After the fuzz about the WMF-hole and other holes in Internet Explorer of April this year, one would expect there would not be that many flaws left in this browser.
But a very thorough research project by means of Data Fuzzing showed up hundreds of new ways to make the Microsoft browser crash.
This technique, known as packet or data fuzzing, has been frequently used to find serious flaws in network applications. Following that, security researcher H.D. Moore developed a simple program, and worked this program on Internet Explorer together with other browsers.
To his astonishment the researcher found hundreds of crash-possibilities and flaws in IE. Who thought that only IE went down without glory is wrong because other browsers also had various flaws and security problems, but to a far lesser extent than Internet Explorer.
But that was not the end of the affair, because during the CanSecWest meeting last week Moore and his student Matthew Murphy again found a score of ways to crash browsers. They had these results established in slightly over one hour.
Moore already found more than 50 flaws in Internet Explorer. “A handful of these flaws can be used to remotely take over a Windows system completely by visiting a certain website”, according to Moore. “Other browsers at least had 1 exploit to control the system of the user in this way”, he commented.
Microsoft said it will look into the matter.
I personally would like to add that you use in-browser security (Avast Webshield, drop your rights, NoScript, DrWeb’s hyperlink pre-scanner plug-in, and McAfee’s SiteAdvisor) to make sure you do not land on exploit sites.
That is what I like there, admit the flaws immediately, and work towards a solution or try to do so at least. Can you understand now why I choose for the moment for Flock to be my browser of choice? But we should not overemphasize the situation, with planning a couple of well-schemed security measures you can limit the risks you run to a minimum. But it is not a bad policy to raise the general awareness to these issues, because I think the common user isn’t aware of anything or just simply does not care. “I want to have fun with my puter, not having to think about security” is the line of their thinking.
What is fuzzing?
Fuzzing is the process of taking some known good data, then mangling it at random to see how a given program responds to it. It’s a bit like the mad libs game many of us played when we were young. Sometimes the sentences would make sense, often they would not. A properly written application or library will take the bad data and deal with it as incorrect data. If there is a bug, it’s possible you will find it by fuzzing input, then observing how the program responds.
From personal experience, it will take many thousands of iterations in order to find a problem, and it’s likely that the problem you find won’t necessarily be a security issue. I like to compare this to sorting a deck of cards by throwing them up in the air. Eventually, the deck will get sorted, but it’s going to take a VERY long time before it does.
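The mangle-and-observe loop described above, as an added example that is not part of the original thread: the parser, its record format and the planted bug are hypothetical, built only to show the difference between input that is rejected as incorrect data and input that exposes a bug.

```python
import random

class ParseError(ValueError): pass  # malformed input recognised: the safe outcome
SEED = b"\x01\x05hello\x02\x01\x07"  # constructed known-good input: text "hello", level 7

def parse_records(data: bytes) -> list:  # hypothetical tag/length/payload parser
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ParseError("truncated header")
        tag, length = data[i], data[i + 1]
        payload = data[i + 2 : i + 2 + length]
        if len(payload) != length:
            raise ParseError("truncated payload")
        if tag == 0x01:
            records.append(("text", payload.decode("ascii", "replace")))
        elif tag == 0x02:
            records.append(("level", payload[0]))  # planted bug: length 0 unchecked
        else:
            raise ParseError("unknown tag")
        i += 2 + length
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:  # 1-3 random flips/inserts/deletes
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op, pos = rng.choice(("flip", "insert", "delete")), rng.randrange(len(buf) + 1)
        if op == "insert" or pos == len(buf):
            buf.insert(pos, rng.randrange(256))
        elif op == "flip":
            buf[pos] ^= 1 << rng.randrange(8)
        else:
            del buf[pos]
    return bytes(buf)

def fuzz(seed: bytes, iterations: int = 10000, rng_seed: int = 1):
    rng, crashers = random.Random(rng_seed), []
    outcome = {"accepted": 0, "rejected": 0, "crashed": 0}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parse_records(sample)
            outcome["accepted"] += 1
        except ParseError:
            outcome["rejected"] += 1
        except Exception as exc:  # anything else is a bug worth triaging
            outcome["crashed"] += 1
            crashers.append((sample, type(exc).__name__))
    return outcome, crashers
```

Calling `fuzz(SEED)` returns the outcome counts and the saved crashing inputs; the fixed `rng_seed` makes a run repeatable, so each crasher can be replayed against `parse_records` while fixing the bug.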
You will get to the holes within the hour. There is another box with a possibility to check, and to go one by one, another thing is to test this through the Tamper Data add-on, but I think that is not there for Opera, look here: http://tamperdata.mozdev.org/. I use that for security testing, that was what it was built to do. In that way you can go there request after request (text, image, etc), and analyze these. You even can see what data is comprised and how they translate. Also nice is to use PEriscope by Anne Vidstrom, or best to let run TDIMon under it. You see per object and process what your Opera 9 is doing.
The metasploit test has been running now for a little more than an hour and Opera 9 has not frozen once. No warning messages nor errors so far. I’ll let the test run about 30 mins more.
I have a much lower patience threshold and gave up after a few minutes of what appeared to be inactivity. It would be nice if there was something to give an indication something was happening.
However as it states “Mozilla Firefox 1.5.0.1 has passed all CSSDIE tests without crashing :-)” I was curious as I’m running the latest update 1.5.0.2.
Tried again and gave up again after 10 minutes zero activity on firewall logs.
The name of the game is does the browser stand, freeze or crash?
CharleyO gave proof Opera is stable, if it stands after all this testing. Congrats. With Flock I had a little hiccup on a java nonparser thingie, so it is actually worthwhile testing browsers, the testing is done peddling through two objects with alternating requests. I can show it in the TDI Monitor logs.
The testing is not going out anywhere, so it has nothing to do with inter-connectivity, firewall has nothing to do, it is data fuzzing on the browser software. Like to hear what browsers actually will bite the dust here?
Ok, it has now been at least 1-1/2 hours of testing without freezing once. So, I have aborted the test as it was still running without receiving even one warning or error. Remember, this is Opera 9 Beta that I was testing. I guess it passes the test.
I use FireFox and like the idea of these automatic updates as you always know you have the latest version - whereas Internet Explorer you either check yourself or wait until Windows update checks.
It would be interesting to do these tests on the latest FireFox 1.5.0.2 in comparison to Internet Explorer. So I’ll do this tomorrow maybe when I have time.
After 2 hours 15 minutes of testing Firefox 1.5.0.2 I decided to stop the test because the high CPU usage was causing the computer to get quite hot.
Firefox did not crash once and continued to work as normal.
Seeing as we already know Internet Explorer crashes I thought I wouldn’t do the test if we already know what’s going to happen. It would also be interesting if Microsoft were to do this test themselves and in the next update there are over 100 security fixes for Internet Explorer ;D
Just wondering, CharleyO, what do you think of IE7 Beta - are there any problems with it or is it limited in functionality, as I was thinking of downloading it to use alongside Firefox.
IE7 Beta2 is surely an improvement over IE6. Tabs, anti-phishing, pop-up blocker, and other items work well.
I decided to try this test on IE7 Beta2 and it crashed after about 40 mins. I noticed a strange thing that occurred with this test that did not happen when testing Opera 9 Beta. Not only did IE7 become slow, unstable, and crash but it also caused Web Shield to max out my CPU … a first time for this computer.
The final release of IE7 may be better at this test … but with Opera 9 Beta, there was no crash and almost no CPU usage.
I ran this test yesterday for about 2-3 hrs using GreenBrowser.
My default browser is IE 7 (latest beta version).
I finally stopped the test because there was no process indication except for the fact that in the status bar I continued to see activity.
I also monitored avast!'s webshield activity.
My browser never wavered. I simply had other things to do.
You can draw your own conclusions because I’m still trying to figure out exactly what this test was supposed to prove. ;D
Bob, I believe the tests were to see if your browser crashes or not. If it does it is unstable and poorly built.
Also, it is to find security vulnerabilities in the browser.