chrome or Firefox, so third party vendors are also to blame. (IBM definitely isn't the only one to blame here)

Re:Terrific Research, But... (1)

BagOBones (574735) | more than 3 years ago | (#34733898)

1. Companies do not have any money to rebuild applications that are only compatible with Microsoft Products
2. Companies are unwilling to spend money on replacing systems that work.
3. Security is not a priority often as it costs money.
4. Just because the software is free doesn't mean the employee training, implementation project or any of the costs of switching don't matter.

Re:Terrific Research, But... (1)

QuoteMstr (55051) | more than 3 years ago | (#34734294)

Modern Internet Explorer:

  1. is fast and stable
  2. can be controlled with group policy
  3. can be centrally deployed and managed
  4. comes with the OS
  5. has a neat feature or two

We're not talking about IE6, and this isn't 2003. It's time to update your prejudices. IE9 is a decent standards-conforming browser. It's not all that exciting, but it's not awful, and I can understand why people are perfectly content with it.

Re:Terrific Research, But... (1)

camperdave (969942) | more than 3 years ago | (#34734754)

> IE9 is a decent standards-conforming browser. It's not all that exciting, but it's not awful, and I can understand why people are perfectly content with it.

Corporate policy restricts us to WinXP and IE7. I thought IE9 was still on the drawing boards.

Re:Terrific Research, But... (1)

WaffleMonster (969671) | more than 3 years ago | (#34734734)

> Why is ANYONE with half a brain still using Microsoft browsers?
>
> It has only been about a decade now of bad bugs being dribbled out and gradually fixed.
>
> Why do companies still use MS Explorer?

What bug free browser do you recommend people use? Firefox? chrome? Can you name even one not constantly having to release patches for P1 security issues? Does such a browser even exist?

There is little point with security relativism in this space when all of your choices == EPIC FAIL.

Sandbox time? (0)

Anonymous Coward | more than 2 years ago | (#34733294)

It's time to sandbox the entire browser. And put the sandbox in a VM.

That way you have to find 3 security holes to compromise the computer.

Re:Sandbox time? (3, Funny)

Xtense (1075847) | more than 2 years ago | (#34733326)

And what if we put the VM... into ANOTHER VM? :O

Re:Sandbox time? (1)

ObsessiveMathsFreak (773371) | more than 3 years ago | (#34734276)

But then with all the slowdown, how will I run my in browser flash games?!

Re:Sandbox time? (1)

Anonymous Coward | more than 3 years ago | (#34734358)

Sup dawg, I heard you liked sandboxing. So I put a VM in your VM so you can Sandbox while you Sandbox.

Re:Sandbox time? (0)

Anonymous Coward | more than 3 years ago | (#34735246)

It's all VMs all the way down.

Re:Sandbox time? (1)

Bob_Who (926234) | more than 2 years ago | (#34733356)

....That way you have to find 3 security holes to compromise the computer.

...All three holes? The usual obsession of web whackers....

Re:Sandbox time? (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#34733402)

That runs into the convenience problem: Downloading pictures, files, executables, etc. and printing stuff are ridiculously common use cases for browsers. So too is the old 'opening a link in some other program in a browser'. Thus, any sort of security mechanism that makes those more of a pain will run into user resistance. Any sort of security mechanism that initially blocks those and then introduces a bunch of workarounds (shared filesystem location between VM and computer, virtual printer in VM mapping to real spooler, some sort of local process that catches URLs and passes them into the sandbox, etc.) also raises the possibility of serious bugs in those workaround mechanisms...

If browsers were exclusively used for reading web pages, securing them would be so much simpler...

Re:Sandbox time? (0)

Anonymous Coward | more than 3 years ago | (#34734060)

(Also, of course, is the issue of things like plugins: If I make the mistake of installing Adobe Acrobat reader it will, by default, set itself up so that I can read PDFs 'in browser' by means of an embedded instance of AAR. Various other flavors of file have their equivalents. This means that either you must sacrifice this capability, and deal with only what the browser provides, or you must have a separate install process for browser plugins, disconnected from the installation of the standalone program, or there must be a mechanism by which programs executed within the main OS instance can mess with the sandboxed and VMed browser instance; this presents an obvious additional risk, particularly if the browser plugin relies on being able to communicate with a separate main program process, or different program).

