Browser Based Vulnerabilities: "Month of Browser Bugs" (MoBB)
- Date: July 5, 2006
The developers of the Metasploit project have announced that they will release one vulnerability per day in popular web browsers during the month of July as part of a "Month of Browser Bugs (MoBB)" initiative.
Multiple web browsers are affected, including the latest versions of Internet Explorer, Firefox, and Safari, and potentially other web browsers.
If a vulnerability is used to compromise a web browser, there could be significant impact to the end user, including loss of personal information. Successful exploitation of a remote code execution vulnerability can give an attacker complete access to the system, which can lead to a larger network compromise, loss of sensitive materials, and other adverse impacts to business operations. These types of vulnerabilities are widely used by phishers and malicious software ("malware") developers to surreptitiously install spyware or bypass security measures.
Detailed Research Analysis
These browser-based vulnerabilities are being discovered using a technique known as fuzzing, which involves developing pseudo-random permutations of input. Although fuzzing is not a new technique for discovering vulnerabilities, its application to web browsers is relatively new. The "Month of Browser Bugs (MoBB)" initiative has amassed a large number of vulnerabilities in many popular web browsers through purpose-built web browser fuzzing tools. The developers have pledged to release one vulnerability per day for the month of July. In addition, they have made the tools used to find these vulnerabilities available for anyone to use.
Although there have been no specific incidents of the discovered vulnerabilities being used in malware at this time, SecureWorks Research is working to proactively monitor and develop countermeasures for new vulnerabilities and exploits as details become available. SecureWorks will be actively monitoring for exploitation of these vulnerabilities and will update this alert as more information becomes available.
Additionally, vendor notifications have taken place. While vendor responses are pending, no specific browser patches have been made available at the time of publication.
Good security practices should be observed, including timely patch management as soon as remediation information is made available by your browser developer/vendor.