


One hundred browser holes uncovered by cross_fuzz

Jan 03, 2011

More than a few of you are no doubt familiar with Michal Zalewski — a.k.a. lcamtuf — a Polish hacker, computer security expert and Google employee.

There’s even a Wikipedia page on the man, which says the following:

He has been a prolific vulnerability researcher and a frequent Bugtraq poster since mid-1990s, and has authored a number of programs for Unix-like operating systems. In 2005, Zalewski authored Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, a computer security book published by No Starch Press and subsequently translated to a number of languages.

For his continued research on browser security, he was named one of the 15 most influential people in security and among the 100 most influential people in IT. Zalewski was one of the original creators of Argante, a virtual open source operating system.

According to a couple of friends on Twitter — security and risk management consultant Nick Selby and Threatpost scribe Paul Roberts — 2011 is starting with a bang in the form of 100 browser holes uncovered by cross_fuzz, Zalewski’s newest creation.

He announced details of the fuzzer on his blog on New Year’s Day:

I am happy to announce the availability of cross_fuzz – an amazingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market – many of said bugs exploitable – and is still finding more.

The fuzzer owes much of its efficiency to dynamically generating extremely long-winding sequences of DOM operations across multiple documents, inspecting returned objects, recursing into them, and creating circular node references that stress-test garbage collection mechanisms.

But, he warns, the design can make it tough to get clean, deterministic reproductions. He writes:

I also believe that at least one of the vulnerabilities discovered by cross_fuzz may be known to third parties – which makes getting this tool out a priority.

His blog includes details on the bugs found and what has and hasn’t been fixed, as well as a link to download or simply demo the tool.

–Bill Brenner