A prominent security researcher has published the results of application tests on prominent Web browsers that he claims have uncovered scores of new, previously unknown security holes.
Michal Zalewski is a Poland-based security researcher for Google. On January 1, Zalewski used a blog post to publish the partial results of tests he performed with an application testing – or “fuzzing” – tool called cross_fuzz. The results include the discovery of a large number of remotely exploitable holes in Microsoft’s Internet Explorer, Mozilla’s Firefox browser, the Opera browser and browsers using the WebKit HTML rendering engine, which include Apple’s Safari and mobile browsers.
Fuzzers are a kind of automated application testing tool that barrage software applications with data inputs in various formats in an effort to expose vulnerable code and induce crashes. Cross_fuzz is described as a fuzzer that finds holes by exploiting document object model (DOM) operations across and between Web pages.
Many of the vendors in question were notified of the holes more than six months ago, prompting Zalewski’s call for broader “community engagement” to get the holes fixed. Zalewski claims that “third parties” may be aware of at least one of the remotely exploitable holes he discovered.
Zalewski, who is a prominent member of Google’s vulnerability research team, has discovered critical holes in common browsers before. He said that the cross_fuzz tool is continuing to find new holes in – published a link to the cross_fuzz application for others to download and try.