Georgia Tech Finds 11 Deep Security Flaws in Chrome, Firefox
The security researchers developed a new cyber-security analysis method that discovered the holes buried deeper in the systems.

Researchers from the Georgia Institute of Technology College of Computing earlier this year found 11 previously undiscovered flaws in two of the most widely used Internet browsers—Google Chrome and Mozilla Firefox. Worry not, however: The flaws have long been fixed. The security researchers developed a new cyber-security analysis method that discovered the holes buried deep in the systems.

They were rewarded for their work with the Internet Defense Prize, an award presented by Facebook, in partnership with USENIX, at the 24th USENIX Security Symposium that ended Aug. 14. Ph.D. students Byoungyoung Lee and Chengyu Song, along with Professors Taesoo Kim and Wenke Lee (pictured), received $100,000 from Facebook to continue their research to make the Internet safer.

Their research paper, "Type Casting Verification: Stopping an Emerging Attack Vector," explores vulnerabilities in C++ programs—such as in Chrome and Firefox—that result from "bad casting" or "type confusion." Bad casting enables an attacker to corrupt the memory in a browser so that it follows malicious logic instead of proper instructions.
The researchers developed a new, proprietary detection tool called CAVER to catch bad casts. CAVER is a run-time detection tool that adds 7.6 percent overhead to browser performance in Chrome and 64.6 percent in Firefox. The 11 vulnerabilities that Georgia Tech identified have been confirmed and fixed by vendors, USENIX said.
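
To make "bad casting" concrete, the following is an added illustration, not code from the paper, from CAVER, or from either browser. The class names are hypothetical, and `dynamic_cast` stands in for a run-time check; it is not taken from CAVER.

```cpp
#include <cstdio>
#include <string>

// Constructed hierarchy; all names here are hypothetical.
struct Node {
    virtual ~Node() = default;   // virtual member enables run-time type info
};
struct TextNode : Node {
    std::string text = "hello";
};
struct ImageNode : Node {
    long width = 640, height = 480;
};

// Unchecked downcast: static_cast trusts the caller. If n really points to an
// ImageNode, the result is treated as a TextNode and later accesses read or
// write memory with the wrong layout. Only safe when the type is known.
TextNode* unchecked_text(Node* n) {
    return static_cast<TextNode*>(n);
}

// Checked downcast: dynamic_cast returns nullptr when the object is not a To,
// so the mismatch is caught and counted instead of being used.
template <typename To>
To* checked_downcast(Node* n, int* bad_casts) {
    To* p = dynamic_cast<To*>(n);
    if (n != nullptr && p == nullptr) {
        ++*bad_casts;
    }
    return p;
}

// Walks a mixed list and returns how many casts to TextNode were rejected.
int count_bad_casts() {
    TextNode t;
    ImageNode i;
    Node* nodes[] = {&t, &i, &t};
    int bad = 0;
    for (Node* n : nodes) {
        if (TextNode* tn = checked_downcast<TextNode>(n, &bad)) {
            std::printf("text node: %s\n", tn->text.c_str());
        }
    }
    return bad;
}

int main() {
    std::printf("bad casts rejected: %d\n", count_bad_casts());
}
```

The unchecked form costs nothing at run time, which is why large C++ code bases favor it; the checked form trades some performance for the guarantee that a mismatched object is never used under the wrong type.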