Sunday, July 02, 2006

Welcome to the Browser Fun Blog!

This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution. Enjoy!

24 Comments:

At 11:34 AM, Blogger Wraith said...

Please post firefox browser bugs as well. We all know how insecure IE is. I'm very surprised that people still use it. Is it about storage space? Convenience? What?

Many banking sites use IE-based-only code.
I wrote to my banking site and within a month (yeah I know) they had FINALLY fixed the site so that once again it was compatible with Firefox. It was rendered incompatible after a major upgrade to all their computer systems.

Just, ANY browser other than IE would work wonders. Would you drive a car with a built-in-computer that could be hacked remotely? Would you be willing to download patch after patch and *hope* that it does the trick? How would you feel if you literally *crashed* because some script kiddie took over your car?

Why should your computer be any different? Isn't it as important as your car? Don't you want to use it for online banking, online shopping, and all the wonders of the Internet, without worry, without having to spend money on 3rd-party software to fix and help IE that should already be good enough without help?

Just, focus on other browsers in addition to IE. I'd love to see some "Firefox exploit" tools.

 
At 6:29 AM, Anonymous Anonymous said...

In this case, ALL "cars" (browsers) are broken.
There is no difference between IE, Firefox and the others.

 
At 7:15 AM, Anonymous Anonymous said...

How many browsers are you going to test ... as in mainstream only?

IE, Firefox, Safari and.. Opera?

 
At 7:24 AM, Anonymous Anonymous said...

I think the last post said it. Every browser is broken - it's just easier to beat on IE because it's integrated into every possible OS bug in Windows as well - not to mention that it's been around for years longer with more available "features" than any of its real competitors. If you use your head when you use your browser, you will be safe 99.9% of the time - if you don't then you'll get screwed sooner or later no matter what browser you choose.

 
At 8:13 AM, Blogger Brian said...

Here's my favorite, crash IE with just some HTML: Brianary: Some (invalid) HTML to crash IE.

 
At 8:34 AM, Anonymous Anonymous said...

All broken?

This assertion that all browsers have precisely the same level of vulnerability is just plain ridiculous. Despite excuses like "more users = bigger target", or "people just hate Microsoft", the fact remains that IE flaws have still resulted in far more actual damage than all competitors combined.

It is worth noting that the Mozilla foundation has an excellent track record for fixing problems, measured in days or hours, as opposed to months routinely taken by Microsoft to fix things, giving malware authors plenty of time to build a business model around exploits.

More features?

IE was left stagnant for five years! It is now playing catch-up with Firefox, Safari, and Opera--the only sources of browser innovation this millennium.

Q&A with Firefox's Blake Ross: Extended version - Todd Bishop's Microsoft Blog @ SeattlePI.com

 
At 8:51 AM, Anonymous Anonymous said...

cool site you have :P

 
At 5:42 PM, Anonymous Anonymous said...

How do you find bugs? Are you testing all the functions with possible arguments automatically? I'm just curious about it.

 
At 8:02 AM, Blogger firehose said...

*All* browsers have bugs.
*Any* browser has also to rely on one's line of defense - in & out and a minimum of config.
I use:
-Kerio's PF
-AVG
-Spybot & Spyware Blaster
-Ad-Aware & Ad-Watch
These won't keep IE (I've tried others) from acting funny but it won't crash on me.
I'll be on the lookout for a car that does online banking and a browser that will take me for a ride - on the tarmac that is.

 
At 8:56 AM, Anonymous Anonymous said...

I think everyone should stop bragging (or bitching) about the different browsers and start using the blog for the purpose it was designed for.

 
At 8:57 AM, Anonymous Anonymous said...

As a super-challenge, could you post a significant vulnerability in Opera 9? Opera may have a bug or two, sure, but I'm looking for something of the nature where simply visiting a web page causes execution of arbitrary code (a la MSIE).

And I totally agree with others on the absurdity of the assertions being made in here by some people that all browsers and platforms are equally flawed and vulnerable. My experience is that the only people who believe such nonsense are Visual Basic dummies, small-office "computer guys", and other Microsoft apologists. When it comes to technical matters, these people generally have no idea what they are talking about.

To extend the automobile analogy, you could say that no car ever manufactured is perfectly reliable. And that would be true. But if you had to drive from Portland, Maine to San Jose to arrive by a certain date, would you rather be driving a Yugo or a Honda?

