Google Subjects Top 5 Browsers to 100 Million Fuzz Tests

Hackers are always looking for new vulnerabilities in the software we utilize, with web browsers being a key target because we all use them. Adobe Wink and more recently JavaScript vulnerbilities have been key targets, only there'due south another attack vector not talked almost as much: the DOM.

The Document Object Model (DOM) is basically what a web browser relies on to take HTML and turn it into what end users see on their screen. DOM engines practice contain bugs that can be exploited, and Google'due south Project Cypher security team decided to see how good (or bad) the land of the height five web browser DOM engines is.

Ivan Fratric, a security researcher at Google Project Zero, created a new DOM fuzzer for the test chosen Domato, which has at present been open sourced. A fuzzer is an automated tool that feeds random data into a slice of software and then monitors information technology for unexpected behavior, memory leaks, and crashes.

Domato was used to assess the electric current meridian 5 browsers: Chrome, Firefox, Internet Explorer, Edge, and Safari. Each browser was given 100 1000000 iterations using the fuzzer. The results are summarized in the table beneath.

Typically it's Internet Explorer we look to exist the least secure web browser, but when information technology comes to the DOM, Apple's Safari is past far and away the worst performing. Of the 31 bugs discovered, 17 were for Safari. Chrome came out on peak with simply ii bugs, Firefox and IE both had four, and Edge had six.

Fratric points out the results don't reflect the overall security of a web browser every bit they focus on one aspect of it, "just one that has historically been a source of many security issues."

Fratric concludes his write-upward of the tests past saying, "DOM engines have been one of the largest sources of web browser bugs. While this type of problems are far from gone, nearly browsers prove clear progress in this area." But the DOM still remains an area of web browsers where bugs exist and therefore can be exploited. With Flash slowly disappearing, there could certainly be more than focus on trying to exploit weaknesses in DOM engines in the futurity.

The Domato fuzzer is bachelor to use and the results of this test are at present public, so hopefully browser developers will take note and deal with the highlighted bugs. The Safari squad especially needs to leap on this quickly.