Browser Security News

All software contains vulnerabilities, with some flaws worse than others. But should those flaws be made public after the vendor in question has been contacted? I say yes. So I applaud the security researcher who, earlier this week, declared that he’ll post one Internet browser vulnerability daily throughout the month of July. If a software vendor can’t respond quickly and either dismiss or patch a public flaw, then why should we continue to support that vendor? It should be an interesting month.

Good and bad
Software vendors can’t possibly test their own creations for every conceivable use; they built the program and know how the app is supposed to work, so they’re often blind to alternative uses. That’s where third parties come in; they bring a fresh perspective, one that’s outside the box that created the app. In a sense, I’m advocating open-source applications, because open-source apps benefit from having thousands of eyes view the code. But not everything can be open source; some software vendors need to make money, so the source code remains proprietary, hidden. That’s where it all gets interesting: even if you can’t see the code, you can observe it in action.

Security researchers are often on the vendors’ side, reporting the vulnerabilities they observe in the hopes that the vendor will make the product stronger. Criminal hackers, on the other hand, only want to exploit the flaw and often release a Trojan or a virus instead of reporting the flaw. Both, however, spend hours observing a given app and trying to get it to fail. Not all software failures (crashes, reboots, and such) are exploitable. Like tea leaves, there’s an art to reading software failures. Security Watch: Fuzzing browsers for fun - CNET reviews