A Month of Browser Bugs, A Little History, and What It Means for Mobile Devices
HD Moore and the MetaSploit project have gone to town with their toolbox of fuzzers and insight. They have unleashed a raft of security vulnerabilities on the world, in major browsers across many different platforms, one a day for an entire month (it is now day five of the Month of Browser Bugs as I write this).
While I think it's awesome that HD and the project team have made such a concerted effort to investigate most of the major sub-systems used in today's browsers (I don't want to detract from their initiative, motivation, or skill) it should be noted they were not the first to take a look at them, thinking that, aside from ActiveX (for a change) they could be fuzzed with high yield results. Similar methods were used by the illustrious group at Oulu university in 2001, Michal Zalewski with mangleme in 2004, and ND of Felinemenace fame with the HTMLer python script, also in 2004. All three have previously released an automated test-failure harness, which is what a fuzzer is, to beat on browsers.
Even though I applaud these efforts, I have to scream "Think of the mobile devices!" This is because, like children, mobile devices can sometimes be neglected, or an afterthought (can you tell that I don't have any kids?). Shortly after the release of mangleme and HTMLer, I suggested that someone should take these scripts and focus their attention on WAP (Wireless Application Protocol) browsers on cell phones. Well, eventually I took my own advice around December 2004 and did just that. I targeted WAP browsers and achieved some interesting results. Since mobile vendors don't always play nicely with the information we provide, we never saw any advisories released; not to mention that my motivation waned quickly.
Anyway, fast forward 18 months and our SmartPhones now have real Web browsers instead of just WAP (plus some HTML extensions) browsers. As I sit here and write this, the Motorola A780 I have sitting beside me runs Opera 7.50 on a Linux kernel, and the Motorola A1200 beside it is running Opera 8.00, build 1555. Windows Mobile runs Pocket IE, and Windows CE can run Internet Explorer 6, all of which borrow code from their desktop counterparts. Nokia are using the KHTML and KJS cores in their new OSS Series 60 browser, borrowed from the Konqueror project. I personally love the description from Wikipedia: "HTML is fast, but currently less error tolerant than the Gecko layout engine." And yes, I do believe everything I read on the Internet. My point is, while people focus on the desktop browsers, what about all the browsers in these embedded devices that might exhibit similar flaws, if not the same ones that HD and team are releasing? Are we going to see vendors rush out with advisories, patches, and firmware updates? I suspect you can all guess the answer to that, and I’ll be more than happy to be proved wrong on my own assumptions.
So, as more code gets reused and technologies that are originally developed for the desktop start popping up in mobile computing, you can expect this trend to continue. I also think that as the desktop gets harder to exploit, attackers will look for softer targets. Mobile devices, and SmartPhones in particular are going to be those targets, at least in the short term.