Researcher vows to publish a browser bug a day for July

The creator of a widely used hacking tool has promised to publish details on one browser vulnerability per day for the month of July.

HD Moore, the hacker behind the Metasploit toolkit, began publishing software that demonstrates bugs in a variety of Web browsers on July 1. He has dubbed his effort the Month of Browser Bugs.

Moore said he decided to do the month of bugs in order to show the kinds of results he's generated using a variety of automated security testing tools known as "fuzzers."

"This information is being published to create awareness about the types of bugs that plague modern browsers and to demonstrate the techniques I used to discover them," Moore said in a Sunday blog posting. 

The Month of Browser Bugs code does not include details that would allow attackers to run unauthorized code on a victim's machine, Moore said.

To date, the security researcher has published information on bugs he found in Internet Explorer, Firefox, and Apple Computer Inc.'s Safari browser.

Microsoft has had an advance look at the bugs, and some of them can cause the browser to crash, said Stephen Toulouse, security program manager with Microsoft's security response center. Others have been fixed in previous security updates, he said.

Some of the bugs were fixed in Microsoft's recent MS06-021 security update, Moore said in an e-mail interview, however "the actual details of these bugs have not been made public," he said.

The relationship between Microsoft and Moore -- a speaker at Microsoft's home-grown Blue Hat hacker conference -- has been strained of late. Two weeks ago, the security researcher blasted Microsoft for implying that he had been irresponsible in his disclosure of another Microsoft flaw -- this one concerning a recently patched vulnerability in the Remote Access Connection Manager (RASMAN) service used by Windows to create network connections over the telephone.

Moore published his code nine days after the bug was patched, but Microsoft criticized the disclosure, saying it came too soon.

This criticism did not sit well with Moore. "Microsoft is doing themselves a disservice by asking for vulnerability information on one hand and then condemning the folks who provide it with the other," he said in a blog posting, adding that the software vendor "obviously has some communication issues to resolve."

Thirty-one new browser bugs will certainly get Moore some attention, but the disclosures are not going to suddenly make the Web less safe for people who "practice reasonably safe surfing" and avoid suspicious Web sites, said Russ Cooper, a senior information security analyst at Cybertrust Inc.

"Saying we are at risk due to browser vulnerabilities is akin to saying we are at risk due to being in a car," he said via instant message. "Yes, this is true... but you can certainly reduce the risk of harm while in a car through reasonable knowledge, use, and maintenance. The same is true with browsers."