Over a hundred vulnerabilities were found in browsers

2013.08.02

Over a hundred vulnerabilities were found in browsers in the course of The University of Oulu's effective data security testing programme

The Radamsa tool developed by The University of Oulu has already been used to find over a hundred previously unknown vulnerabilities in browsers. All these vulnerabilities have been reported to the manufacturers at once so that they could be fixed as quickly as possible. Vulnerabilities have been found in anti-virus programs and widely used image and audio formats as well.

Radamsa is a completely automated data security testing tool developed by The University of Oulu, which is the architect of the structure and the creator of testing events. In it, the best properties of previously developed automated data security testing tools have been collated. The Radamsa software has been developed in the course of a four-year Cloud Software programme. Business partners in the project have included Ericsson, Nokia, F-Secure, Google, the Mozilla Foundation and WebKit.org. Radamsa is based on an open source code.

”One effective way to look for vulnerabilities, that attackers also favour for their attacks, is a search program in practice. A piece of data is sought against each program that causes an error in the functioning of the program. Naturally, the program has to have a defect so that this will work, but in practice all our cases had at least one defect ”, states The University of Oulu’s Professor of Embedded Systems Juha Röning.

The search for mechanical errors like this is called fuzzing. Often, it makes use of pieces of information that are known to be understood by the program (such as databases and web traffic) as models by which the fuzzer can construct the same types of attacks with which it can see if there are vulnerabilities in the program. Over a hundred browser vulnerabilities have been found in Google Chrome and Mozilla Firefox.

”We defined a vulnerability as a defect that can probably be used in an attack that happens through the browser, based on the manufacturer’s analysis. A successful attack normally needs between one and five errors to get control of the computer’s other content through the site.” says Röning.

Firefox is wholly, and Google Chrome for the most part, an open source project that uses a lot of shared files. In this way, vulnerabilities that have been fixed usually help to improve data security. According to Röning, most defects have indirectly improved the security of almost all Apple devices,
Android phones and smart TVs.

Google Bounty:

http://www.chromium.org/Home/chromium-security/hall-of-fame

Mozilla security announcements

http://www.mozilla.org/security/announce/2010/mfsa2010-41.html
http://www.mozilla.org/security/announce/2012/mfsa2012-14.html
http://www.mozilla.org/security/announce/2012/mfsa2012-22.html
http://www.mozilla.org/security/announce/2013/mfsa2013-22.html
http://www.mozilla.org/security/announce/2013/mfsa2013-05.html

The Radamsa software has been developed in the course of a four-year Cloud Software programme. Cloud Software Finland is a four-year programme of Tivit (2010-2014), which focuses on developing various aspects of cloud services. The programme is funded by Tekes.

www.cloudsoftwareprogram.org

https://www.ee.oulu.fi/research/ouspg/Radamsa

Further information:
Juha Röning, tel. +040 518 1621
The University of Oulu

Print

Send

Back