A Month of Browser Bugs, A Little History, and What It Means for Mobile Devices
HD Moore and the MetaSploit project havegone to town with their toolbox of fuzzers and insight. They haveunleashed a raft of security vulnerabilities on the world, in majorbrowsers across many different platforms, one a day for an entire month(it is now day five of the Month of Browser Bugs as I write this).
WhileI think it's awesome that HD and the project team have made such aconcerted effort to investigate most of the major sub-systems used intoday's browsers (I don't want to detract from their initiative,motivation, or skill) it should be noted they were not the first totake a look at them, thinking that, aside from ActiveX (for a change)they could be fuzzed with high yield results. Similar methods were usedby the illustrious group at Oulu university in 2001, Michal Zalewski with mangleme in 2004, and ND of Felinemenace fame with the HTMLerpython script, also in 2004. All three have previously released anautomated test-failure harness, which is what a fuzzer is, to beat onbrowsers.
Even though I applaud these efforts, I have to scream "Think of themobile devices!" This is because, like children, mobile devices cansometimes be neglected, or an afterthought (can you tell that I don'thave any kids?). Shortly after the release of mangleme and HTMLer, I suggested thatsomeone should take these scripts and focus their attention on WAP(Wireless Application Protocol) browsers on cell phones. Well,eventually I took my own advice around December 2004 and did just that.I targeted WAP browsers and achieved some interesting results. Sincemobile vendors don't always play nicely with the information weprovide, we never saw any advisories released; not to mention that mymotivation waned quickly.
Anyway, fast forward 18 months and our SmartPhones now have real Webbrowsers instead of just WAP (plus some HTML extensions) browsers. As Isit here and write this, the Motorola A780 I have sitting beside meruns Opera 7.50 on a Linux kernel, and the Motorola A1200 beside it isrunning Opera 8.00, build 1555. Windows Mobile runs Pocket IE, andWindows CE can run Internet Explorer 6, all of which borrow code fromtheir desktop counterparts. Nokia are using the KHTML and KJS cores intheir new OSS Series 60 browser, borrowed from the Konqueror project. I personally love the description from Wikipedia:"HTML is fast, but currently less error tolerant than the Gecko layoutengine." And yes, I do believe everything I read on the Internet. Mypoint is, while people focus on the desktop browsers, what about allthe browsers in these embedded devices that might exhibit similarflaws, if not the same ones that HD and team are releasing? Are wegoing to see vendors rush out with advisories, patches, and firmwareupdates? I suspect you can all guess the answer to that, and I’ll bemore than happy to be proved wrong on my own assumptions.
So, as more code gets reused and technologies that are originallydeveloped for the desktop start popping up in mobile computing, you canexpect this trend to continue. I also think that as the desktop getsharder to exploit, attackers will look for softer targets. Mobiledevices, and SmartPhones in particular are going to be those targets,at least in the short term.