Interesting People mailing list archives
Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs
From: "Dave Farber" <farber () gmail com>
Date: Sat, 23 Sep 2017 17:17:44 -0400
Begin forwarded message:
From: the keyboard of geoff goodfellow <geoff () iconia com> Date: September 23, 2017 at 2:56:28 PM EDT To: "E-mail Pamphleteer Dave Farber's Interesting People list" <ip () listbox com> Subject: Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs By Catalin Cimpanu Sep 22 2017 <https://www.bleepingcomputer.com/news/security/google-experiment-tests-top-5-browsers-finds-safari-riddled-with-security-bugs/> The Project Zero team at Google has created a new tool for testing browser DOM engines and has unleashed it on today's top five browsers, finding most bugs in Apple's Safari. The tool — named Domato — is a fuzzer, a security testing toolkit that feeds a software application with random data and analyzes the output for abnormalities. Google engineer Ivan Fratric created Domato with the goal of fuzzing DOM engines, the browser components that read HTML code and organize it into the DOM (Document Object Model), which is then "painted" and displayed inside the browser window that human users view on their screens. Google: DOM engine bugs should be a priority Fratric says he focused on DOM engines because it's "a rare case that a vendor will publish a security update that doesn’t contain fixes for at least several DOM engine bugs," showing how prevalent they are today. He also argues that while Flash bugs provide a cross-browser attack surface, once Flash reaches end-of-life (in 2020), attackers will focus their efforts on DOM engines, the browser's biggest attack surface. With Domato he wants to help browser vendors test and patch as many security bugs in their respective DOM engines before it is too late. Google test finds 17 security bugs in Safari's DOM engine To prove Domato's capabilities, Fratric took today's top five browsers — Chrome, Firefox, Internet Explorer, Edge, and Safari — and subjected them to 100 million fuzz tests with Domato. Results showed that Safari had by far the worst DOM engine, with 17 new bugs discovered after Fratric's test. Second was Edge with 6, then IE and Firefox with 4, and last was Chrome with only 2 new issues. Non-security bugs were ignored, and Fratric also pointed out that if Microsoft wouldn't have added MemGC (user-after-free exploit mitigation) in IE and Edge, those browsers would have faired much worse. [snip] -- Geoff.Goodfellow () iconia com living as The Truth is True http://geoff.livejournal.com This message was sent to the list address and trashed, but can be found online.
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580 Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125 Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20170923171753:A745C66E-A0A4-11E7-B771-B2B0715907BD Powered by Listbox: http://www.listbox.com
Current thread:
- Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs Dave Farber (Sep 23)