| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Oct 2009 13:48:26 -0700 From: Michal Zalewski <lcamtuf@...edump.cx> To: Freddie Vicious <fred.vicious@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Exploiting memory corruption vulnerabilities on Internet Explorer 8 > Along with other security features > (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx) > this basicly means that IE8 is the most secure web browser nowadays? If memory serves me right, it's been a while since we've witnessed successful, large-scale exploitation of memory corruption flaws in any browser, and it's probably not the most common exploitable security lapse these days. This is partly because many of the modern defenses - such as DEP/NX, ASLR, canaries, lower privileges / sandboxing - are becoming more prevalent across all browsers and operating systems; partly because browser seem to be doing a lot of in-house fuzzing (for MSIE, Firefox, and Chrome, this is probably pretty evident); and last but not least, in part because of the changing landscape for security disclosure: researchers are heavily incentivized to sell vulnerabilities instead (keeping the public as such generally safe, but probably greatly increasing exposure windows for targeted attacks). In the browser world, many other problems can have profound security consequences, however; browser chrome privilege escalations, zone fenceposts, even universal XSSes (made more serious by the fact more and more of our sensitive data is handled by web applications), and other design errors that allow much simpler paths of privilege escalation (sometimes including system compromise) are taking the center stage, particularly for malware distribution and other large-scale attacks. In this department, most vendors have several skeletons in the closet (Microsoft with content sniffing and zone model complexity, Firefox and some other browsers with privileged JavaScript used to implement extensions and UIs, etc). Anyhow - in the end, I would be tempted to say that the differences between browsers are much less pronounced that the media feels compelled to say; but this new fierce competition between vendors is exceptional, highly notable, and very beneficial for the industry in the long run. For example, weren't it for Firefox claims of superior security and the ensuing market adoption, we would probably not see a sudden push for security features in MSIE8; and weren't it for Microsoft's response, Mozilla folks would likely not feel compelled to keep up their in-house fuzzing efforts and security improvements in FF3 and 3.5. Then add Chrome to the mix, and it gets even more interesting... /mz PS. As for malware filtering - also, not a feature unique to any particular browser these days - I do not quite see the relevance to this discussion. Anti-malware checks improve the safety of casual browsing for general public - and hence has a positive effect for the health of the Internet as a whole - but they do not render any particular browser less likely to have exploitable vulnerabilities. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists