Moore -- whose Metasploit Framework is used for penetration testing, IDS signature development and exploit research -- has declared July the "Month of Browser Bugs." In a message posted to the official Metasploit blog, he promised new browser-flaw details each day this month.
"The vendors have been notified and the time has come to start publishing the results," Moore said. "This information is being published to create awareness about the types of bugs that plague modern browsers and to demonstrate the techniques I used to discover them."
In the Browser Fun blog, Moore is quick to point out that the details will be displayed with care. "The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution," he said.
Reaction so far seems to be that of detached amusement, sprinkled with some hope that vendors will put the intelligence to good use.
"It is interesting to see how horribly buggy browsers can be," computer security specialist Dominic White wrote in his blog. "I am most interested in seeing which browser gets broken the most and if we can take any defense-in-depth lessons from this."
Hopefully, he said, vendors will take all the details and release one patch for all of the bugs affecting their browser, "because nobody has the resources to run about patching user's browsers several times a month."
Taking a swipe at Microsoft, one respondent to Moore's posting on the Metasploit blog wrote, "Why not release one bug on the second Tuesday of each month? Then the bugs would last at least two and a half years."
To that Moore responded, "We could probably release one a day for the next two and a half years without running out of bugs."
McAfee laments a malware milestone
Santa Clara, Calif.-based antivirus vendor McAfee Inc. used its Avert Labs blog this week to mark a grim milestone: the 200,000th entry into its VirusScan malware detection database.
Since it took 18 years to log the first 100,000 pieces of malware in the database, McAfee said it's alarming that it took barely two years to double the number.
"Looking ahead, our researchers expect yet another doubling in a similar timeframe," McAfee's Jimmy Kuo wrote. "So, 100,000 new threats in the past two years, 200,000 new threats to come in the next two years!"
Kuo noted that the last two years marked a significant spike in downloaders and bots: malware designed to sit silently on machines and extract information that could be used for financial gain.
"In early 2004, a number of viruses like Netsky, Bagle, and Mydoom would infect multiple millions of machines with each release of a new variant," he said.
But over time, malware distribution has changed dramatically. "In the first half of 2004, 31 virus outbreaks were rated medium and above. The second half of 2004 saw 17 more. That number fell to 12 for the whole of 2005. And in 2006, there have been no outbreaks of similar severity!"
Instead of huge virus events, he said, "the preferred method of malware distribution now involves the creation of many minor variants sent through controlled spam efforts. Good family detection becomes crucial for a less worrisome experience on the Internet."