A Month of Browser Bugs
To kick off his new Browser Fun blog, H.D. Moore began with “A Month of Browser Bugs”:
This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution. Enjoy!
Thirty-one days, and thirty-one hacks later, the blog lists exploits against all the major browsers:
- Internet Explorer: 25
- Mozilla: 2
- Safari: 2
- Opera: 1
- Konqueror: 1
My guess is that he could have gone on for another month without any problem, and possibly could produce a new browser bug a day indefinitely.
The moral here isn’t that IE is less secure than the other browsers, although I certainly believe that. The moral is that coding standards are so bad that security flaws are this common.
Eric Rescorla argues that it’s a waste of time to find and fix new security holes, because so many of them still remain and the software’s security isn’t improved. I think he has a point. (Note: this is not to say that it’s a waste of time to fix the security holes found and publicly exploited by the bad guys. The question Eric tries to answer is whether or not it is worth it for the security community to find new security holes.)
Another commentary is here.