, SecurityFocus 2006-04-12
Vancouver, CANADA--Last month, security researcher HD Moore decided to write a simple program that would mangle the code found in Web pages and gauge the effect such data would have on the major browsers. The result: hundreds of crashes and the discovery of several dozen flaws.
The technique--called packet, or data, fuzzing--is frequently used to find flaws in network applications. Moore and others are now turning the tool on browsers to startling results. In a few weeks, the researcher had found hundreds of ways to crash Internet Explorer and, to a lesser extent, other browsers. In another example, it took less than an hour at the CanSecWest Conference last week for Moore and information-systems student Matthew Murphy to hack together a simple program to test a browser's handling of cascading style sheets (CSS), finding another dozen or so ways to crash browsers.
"Fuzzing is probably the easiest way to find flaws, because you don't have to figure out how the application is dealing with input," said Moore, a well-known hacker and the co-founder of the Metasploit Project. "It lets me be a lazy vulnerability researcher."
Tracing the root causes of the crashes has resulted in the discovery of more than 50 flaws in Internet Explorer, a handful of which could be used to gain control of a Web site visitor's Windows system, Moore said. Other browsers had far fewer flaws, but each one had at least one remotely exploitable vulnerability that could be used to exploit users' systems, Moore said.
Microsoft stressed that the issues are still under investigation.
"Microsoft's initial investigation of HD Moore's findings determined that these are stability issues and not security vulnerabilities," a spokesperson for the software giant said Wednesday. "Microsoft will, of course, continue to work closely with HD to further investigate these findings and address these issues as appropriate for our customers."
The effectiveness of fuzzing at defining quality and security issues is nothing new.
Data fuzzing, or mangling, has been used often by security and quality-control engineers to test network devices. In 2002, the University of Oulu's Secure Programming Group (OUSPG) used the techniques to find a slew of flaws in the implementation of a basic communication protocol known as Abstract Syntax Notation One, or ASN.1, on which Internet protocols are based. The next year, the university used the same technique to find issues in a protocol used for Internet telephony.
Targeting browsers and other client-side applications using data fuzzing, or mangling, has become another tool on the belt of security engineers. As finding and exploiting server flaws has become more difficult, some researchers are turning to client-side applications, focusing mainly on Web browsers and desktop security software to date.
"Why go after the server where the safeguards are, when all this identity and data can be gotten from the client," said Timothy Keanini, chief technology officer for nCircle Network Security.
The most significant flaws discovered this year have been flaws that affected Microsoft's browser, Internet Explorer. A vulnerability in how Windows processes the Windows Meta File (WMF) format resulted in Microsoft fixing that issue in early January, ahead of schedule. On Tuesday, Microsoft issued a patch to close a critical vulnerability in Internet Explorer that had threatened users with compromise if they visited any of a few hundred malicious Web sites.