H.D. Moore, he of Metasploit toolkit fame, has vowed to publish details of one browser vulnerability every day during July. Already he has been true to his word with exploit information relating to Internet Explorer, Firefox and Safari, but nothing that would help any would-be attacker run unauthorized code on an unsuspecting victim’s computer.
Although officially Moore claims it is to publicize the inherent dangers of browsers, there is a feeling that it might also have something to do with a bit of a spat between Moore and Microsoft. Only a couple of weeks ago Microsoft berated the security researcher for acting irresponsibly by publishing details of a recently patched vulnerability in the Windows Remote Access Connection Manager service. The nature of this ‘irresponsible’ act? Apparently waiting only 9 days to publish code after the bug was patched, far too soon said Microsoft. Cobblers, was the gist of Moore’s blog reply: “Microsoft is doing themselves a disservice by asking for vulnerability information on one hand and then condemning the folks who provide it with the other.”
The month of browser bugs, as it is being called, is nothing to get too worried about, provided you are well patched, avoid suspect sites, and do all the usual safe surfing stuff. However, the fact that someone is releasing vulnerabilities from some list of bugs not known to the browser developers is worrying. Why not just let them know the whole lot, and make the web a safer place? I don’t believe that Moore is slaving away all hours and able to discover a new bug every day, on the fly, do you? I’m all for the ‘information is power’ concept, but there is such a thing as responsible disclosure, and this isn’t it. Vendors should always be given the details before any vulnerability is made public, to at least give them some opportunity to release a patch. That is the honest thing to do, the safe thing to do, the decent thing to do.
My mum used to tell me not to air my dirty laundry in public; it looks like Mrs. Moore didn’t give her son the benefit of the same advice.