Web browsers: twenty new vulnerabilities in twenty days
July is the Month of Browser Bugs (MoBB), declared Metasploit developer H.D. Moore, and he has shown that he has the goods to prove it. Since the beginning of July, Moore has published one browser hack per day, a total of 20 in web browsers so far. Seventeen of them are in Internet Explorer, the other three in Firefox, Safari and Konqueror, respectively.
While almost all of the seventeen vulnerabilities revealed up to now in Microsoft's browser can only be used in denial-of-service attacks, one of the latest revelations can potentially allow the infiltration of malicious code. The hole is based on an integer overflow and not null pointer dereferences like most of the others, but its exploitability remains unproven. The demo by H.D. Moore only causes Internet Explorer to crash. France's FrSIRT is nevertheless categorizing the glitch as critical. The flaw is located in the Common Controls library comctl32.dll and is provoked through specific calls of the function setSlice() for depicting WebViewFolderIcons.
No patches have yet been released for the flaws sketched by Moore in his blog "Browser Fun - Browser bugs, tricks, and hacks.". When he first started releasing details of these various vulnerabilities, Moore claimed that he had warned Microsoft about the flaws back in March. No such claim has been made for the more recent revelations. The Metasploit developer has of late frequently presented himself as an advocate of a full disclosure policy, and as such, he was one of the first to develop a functional exploit of the WMF hole. Similarly, his exploit of the only recently closed RRAS vulnerability earned him little love from Microsoft.
- Browser Fun - bugs, tricks, and hacks, IE error reports from H.D. Moore
- A Heap of Risk - Buffer overflows on the heap and how they are exploited, background article at heise Security
- Metasploit - Exploits for All, background article at heise Security