July 5, 2006 5:15 PM PDT

Security expert dubs July the 'month of browser bugs'

Each day this month, a prominent security expert will highlight a new vulnerability found in one of the major Internet browsers.

HD Moore, the creator of Metasploit Framework, a tool that helps test whether a system is safe from intrusion, has dubbed July the Month of Browser Bugs. Already, the security researcher has featured five security flaws, three for Microsoft's Internet Explorer and one apiece for Mozilla's Firefox and Apple Computer's Safari.

Moore noted that one of the IE bugs appeared to have been recently patched.

"This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure," Moore said on his blog. "The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution."

Browser security holes are nothing new, but Moore's repository of flaws shines a light on the problem.

Moore says on his site that he reported two of the IE bugs to Microsoft last March. Microsoft acknowledged that it had been in contact with Moore but downplayed the seriousness of the flaws Moore is publicizing.

"(Microsoft's) investigation has revealed that most issues relating to Internet Explorer in particular will result in the browser closing unexpectedly," the company said in an e-mail statement.

Moore doesn't indicate how many of his published vulnerabilities are critical, but security company Secunia has rated one of the flaws, which Moore calls Internet.HHCtrl Image Property, as highly critical.


8 comments

IE
It's obviously true that no browser is perfect, but I think you're always best off using the less popular browsers. Microsoft can barely keep up releasing all these patches to cover up the flaws because of IE's default popularity. I often check my web site's statistics to find that 80% of the visitors are IE users; I bet if Opera or Firefox became super popular it would suddenly become a dangerously "insecure" browser much like IE now. So in my opinion the real reason why Opera and Firefox are a better choice for an average user isn't because of security policies or other security features, but because they aren't targeted as much by people that wish to do damage; to affect the most amount of users possible it just makes sense to target IE.
__________________________________
R.K.
http://www.Remove-All-Spyware.com/
Posted by Roman12 (214 comments )
IE's problem isn't its popularity...
...most of its security-related problems devolve to the browser's use of ActiveX, which seems to be the component that most aggressively attracts malware. MSFT can *update, improve, assign a new higher level product number* etc. all they want to IE, but until ActiveX becomes an optional component and not part of the Windows bundle, IE will remain as holey as Swiss cheese. I assure you that Redmond knows this better than we do, and I doubt they'll remove ActiveX in the foreseeable future.
Posted by i_made_this (302 comments )
Not really
Look at the list of flaws in IE again; while there are some involving ActiveX, the majority of them are *not* related to ActiveX. ActiveX is a problem in and of itself simply because MS made it capable of accomplishing so very much. That's the real key to all of the vulnerabilities in IE: back in the browser wars MS was continually packing more functionality into IE in order to make their browser more attractive to developers; unfortunately security wasn't a high priority and often got short shrift.
Posted by aabcdefghij987654321 (1721 comments )
News.com (hearts) security company PR.
One more regurgitated press release. Please.
Posted by M C (598 comments )