So far this year, Project Zero’s web fuzzer has found 31 bugs in browsers, and 17 of them were in Safari. Edge, by comparison, came in at 6, Internet Explorer at 4, and Chrome at just 2.
The tool, used by Google’s Ivan Fratric, is called Domato, and it searches for bugs in the Document Object Model (DOM) implementation of a browser’s rendering engine. Attackers do occasionally exploit DOM engine bugs in the wild, a notable example being the Tor case.
Last year, attackers exploited a bug in the Firefox-based Tor Browser engine to identify visitors to a child pornography website on the darknet. Despite the positive outcome, experts also believe the same vulnerability could have been used by criminals.
Preventing Future Attacks
Google tries to discover such vulnerabilities by throwing millions of lines of randomly generated HTML and JavaScript at browsers in an attempt to cause crashes. So far, it’s been successful, but Fratric has now open-sourced Domato in the hope of further improvement.
Before that, he had offered Apple private access to the tool because of Safari’s unusually high bug count. The company has since hired a Project Zero member, who accepted the offer on Apple’s behalf.
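To show what “randomly generated code” means in a grammar-based DOM fuzzer, here is a small Python generator added as an illustration; it is not Domato’s own code, and the toy grammar, symbol names and seeding scheme are constructed assumptions (real Domato grammars are far larger). The seed makes every test case reproducible, which is what lets a crash be triaged later.

```python
import random
import re

# Constructed toy grammar in the spirit of Domato's grammar-based generation
# (assumption: real grammars cover far more elements, properties and APIs).
GRAMMAR = {
    "page": ["<html><body>\n{elements}\n<script>\n{statements}\n</script></body></html>"],
    "elements": ["{element}", "{element}\n{elements}"],
    "element": ['<div id="{id}">{text}</div>',
                '<span id="{id}">{text}</span>',
                '<table id="{id}"><tr><td>{text}</td></tr></table>'],
    "statements": ["{statement}", "{statement}\n{statements}"],
    "statement": ['document.getElementById("{id}").style.display = "{display}";',
                  'document.getElementById("{id}").innerHTML = "{text}";',
                  'document.getElementById("{id}").remove();',
                  'document.body.appendChild(document.getElementById("{id}"));'],
    "id": ["e0", "e1", "e2"],
    "text": ["x", "hello", ""],
    "display": ["none", "block", "inline"],
}
PLACEHOLDER = re.compile(r"\{(\w+)\}")


def expand(symbol, rng, depth=0, max_depth=6):
    """Recursively expand a grammar symbol, picking rules with the seeded RNG."""
    rules = GRAMMAR[symbol]
    # Past the depth limit, take the rule with the fewest placeholders so the
    # recursive 'elements'/'statements' chains terminate.
    if depth >= max_depth:
        rules = [min(rules, key=lambda r: len(PLACEHOLDER.findall(r)))]
    rule = rng.choice(rules)
    return PLACEHOLDER.sub(lambda m: expand(m.group(1), rng, depth + 1, max_depth), rule)


def generate(seed):
    """Return one HTML/JS test case; the same seed always yields the same page."""
    return expand("page", random.Random(seed))


if __name__ == "__main__":
    # Each case would be loaded in an instrumented browser; a crash, not a
    # JavaScript exception, is the signal the harness looks for.
    for seed in range(3):
        print(f"--- case {seed} ---\n{generate(seed)}")
```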
“To attempt to address this discrepancy, I reached out to Apple Security proposing to share the tools and methodology,” explained Fratric in a blog post. “When one of the Project Zero members decided to transfer to Apple, he contacted me and asked if the offer was still valid. So Apple received a copy of the fuzzer and will hopefully use it to improve WebKit.”
Microsoft also received praise from the Google researcher. “Given that IE used to be plagued with use-after-free issues, MemGC is an example of a useful mitigation that results in a clear positive real-world impact. Kudos to Microsoft’s team behind it,” he said.
You can see the full results on the Project Zero blog.