 
At 9:09 AM, Blogger hdm said...

A quick look at Opera 9 shows that it passes the generic dhtml/css/hanoi tests without a problem. Due to differences in the JS engine, it could actually be a behavioral change in the test script. I will look into it more this week.

 
At 9:29 AM, Anonymous Anonymous said...

The biggest problem with any technology today is groups like metasploit and eEye. They are like kids in a candy store with the clerk distracted. If you think you are making the computing environment more secure by publicly disclosing how to exploit flaws in the programming, you are completely void of any intelligence.

As all of us have seen, to use the above analogy, when your car has a problem it gets recalled. All major automobile manufacturers have had "DEADLY" problems with some models of their cars, and they recall them for repair. Kinda the same thing that happens when a new security patch is released.

I wonder how HDM would feel if I told the world how to get the security code to his house...?

It's time to stop acting like spoiled kids and start being responsible adults. Report flaws/bugs to the vendor of the product so that it can be fixed, instead of disclosing it to the public so that it can be exploited.

 
At 11:20 AM, Anonymous Anonymous said...

HDM: You are doing a good job! Software is one of the only items you can buy on the market and get no warranty or have the company who wrote the software responsible for the damages if it's attacked. Using the car analogy, an automaker will give you a new car or be held liable if the car explodes. Microsoft and others will just turn their back because they are not liable.

It is important that users understand and are educated of the potential flaws in software.

Keep up the good work!

I wouldn't pay any attention to these microsoft weenies and these other posers. ;-)

 
At 9:27 AM, Anonymous Anonymous said...

Has it ever occurred to you that Jesus Christ the Lord would never do this, and that what you are doing is evil? Repent and believe the gospel. You can be forgiven. He died for your sins and rose from the dead to save you. Stop this nonsense and repent.

 
At 11:09 AM, Blogger hdm said...

The last comment gave me such a warm fuzzy I had to let it through. If we are pissing off the religious nuts, we must be on the right track!

 
At 2:02 PM, Anonymous Anonymous said...

Amen brother, amen.

 
At 5:15 AM, Anonymous Anonymous said...

Good to see some people still have enough courage. Microsoft and all the major vendors really need a kick in the *** for 1. being slow to patch 2. not listening to users' requests (CSS2 respect anyone?). The more damage these exploits do, the better, that way maybe it'll force them to ACT.

DeathWolf

 
At 4:03 AM, Anonymous Anonymous said...

Great Site!
We Want More Bugs Like This!

 
At 3:10 PM, Anonymous koenig said...

Cool idea! ;) I just blogged about an exploit I found within Opera! ;) Gonna watch your site within the next time!

 
At 6:34 AM, Anonymous Anonymous said...

You are a really smart guy, I know this. I wish I could say I'm enjoying what you are offering but I'm too afraid to try as I don't understand what you have posted although I am not totally clueless on browser vulnerabilities etc. I have IE 7 beta 3, Opera and Firefox, I usually use the latter two. I understand why you are doing this and do appreciate it. When I chanced upon your site, I bookmarked it and waited for a bit of 'hell' (lol) though I would never condemn you to hell or say that you are evil, or ask you to repent even if agnostics don't do such things, so what I am really rabbiting on about...umm... thank you, I appreciate the effort :) Jasmine

 
At 1:33 AM, Anonymous Anonymous said...

I know that this thread is relatively old, but I read one post that particularly tickled me. The one attacking the Metasploit Project and eEye, and the concept of full-disclosure in general, using some flawed metaphors and examples.

Cars that have deadly problems are usually recalled. Software with vulnerabilities is usually not “recalled” (patched) for some time, leaving users with “deadly” software for the duration. This is currently the nature of the industry.

The security code to HDM’s house is more like a password than an exploit, so that analogy is flawed. Assuming there was nothing wrong with his home security system, spreading his password would obviously be a malicious act. If there were something wrong with his security system, I’m sure he would like to know that fact.

As a professional, he did report bugs to the vendors. If a security researcher finds a bug, quietly reports it to a vendor and the vendor quietly fixes it, then alright. That can go as long as the vendor publicizes the patch. However, if a vendor is informed, and stands by, then the public needs to have the tools to develop their own solution to the problem. There is a formal methodology to ethical vulnerability disclosure.

