News Stay informed about the latest enterprise technology news and product updates.

Metasploit creator promises browser flaws galore

This week in Security Blog Log: A researcher vows to expose a new browser flaw every day this month. Meanwhile, McAfee's blog marks a mournful malware milestone.

Security Blog Log
Looking for a blog that outlines the latest security holes in the most popular Web browsers? If so, Metasploit Framework creator H.D. Moore has just the thing: a new vulnerability listing site called the Browser Fun blog.

Moore -- whose Metasploit Framework is used for penetration testing, IDS signature development and exploit research -- has declared July the "Month of Browser Bugs." In a message posted to the official Metasploit blog, he promised new browser-flaw details each day this month.

"The vendors have been notified and the time has come to start publishing the results," Moore said. "This information is being published to create awareness about the types of bugs that plague modern browsers and to demonstrate the techniques I used to discover them."

In the Browser Fun blog, Moore is quick to point out that the details will be displayed with care. "The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution," he said.

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at

Recent articles:
Would Blue Pill create a matrix for PCs?

Microsoft and the peril of predatory pricing

Doing good with exploit code

Here's what was posted as of Thursday morning:

  • July 2: Three Internet Explorer flaws.

  • July 3: One flaw in Mozilla Firefox running on Gentoo Linux, which was fixed in Firefox

  • July 4: One flaw in Safari, tested on a fully patched Mac OS X machine.

  • July 5: One flaw in Internet Explorer, tested on a fully patched Windows XP SP2 machine.

    Reaction so far seems to be that of detached amusement, sprinkled with some hope that vendors will put the intelligence to good use.

    "It is interesting to see how horribly buggy browsers can be," computer security specialist Dominic White wrote in his blog. "I am most interested in seeing which browser gets broken the most and if we can take any defense-in-depth lessons from this."

    Hopefully, he said, vendors will take all the details and release one patch for all of the bugs affecting their browser, "because nobody has the resources to run about patching user's browsers several times a month."

    Taking a swipe at Microsoft, one respondent to Moore's posting on the Metasploit blog wrote, "Why not release one bug on the second Tuesday of each month? Then the bugs would last at least two and a half years."

    To that Moore responded, "We could probably release one a day for the next two and a half years without running out of bugs."

    McAfee laments a malware milestone
    Santa Clara, Calif.-based antivirus vendor McAfee Inc. used its Avert Labs blog this week to mark a grim milestone: the 200,000th entry into its VirusScan malware detection database.

    Since it took 18 years to log the first 100,000 pieces of malware in the database, McAfee said it's alarming that it took barely two years to double the number.

    "Looking ahead, our researchers expect yet another doubling in a similar timeframe," McAfee's Jimmy Kuo wrote. "So, 100,000 new threats in the past two years, 200,000 new threats to come in the next two years!"

    Kuo noted that the last two years marked a significant spike in downloaders and bots: malware designed to sit silently on machines and extract information that could be used for financial gain.

    "In early 2004, a number of viruses like Netsky, Bagle, and Mydoom would infect multiple millions of machines with each release of a new variant," he said.

    But over time, malware distribution has changed dramatically. "In the first half of 2004, 31 virus outbreaks were rated medium and above. The second half of 2004 saw 17 more. That number fell to 12 for the whole of 2005. And in 2006, there have been no outbreaks of similar severity!"

    Instead of huge virus events, he said, "the preferred method of malware distribution now involves the creation of many minor variants sent through controlled spam efforts. Good family detection becomes crucial for a less worrisome experience on the Internet."

  • Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.