Daily flaws ratchet up debate

HD Moore is used to polarising the vulnerability-research community.

As the creator of the Metasploit Project, an open-source tool for automating the exploitation of vulnerabilities, Moore has had his share of contentious debates with other security professionals.

However, his latest endeavour - releasing a browser bug every day during the month of July - has raised hackles on both sides of the security equation, among the black-hat as well as white-hat researchers.

After the first week of flaws were released, one online miscreant from Russia shot off an email to Moore, complaining that he had outed a vulnerability the Russian had been exploiting, Moore said.

"The black hats don't like that the fact that this is public because they have been using these bugs," Moore said. "By dumping out the bugs on the community, I'm clearing the air and letting the good guys know what others are doing."

Yet, the release did not seem so altruistic to Microsoft, whose Internet Explorer browser suffers from the lion's share of the bugs found by Moore. The software giant indirectly criticised the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers.

"Microsoft continues to encourage responsible disclosure of vulnerabilities," the software giant said in a statement sent to SecurityFocus. "We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests."

The software giant stressed that many of the flaws merely crashed the Internet Explorer browser, while the more serious vulnerabilities were fixed in the recent MS06-021 security update.

Other browsers had fewer flaws, Moore said. He discovered some issues with Mozilla's Firefox, but the group fixed them quickly, he said. Opera's browser, at least the most recent version, stood up quite well.

"Opera 8.5 fell apart 10 different ways, but 9.0 looks pretty solid," he said.

While Microsoft and other software makers have improved their relationships with many flaw finders, other researchers have ratcheted up the pressure on the companies to fix the vulnerabilities in their systems. After finding a flaw in the online-application website of the University of Southern California, security professional Eric McCarty decided to go public with the issue to put pressure on the university and is now being prosecuted for breaching the site's security. Another researcher, David Litchfield, released descriptions of Oracle flaws, after the database maker failed to patch the issues immediately.

In the most recent case, Moore had first warned software makers of the threat posed by potential attackers using the tools, known as fuzzers. Because response to the warning seemed slow, he decided to publicly release many of the bugs, one each day in July.

The avalanche of browser flaws underscores the problems for software vendors as fuzzers become more popular. The flaw-finding programs systematically change the data sent to an application to see how the software reacts.

In many cases, bad data can cause an application to crash; other times, the application's response to the mangled data reveals underlying security flaws. HD Moore used five different fuzzers - all but one of which is publicly available - to find hundreds of vulnerabilities in the major browsers, he said.

"People now have a feeling about how things stand," Moore said. "There will be five or six tools that they can run and find out what flaws potentially could be exploited."