That's the tricky bit. It isn't too hard, conceptually, to put the browser behind enough layers of abstraction that 0wning it is nearly useless, and your ownership lasts only until the user restarts the browser. However, doing that without making the browser about as useless as the browser running on an entirely separate computer is the hard part. Much of what browsers are, in practice, used for depends on comparatively close integration between the browser and other elements of the system. This doesn't mean that it is impossible; but it does mean that any sandbox will either be wildly annoying to users, or riddled with potential escape channels that need to be rigorously secured. Worse, since so much of what certain people do is in browser, it has become the case that the security of the browser itself is important. Even if no other program, or any part of the local filesystem is touched, things like XSS attack prevention, to keep javascript on the warez.ru tab from snarfing your CC number from the amazon.com tab, are still vital. If the browser has been compromised, things within it are still potentially threatened and that covers a lot more ground than it used to.

Hard problem.

Re:Sandbox time? (0)

Anonymous Coward | more than 3 years ago | (#34734122)

I'm sure you know what a DMZ (network) is. Now apply the concept to shared memory. Problem solved. It was solved, many years ago (decades if you count server daemons).

Re:Sandbox time? (1)

fermion (181285) | more than 3 years ago | (#34734748)

MS had no problems providing restrictions on the use of Outlook to downloading pictures, files, executables. They could easily do the same for IE. The reason they do not in IE, IMHO, is that such a thing would cut into the ad revenue of the real customers. It is the same reason flash does not have a setting to disable autoplay. It is like MS taking forever to provide popup blocking.

Re:Sandbox time? (1)

lseltzer (311306) | more than 3 years ago | (#34735070)

IE7+ on Vista and Win7 is essentially sandboxed through protected mode. We don't know enough about the bugs to know real impacts, but if they don't break out of protected mode then the attacker can get very little done.

Of course this doesn't apply on XP, but only suckers use XP anymore.

Re:Sandbox time? (1)

Larryish (1215510) | more than 3 years ago | (#34733788)

Set up your user's machine to run Debian, and run Wintendo in a Virtualbox instance. Make a backup copy of the VM after the initial updates and basic apps install.

Then when Grandma's box gets something so nasty that system restore won't fix it, you can restore it to an original state from the backup copy.

Re:Sandbox time? (0)

Anonymous Coward | more than 3 years ago | (#34734006)

IE8+ and Chromium are. Not fully (yet). But TFA's tool only exploits DOM parsing/rendering bugs. Ergo, 99.999% (if not 100%) of them won't be able to penetrate the target computer without further (much harder) effort.

Is Chrome not affected? (0)

Anonymous Coward | more than 2 years ago | (#34733364)

The story has been tagged with Firefox and IE icons. Does this imply that the other major browsers aren't affected? TFA makes no specific mention of Firefox BTW. So I'm assuming the Firefox icon is for fairness's sake (i.e. it's not the usual M$ problemo). However, there are no icons for Chrome and Safari.

Re:Is Chrome not affected? (1)

Xtense (1075847) | more than 2 years ago | (#34733384)

Chrome wasn't tested by the researcher, so no mention is made as to whether it is affected or not. Safari figures under "All WebKit browsers" in the message and some bugs were found.

Re:Is Chrome not affected? (1)

MeanMF (631837) | more than 2 years ago | (#34733440)

Chrome is a WebKit browser too.

Re:Is Chrome not affected? (2)

Xtense (1075847) | more than 2 years ago | (#34733468)

Oh, right. Forgot about that one, sorry.

*holds up geek card* So where do I turn in this thing?

Re:Is Chrome not affected? (1)

raving griff (1157645) | more than 2 years ago | (#34733396)

I can't recall ever seeing more than 5 icons on a single article, so I would assume that this is a limit to slashdot's story posting system.

Your point is very valid--the article discusses browsers in general. Perhaps we should have an icon that applies to browsers in general or ignore browser icons altogether for articles such as this?

Re:Is Chrome not affected? (0)

Anonymous Coward | more than 2 years ago | (#34733584)

Please read a bit deeper into the story than just TFA. Firefox is mentioned.

Still Crappy Code after all these years? (1)

Virtucon (127420) | more than 2 years ago | (#34733418)

Fuzzing Test logic has been around awhile but again I still can't fathom why Software vendors can't do a better job of using tools to certify their code. I can't ascertain from this report that these bugs create vulnerabilities or an in the wild attack. This report should read "IE 8 has bugs."

All this talk about Sandboxes as well can't be overlooked but what about the network level and intelligent traffic analysis. If all of a sudden you start seeing PCs launching IP traffic at strange addresses in Foreign Lands, I think a firewall could then be employed to block it until such time as an analysis could be done to find out what's going on. Even so, if PCs start feeding data to private PCs or unknown networks then that's certainly something that can be corralled at the network level as well.

