A security hacker who doesn’t play well with Microsoft has decided to up the ante.
So far this month, HD Moore has released a new chunk of browser-attack code every day. And he promises to continue releasing browser exploits through the rest of July. Moore calls it his Month of Browser Bugs Project.
He breaks the browsers with fuzzing utilities that feed them pseudo-random streams of malformed HTML, CSS and script until something fails. You can test your own browser on-line:
- CSSDIE pumps out bad style values for Cascading Style Sheets to bring down browsers adhering to CSS1, CSS2, or CSS3.
- DOM-Hanoi adds and removes DOM elements to trip up DHTML.
- Hamachi sends illegal values for method arguments and property values, hoping to trigger DHTML eruptions.
- MangleMe is a downloadable browser testing script, about which Michal Zalewski writes, “This started off as a really silly idea: code a trivial program to generate tiny, razor-sharp shards of broken HTML, and repeatedly feed it to various web browsers. I expected them to exhibit some security problems handling it - but I did not expect such a disaster - no browser survived unscratched.”
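To show what these utilities actually do, here is a small fuzz-case generator in the same spirit. It is an added illustration, not code from CSSDIE, DOM-Hanoi, Hamachi, MangleMe or HD Moore; the tag, CSS property, boundary-value and method lists, and the default case sizes, are my own assumptions. It runs under Node.js without a DOM and emits complete HTML pages; the browser under test is what loads them.

```javascript
'use strict';

// Deterministic PRNG (mulberry32) so any case that crashes a browser can be
// regenerated from its seed instead of having to be saved.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function pick(rng, list) { return list[Math.floor(rng() * list.length)]; }

// Assumed boundary lists (mine, not the tools'): values parsers frequently
// mishandle -- negative, huge, empty, wrong-typed, very long.
const CSS_PROPS = ['width', 'height', 'margin', 'padding', 'z-index', 'font-size', 'position', 'float', 'clip'];
const CSS_VALUES = ['-1px', '0', '', '99999999999px', '1e308em', '-2147483648', 'NaN', '%', 'rect(0,0,0,0)', 'x'.repeat(4096)];
const TAGS = ['div', 'table', 'tr', 'td', 'iframe', 'frameset', 'frame', 'object', 'img', 'a', 'form'];
const DOM_CALLS = ['setAttributeNode', 'appendChild', 'removeChild', 'insertBefore', 'replaceChild', 'cloneNode', 'focus'];
// JavaScript source fragments used as illegal arguments inside the generated script.
const JS_ARGS = ['null', 'undefined', '-1', '0x7fffffff', 'document', 'window', 'document.body', '"x".repeat(65536)', '{}'];

// CSSDIE-style: n declarations, each pairing a real property with an illegal value.
function cssCase(rng, n) {
  const decls = [];
  for (let i = 0; i < n; i++) decls.push(`${pick(rng, CSS_PROPS)}: ${pick(rng, CSS_VALUES)} !important`);
  return `<style>html, body, * { ${decls.join('; ')} }</style>`;
}

// DOM-Hanoi-style markup: `depth` nested tags with ids n0..n(depth-1), in
// combinations HTML never intended (for example a frameset inside a table cell).
function nestedMarkup(rng, depth) {
  let open = '', close = '';
  for (let i = 0; i < depth; i++) {
    const t = pick(rng, TAGS);
    open += `<${t} id="n${i}">`;
    close = `</${t}>` + close;
  }
  return open + 'payload' + close;
}

// DOM-Hanoi plus Hamachi style script: shuffle nodes out of and back into the
// tree, then call DOM methods on them with illegal arguments. Each call is
// wrapped in try/catch so a thrown exception does not end the case early;
// only a crash or hang of the browser counts as a finding.
function domScript(rng, depth, calls) {
  const lines = [
    '<script>',
    'var nodes = [];',
    `for (var i = 0; i < ${depth}; i++) nodes.push(document.getElementById("n" + i));`,
  ];
  for (let i = 0; i < calls; i++) {
    const idx = Math.floor(rng() * depth);
    const method = pick(rng, DOM_CALLS);
    const a = pick(rng, JS_ARGS), b = pick(rng, JS_ARGS);
    lines.push(`try { var n = nodes[${idx}]; if (n.parentNode) n.parentNode.removeChild(n); ` +
               `document.body.appendChild(n); n.${method}(${a}, ${b}); } catch (e) {}`);
  }
  lines.push('</script>');
  return lines.join('\n');
}

// One complete HTML test case for a given seed.
function generateCase(seed, opts) {
  const o = Object.assign({ cssDecls: 20, depth: 12, calls: 40 }, opts);
  const rng = mulberry32(seed);
  const html = [
    '<!DOCTYPE html><html><head><title>fuzz case ' + seed + '</title>',
    cssCase(rng, o.cssDecls),
    '</head><body>',
    nestedMarkup(rng, o.depth),
    domScript(rng, o.depth, o.calls),
    '</body></html>',
  ].join('\n');
  return { seed, html };
}

// A batch of cases from consecutive seeds, for writing to disk and loading
// one at a time in an iframe or through a browser driver.
function generateBatch(firstSeed, count, opts) {
  const out = [];
  for (let s = firstSeed; s < firstSeed + count; s++) out.push(generateCase(s, opts));
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  process.stdout.write(generateCase(1).html + '\n');
}
```

Run it and redirect the output to a file, open that file in the browser you want to test, and keep the seed of anything that crashes; because the generator is deterministic, the seed is the whole reproducer. The interesting step the page describes comes after this: sorting the crashes into harmless rendering failures and the few where a controlled value reaches a pointer or a buffer.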
Most of Moore’s fuzz-induced failures are irritating but fairly innocuous: they merely garble rendering or crash the browser. Moore has unearthed hundreds of these.
But a few bugs can allow a remote attacker to take over your system. These dangerous holes are the focus of Moore’s Month of Browser Bugs.
How many of these bad bugs has he found? Well… Since July has 31 days, and he’s releasing a month’s-worth… you do the math.
To date, he has published these bugs to the Open Source Vulnerability Database (OSVDB):
- Microsoft IE ADODB.Recordset COM Object Filter Property NULL Dereference
- Microsoft IE HTML Help COM Object Image Property Heap Overflow
- Microsoft IE OutlookExpress.AddressBook COM Object NULL Dereference
- Mozilla Firefox iframe.contentWindow.focus() Overflow
- Apple Safari DHTML setAttributeNode() NULL Dereference
- Microsoft IE DirectAnimation.StructuredGraphicsControl SourceURL NULL Dereference
- Microsoft IE Frameset inside Table NULL Dereference
Given this list, it’s easy to see why Microsoft doesn’t like him much. Nevertheless, Moore says Microsoft, Mozilla, Opera, Apple (Safari), et al. were warned in advance. It’s up to them to fix their software.
That doesn’t provide much comfort for harried network managers. Many of them wonder why any legitimate security researcher would release exploits before patches are available.
Moore responds that he just wants to create awareness of browser bugs and “demonstrate the techniques I used to discover them.”
His attitude is not far removed from that of holy father, creator of the well-known Hacker Defender rootkit. holy father wrote in Email Battles that his project and others:
…force security companies to care about the core of the problems, to develop better and better products. And after years, I see the results. The situation is better.
But there is still a lot of work to be done … This is why I will continue in my work to try to find ways to bypass their poor products until antivirus companies come with the real solution. And this is why a lot of my customers are security guys who offer penetration testing etc., not bad (or blackhat) guys.
Many have suggested that these are simply self-serving rationalizations by pyromaniacs who leave behind a legion of admins stomping out the fires they lit.
But grey hats and early-exploit-releasers say that the flaws were always there. If they could find the holes, black hats are already exploiting them.
Where’d I leave my stack of blue ribbons? These heroes deserve a good pinning.