Open Source and information security mailing list archives
Message-ID: <448e9a320910011348t384f2798ua6130258640dd329@mail.gmail.com>
Date: Thu, 1 Oct 2009 13:48:26 -0700
From: Michal Zalewski <lcamtuf@...edump.cx>
To: Freddie Vicious <fred.vicious@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Exploiting memory corruption vulnerabilities on Internet Explorer 8

> Along with other security features
> (http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
> this basically means that IE8 is the most secure web browser nowadays?

If memory serves me right, it's been a while since we've witnessed
successful, large-scale exploitation of memory corruption flaws in any
browser, and it's probably not the most common exploitable security
lapse these days.

This is partly because many of the modern defenses - such as DEP/NX,
ASLR, canaries, lower privileges / sandboxing - are becoming more
prevalent across all browsers and operating systems; partly because
browsers seem to be doing a lot of in-house fuzzing (for MSIE, Firefox,
and Chrome, this is probably pretty evident); and last but not least,
in part because of the changing landscape for security disclosure:
researchers are heavily incentivized to sell vulnerabilities instead
(keeping the public as such generally safe, but probably greatly
increasing exposure windows for targeted attacks).

In the browser world, many other problems can have profound security
consequences, however; browser chrome privilege escalations, zone
fenceposts, even universal XSSes (made more serious by the fact more
and more of our sensitive data is handled by web applications), and
other design errors that allow much simpler paths of privilege
escalation (sometimes including system compromise) are taking the
center stage, particularly for malware distribution and other
large-scale attacks. In this department, most vendors have several
skeletons in the closet (Microsoft with content sniffing and zone
model complexity, Firefox and some other browsers with privileged
JavaScript used to implement extensions and UIs, etc).

Anyhow - in the end, I would be tempted to say that the differences
between browsers are much less pronounced than the media feels
compelled to say; but this new fierce competition between vendors is
exceptional, highly notable, and very beneficial for the industry in
the long run. For example, were it not for Firefox's claims of superior
security and the ensuing market adoption, we would probably not see a
sudden push for security features in MSIE8; and were it not for
Microsoft's response, Mozilla folks would likely not feel compelled to
keep up their in-house fuzzing efforts and security improvements in
FF3 and 3.5. Then add Chrome to the mix, and it gets even more
interesting...

/mz

PS. As for malware filtering - also, not a feature unique to any
particular browser these days - I do not quite see the relevance to
this discussion. Anti-malware checks improve the safety of casual
browsing for the general public - and hence have a positive effect for the
health of the Internet as a whole - but they do not render any
particular browser less likely to have exploitable vulnerabilities.
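As an added illustration, not part of Michal's message or of any browser's code, the following C program models one of the defenses he lists, stack canaries (cookies), and the reason they made linear stack overflows much harder to turn into a reliable return-address hijack. The frame layout, the canary value, the "saved return" constant and the helper names (vulnerable_copy, build_payload, demo_*) are all assumptions made for the demo; the frame is modelled in a heap byte array so the overwrite is done with memcpy on plain bytes and the program stays well-defined C rather than relying on a real compiler's stack layout.

```c
/* Added example, not from the original post: a user-level model of a
 * compiler-inserted stack canary. The simulated frame is laid out
 * [buffer][canary][saved return], lowest address first, as on x86. A
 * linear overflow that runs off the end of the buffer must cross the
 * canary before it reaches the saved return address, so checking the
 * canary before "returning" catches the overwrite. The third case shows
 * the limit of the defense: an attacker who has leaked the canary value
 * (e.g. via an info-leak bug) writes it back in place and gets through. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16

/* Simulated frame; all values are demo assumptions, not real addresses. */
struct frame {
    char     buf[BUF_SIZE];
    uint32_t canary;     /* random per-process cookie in a real build */
    uint32_t saved_ret;  /* stands in for the saved return address */
};

enum { RET_INTACT = 0, RET_CANARY_TRIPPED = 1, RET_HIJACKED = 2 };

/* Terminator-style canary: contains NUL, LF and 0xff, so a strcpy- or
 * gets-based overflow cannot reproduce it even if the attacker knows it.
 * memcpy-based overflows (as below) are not stopped by that trick. */
static const uint32_t CANARY    = 0x0a00ff80u;
static const uint32_t LEGIT_RET = 0x00401000u;

/* Copies `len` attacker-controlled bytes into a fixed buffer with no bounds
 * check (the bug), then performs the canary check a compiler would emit
 * before the function returns (the mitigation). Returns which state the
 * frame ended up in. */
int vulnerable_copy(const unsigned char *input, size_t len) {
    unsigned char *mem = malloc(sizeof(struct frame));
    if (!mem) return -1;
    struct frame *f = (struct frame *)mem;
    f->canary = CANARY;
    f->saved_ret = LEGIT_RET;

    /* The bug: len is never compared against BUF_SIZE. The clamp only keeps
     * the demo inside the allocated object; it is not a fix. */
    if (len > sizeof(struct frame)) len = sizeof(struct frame);
    memcpy(mem + offsetof(struct frame, buf), input, len);

    int result;
    if (f->canary != CANARY)            /* checked first, like __stack_chk_fail */
        result = RET_CANARY_TRIPPED;
    else if (f->saved_ret != LEGIT_RET)
        result = RET_HIJACKED;
    else
        result = RET_INTACT;
    free(mem);
    return result;
}

/* Builds a classic linear payload: fill the buffer, then the 4 bytes that
 * land on the canary, then the 4 bytes that land on the saved return. */
size_t build_payload(unsigned char *out, uint32_t canary_guess, uint32_t new_ret) {
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &canary_guess, sizeof canary_guess);
    memcpy(out + BUF_SIZE + sizeof canary_guess, &new_ret, sizeof new_ret);
    return BUF_SIZE + sizeof canary_guess + sizeof new_ret;
}

/* Well-behaved input that fits in the buffer. */
int demo_benign(void) {
    return vulnerable_copy((const unsigned char *)"hello", 5);
}

/* Attacker without knowledge of the canary: the overwrite is detected. */
int demo_blind_overflow(void) {
    unsigned char p[sizeof(struct frame)];
    size_t n = build_payload(p, 0x41414141u, 0xdeadbeefu);
    return vulnerable_copy(p, n);
}

/* Attacker who leaked the canary writes it back; the return is hijacked. */
int demo_leaked_canary(void) {
    unsigned char p[sizeof(struct frame)];
    size_t n = build_payload(p, CANARY, 0xdeadbeefu);
    return vulnerable_copy(p, n);
}

int main(void) {
    printf("benign input:          %d (0 = intact)\n", demo_benign());
    printf("blind overflow:        %d (1 = canary tripped)\n", demo_blind_overflow());
    printf("overflow, leaked cookie: %d (2 = return hijacked)\n", demo_leaked_canary());
    return 0;
}
```

The point the three cases make is the one in the message: the canary turns a bare linear overflow from a code-execution primitive into a crash, but it is only a speed bump once a second bug (an information leak, or a write that lands beyond the canary without crossing it) is available, which is part of why browser exploitation shifted toward chaining several weaker bugs rather than one overflow.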

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/