Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs

["Dave Farber" <farber () gmail com>]

Begin forwarded message:

> From: the keyboard of geoff goodfellow <geoff () iconia com>
> Date: September 23, 2017 at 2:56:28 PM EDT
> To: "E-mail Pamphleteer Dave Farber's Interesting People list" <ip () listbox com>
> Subject: Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs
>
> Google Experiment Tests Top 5 Browsers, Finds Safari Riddled With Security Bugs
> By Catalin Cimpanu
> Sep 22 2017
> <https://www.bleepingcomputer.com/news/security/google-experiment-tests-top-5-browsers-finds-safari-riddled-with-security-bugs/>
>
> The Project Zero team at Google has created a new tool for testing browser DOM engines and has unleashed it on 
> today's top five browsers, finding most bugs in Apple's Safari.
>
> The tool — named Domato — is a fuzzer, a security testing toolkit that feeds a software application with random data 
> and analyzes the output for abnormalities.
>
> Google engineer Ivan Fratric created Domato with the goal of fuzzing DOM engines, the browser components that read 
> HTML code and organize it into the DOM (Document Object Model), which is then "painted" and displayed inside the 
> browser window that human users view on their screens.
>
> Google: DOM engine bugs should be a priority
>
> Fratric says he focused on DOM engines because it's "a rare case that a vendor will publish a security update that 
> doesn’t contain fixes for at least several DOM engine bugs," showing how prevalent they are today.
>
> He also argues that while Flash bugs provide a cross-browser attack surface, once Flash reaches end-of-life (in 
> 2020), attackers will focus their efforts on DOM engines, the browser's biggest attack surface.
>
> With Domato he wants to help browser vendors test and patch as many security bugs in their respective DOM engines 
> before it is too late.
>
> Google test finds 17 security bugs in Safari's DOM engine
>
> To prove Domato's capabilities, Fratric took today's top five browsers — Chrome, Firefox, Internet Explorer, Edge, 
> and Safari — and subjected them to 100 million fuzz tests with Domato.
>
> Results showed that Safari had by far the worst DOM engine, with 17 new bugs discovered after Fratric's test. Second 
> was Edge with 6, then IE and Firefox with 4, and last was Chrome with only 2 new issues.
>
> Non-security bugs were ignored, and Fratric also pointed out that if Microsoft wouldn't have added MemGC 
> (user-after-free exploit mitigation) in IE and Edge, those browsers would have faired much worse.
>
> [snip]
>
> -- 
> Geoff.Goodfellow () iconia com
> living as The Truth is True
> http://geoff.livejournal.com  
>
>
>
> This message was sent to the list address and trashed, but can be found online.



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20170923171753:A745C66E-A0A4-11E7-B771-B2B0715907BD
Powered by Listbox: http://www.listbox.com