Can we get this re-summarized (0)

Anonymous Coward | more than 2 years ago | (#34733486)

I mean come on, there is a 1 year 2 month window between first bugs being reported and new issues with the next version being passed on.
Which adds up to about the 1 year longer it took MS to fix the issues!

Well knock me down, in over a year don't tell me that a program designed to stress test browsers that is undergoing changes being run on a years worth of updates is causing more issues!

"Early fixes from Opera and Apple started shipping somewhere in 2008; some more arrived in 2009."
The original MS fix took two months, from May to July 2008. Then we jump through to Sept. 2009!! One year and two months because of, and I quote, "after multiple delays at the request of other vendors"

The only time the response by MS seems to have been 'depressing' it seems to be a 4 month window when for whatever reason MS forgot about or lost the response, that does happen occasionally, and yet when that was identified it seems the response was to get in, kick ass and keep working on the issues. With more back and forth communication in the last ten days of the year, over the holiday period than one has the right to expect.

How about we change the last MS bashing bit to "MS Spends months trying to fix "fairly quickly crashes""
or we could try, "New versions of stress software cause new bugs that need to be fixed by MS"

how many happen with scripts disabled? (0)

Anonymous Coward | more than 2 years ago | (#34733492)

Seems like if you disable scripting, then you're just down to buffer overruns and such in the HTML engine or image display libraries. But disabling scripts has got to remove a HUGE attack surface. It seems like running a good AppArmor profile would remove most of the rest of the attack surface.

Re:how many happen with scripts disabled? (1)

yuhong (1378501) | more than 3 years ago | (#34734088)

The attacks created by this fuzzer occur only with scripts enabled. But the same researcher previously released mangleme, which fuzzed HTML and led to a significant number of HTML engine bugs being fixed.

Unwanted Pop-Unders Still a Security Issue (1)

Ron Bennett (14590) | more than 2 years ago | (#34733524)

I'm amazed the pop-under problem still hasn't been addressed in MSIE nor, more surprisingly, in Firefox - even at the highest security settings, pop-unders, such as the Netflix and screensaver ones, still get through - a potential security flaw.

I've searched the bug reports for Firefox in the past and pop-unders rank high on problems that people want fixed, and yet still isn't - seems to me if pop-up windows can be blocked, why can't pop-under windows? Doesn't make sense to me ...

The cynic in me thinks there's some financial incentives for Firefox developers who happen to know how to fix the pop-under issue to not do so. Especially since some large companies, such as Netflix, and various popular websites, including Accuweather.com, heavily utilize pop-unders it makes me wonder, but I digress.

Ron

Re:Unwanted Pop-Unders Still a Security Issue (3, Informative)

rudy_wayne (414635) | more than 2 years ago | (#34733594)

I'm amazed the pop-under problem still hasn't been addressed in MSIE nor, more surprisingly, in Firefox - even at the highest security settings, pop-unders, such as the Netflix and screensaver ones, still get through - a potential security flaw.

I've searched the bug reports for Firefox in the past and pop-unders rank high on problems that people want fixed, and yet still isn't - seems to me if pop-up windows can be blocked, why can't pop-under windows?

Pop-up windows are still a problem in Firefox. Websites have devised new ways to pop up annoying windows that Firefox apparently isn't able to block (as of FF4 beta 8).

Re:Unwanted Pop-Unders Still a Security Issue (3, Informative)

Vekseid (1528215) | more than 3 years ago | (#34733664)

It's not new, those popups are being delivered through Flash, rather than javascript.

Re:Unwanted Pop-Unders Still a Security Issue (0)

Anonymous Coward | more than 3 years ago | (#34734074)

Well that's easily prevented.

Chrome:
about:flags -> Click-to-play (enable)
Options -> Under the Hood -> Plug-ins -> Click to play

Firefox: probably has dozens of extensions to block Flash. Including RequestPolicy for cross-site requests (I so wish this extension existed for Chromium).

Re:Unwanted Pop-Unders Still a Security Issue (1)

QuoteMstr (55051) | more than 3 years ago | (#34734312)

No, at least Mozilla blocks Flash popups too. The issue is that these "popups" are created in response to user clicks, and the browser can't tell the difference between Live Jasmin spam and a legitimate, requested pop-up because both are run from the click event handler.