Disclosing them to the public does several positive things. First it lets the public know what criminals have up their sleeves. What is to stop dishonest people from finding and using the same flaws under the cloak of unawareness? Second, it allows individuals with the right skills to create third party patches as a temporary fix (as Ilfak Guilfanov did for the WMF vulnerability last year). Third, it provides motivation for the vendors to release an official patch if they have not already.

Exercise some caution before you hit submit.

 
At 3:56 PM, Anonymous Anonymous said...

how about putting this "Welcome to the Browser Fun Blog" at the top of the page or as a "sticky"?
Bug report 1-D10T

 
At 2:34 AM, Anonymous Anonymous said...

Tested Vista Beta 2 (IE7). Most of the crashes are gone. Here's the complete list. Guess most of the progress comes from simply setting the kill bit. For all ActiveX controls I was asked if I want to run them. ActiveX is a design bug (running a downloadable binary in the address space of the browser is unacceptable). Actually most of the bugs posted are not IE bugs, but bugs in the countless, carelessly programmed ActiveX controls. My opinion is that as long as MS and other companies stick to programming in ancient C this will not get better. Also many programmers carelessly rely on initialization conditions. That is: they only test the positive execution path but almost never a non-valid execution path. They simply make assumptions about input that is not valid. Any string input MUST be validated for length and contents. But that is hard work and slows things down - so most guys are just too lazy to do so and tend to spend more time watching dancing pigs than carefully testing the code. It is a way-of-thinking problem. ANYTHING IS INVALID BY DEFAULT!

CRASH: http://metasploit.com/users/hdm/tools/browserfun/mobb_030.html
OK: http://browserfun.blogspot.com/2006/07/mobb-29-adodbrecordset-nextrecordset.html
OK (Object missing) http://metasploit.com/users/hdm/tools/browserfun/mobb_027.html
OK: http://metasploit.com/users/hdm/tools/browserfun/mobb_025.html
CRASH: http://metasploit.com/users/hdm/tools/browserfun/mobb_024.html
OK (Object missing): http://metasploit.com/users/hdm/tools/browserfun/mobb_023.html
CRASH: http://metasploit.com/users/hdm/tools/browserfun/mobb_022.html
OK (Object missing): http://metasploit.com/users/hdm/tools/browserfun/mobb_021.html
OK (Object missing): http://metasploit.com/users/hdm/tools/browserfun/mobb_020.html
CRASH: http://metasploit.com/users/hdm/tools/browserfun/mobb_019.html
OK (Object missing): http://metasploit.com/users/hdm/tools/browserfun/mobb_018.html
OK (Invalid procedure call): http://metasploit.com/users/hdm/tools/browserfun/mobb_017.html
OK (Popup blocked): http://metasploit.com/users/hdm/tools/browserfun/mobb_016.html
OK (NULL message): http://metasploit.com/users/hdm/tools/browserfun/mobb_015.html
OK (Invalid type): http://metasploit.com/users/hdm/tools/browserfun/mobb_014.html
OK (Unspecified error): http://metasploit.com/users/hdm/tools/browserfun/mobb_013.html
OK (Object missing): http://metasploit.com/users/hdm/tools/browserfun/mobb_012.html
OK (Unspecified error): http://metasploit.com/users/hdm/tools/browserfun/mobb_011.html
OK (Object missing): http://metasploit.com/users/hdm/tools/browserfun/mobb_010.html
OK (Object missing): http://metasploit.com/users/hdm/tools/browserfun/mobb_009.html
OK http://metasploit.com/users/hdm/tools/browserfun/mobb_008.html
OK http://metasploit.com/users/hdm/tools/browserfun/mobb_007.html
OK (Object missing): http://metasploit.com/users/hdm/tools/browserfun/mobb_006.html
OK (Invalid argument) http://metasploit.com/users/hdm/tools/browserfun/mobb_005.html
OK (Invalid argument) http://metasploit.com/users/hdm/tools/browserfun/mobb_004.html
OK (Object missing): http://metasploit.com/users/hdm/tools/browserfun/mobb_003.html
OK http://metasploit.com/users/hdm/tools/browserfun/mobb_002.html
OK http://metasploit.com/users/hdm/tools/browserfun/mobb_001.html

Object missing - Automation Server can't create object

 
