The Month of The Browser Bugs Begins

Hardly a week goes by without another browser vulnerability being
reported. One security researcher is going to take it a step further this
month and by releasing a new vulnerability every day.

So far he’s living up to his promise.

H.D Moore is the co-author of the Metasploit Framework, an open source licensed platform for both the
development and testing of exploit code.

Exploits for various Microsoft
Internet Explorer browser flaws have been in the Metasploit in the past,
including a particularly nasty, late-2005 zero-day Windows Metafile outbreak.

Moore claims in a recent blog post that he has notified the vendors.

Both Moore and Microsoft were unavailable for comment by press time.

Moore has designated July as the time for his
Month of Browser Bugs (MoBB) project in which a new vulnerability will be
published every day.

“This information is being published to create awareness about the types of
bugs that plague modern browsers and to demonstrate the techniques I used to
discover them,” Moore wrote on his blog.

It is unclear how many of the vulnerabilities this month will be critical, but if early reports are any indication, it could be a lot.

Security firm Secunia has rated Moore’s July 2 MoBB vulnerability, titled “MoBB #2: Internet.HHCtrl Image Property,” as being “highly critical.”

The
alleged vulnerability could allow for arbitrary code execution and it
triggered by a flaw in how the hhctrl.ocx HTML Help ActiveX control deals
with the image property.

Moore claims that he reported this particular bug
to Microsoft on March 6, 2006. It currently remains unpatched.

IE isn’t Moore’s only target. Mozilla Firefox and Apple Safari
have alleged flaws, as well.

MoBB vulnerability No. 5, titled “DHTML setAttributeNode(),” discusses
a bug that affects Apple Safari 2.0.4 running on a fully patched Mac OX X 10.4.7. The bug can allegedly trigger a browser crash.

For both MoBB No. 2 and No. 5, there is currently no known vendor
patch.

Not all of the MoBB vulnerabilities are without patches though.
MoBB No. 4, titled “Mozilla Firefox DesignMode,” is a bug that
affected Mozilla Firefox 1.5.0.2 but was fixed in the 1.5.0.3 release.

Though the Metasploit Framework could potentially be used as a tool for
remote exploitation, the idea behind the MoBB is not to necessarily provide
new instantly exploitable exploits to hackers.

“The hacks we publish are carefully chosen to demonstrate a concept without
disclosing a direct path to remote code execution,” Moore wrote.