The only solution is to disable popups entirely, which will cause compatibility issues. This is why we can't have nice things.

Re:Unwanted Pop-Unders Still a Security Issue (1)

hedwards (940851) | more than 3 years ago | (#34734218)

I haven't seen that, but then again I typically browse with noscript running in the background.

We can't fix the web browsers anymore (0)

Anonymous Coward | more than 3 years ago | (#34733692)

Seriously. Today's browsers need to implement so many technologies that they automatically get bloated. There is CSS, various HTML versions, XHTML (in various versions and dialects), XSLT, MathML, vector graphics (SVG), RSS, Atom, {Java, ECMA}Script, various image formats (JPEG, GIF, PNG, ..), etc. The code gets so utterly complicated that it inherently contains many, many vulnerabilities. Just take a look at the Firefox/gecko code, for example.

Do you think HTML5 is a good idea? Well, it probably is in order to get rid of ugly third-party plugins like flash and java. However, it's going to make browsers even more complicated (and therefore likely less secure).

I sometimes wish there was some sort of "legacy" web which would contain all the information, just without the glossy rubbish. Gopher someone?

It's a big target (0, Troll)

BudAaron (1231468) | more than 3 years ago | (#34733860)

At 83 with years of computer experience I can't understand for the life of me why people dislike Microsoft so much. When I was growing up the American dream was to build a business and make it grow like crazy. Bill Gates did exactly that. So to me he represents the culmination of an American dream. That said the main reason Microsoft gets pummeled with exploits is that they are a huge target. Virus writers want to make a name for themselves so they go after the biggest targets. My answer is simple - I use Windows Security Essentials - a free virus tool from MS and I haven't had a virus since I started using it. Many of the commercial anti-virus folks aren't real happy but frankly I don't care. And yes - I do run other tools occasionally to ensure that all is well. You say you don't like Microsoft? I say "fine - no problem - you use whatever floats your boat but stop taking pot shots at MS." You don't need to use it and you don't need to like it. I don't care. I don't take shots at any "...ix" versions. You're welcome to use them or whatever you want. I just happen to love all things Microsoft and get a lot of work done using them. Take pot shots at me if you like - my name is Bud Aaron and you will find me with a simple name search.

We need to see another version of Lynx (1)

freaxeh (1962440) | more than 3 years ago | (#34734220)

We need to see some kind of lightweight VM machine running in a sandbox on the windows OS, which acts and looks just like a web browser to anybody using it, and saves downloaded files to a directory on the Windows desktop folder in a Directory named "Downloads". Today the majority of users certainly have the CPU power to pull it off, why not run it completely in RAM too to facilitate never having to access the hard drive. It would probably be the fastest web browser ever made, and the most secure.

Re:We need to see another version of Lynx (0)

Anonymous Coward | more than 3 years ago | (#34734678)

  • Sandboxed web browser: Run any web browser inside Sandboxie. Problem solved.
  • Downloads folder: Firefox already does that. Sandboxie contains files in a separate quarantined folder that can be retrieved to said Downloads folder.
  • CPU Power: Actually, Sandboxie runs a little bit slow, so a user would notice it. Aside from that, the "#" that appears at the start and end of the window title, and the different icon for the shortcut (which could be changed I suppose), most users wouldn't notice any difference. Actually, to be fair, most users wouldn't notice the performance toll to begin with, what with Internet Explorer being so slow even before you get all the toolbars and BHOs you didn't want. It's still faster than that.
  • Run everything in RAM: 1 word: "Flash". User goes to youtube.com, watches a few videos, and you can just watch their RAM fill up. Or Slashdot. Or some graphical or large page. While running strictly from RAM would boost performance in theory, it wouldn't be practical for a web browser. Also, running from RAM isn't going to do anything for security, which is what this article is about. A heap overflow is going to happen from within memory whether the exploit is loaded from the hard drive or from RAM (which is where it's ultimately going to wind up anyway).

Michal (0)

Anonymous Coward | more than 3 years ago | (#34734582)

It's Michal, not Michael

EMET 2 (0)

Anonymous Coward | more than 3 years ago | (#34734910)

Anyone tested with emet 2 running on the browsers?

Who's writing these headlines? (1)

Paradise Pete (33184) | more than 3 years ago | (#34735262)

Who's writing these headlines?
His own post says "about one hundred." How does that turn into "Hundreds of browser bugs"?
And he does not say "some" of these bugs may be known to third parties. He says "at least one."

What he found is bad enough. Why the need to exaggerate?