Hacker promises month of browser holes

The creator of a widely used hacking tool has promised to publish details of one browser security hole per day during July.

HD Moore, the hacker behind the Metasploit toolkit, started his Month of Browser Bugs on 1 July by publishing software that demonstrates bugs in a variety of Web browsers.

Moore said he decided to do the month of bugs in order to show the kinds of results he's generated using a variety of automated security testing tools known as "fuzzers."

"This information is being published to create awareness about the types of bugs that plague modern browsers and to demonstrate the techniques I used to discover them," Moore said in a blog post. The code does not include details that would allow attackers to run unauthorised code on a victim's machine, Moore said.

To date, he has published information on bugs in Internet Explorer, Firefox, and Apple's Safari browser.

Microsoft has had an advance look at the bugs, and some of them can cause the browser to crash, said Stephen Toulouse, security program manager with Microsoft's security response centre. Others have been fixed in previous security updates, he said.

Some of the bugs were fixed in Microsoft's recent MS06-021 security update, Moore said in an e-mail, but "the actual details of these bugs have not been made public."

"Saying we are at risk due to browser vulnerabilities is akin to saying we are at risk due to being in a car," he added. "Yes, this is true... but you can certainly reduce the risk of harm while in a car through reasonable knowledge, use, and maintenance. The same is true with browsers."