The Project Zero team at Google has created a new tool for testing browser DOM engines and has unleashed it on today's top five browsers, finding most bugs in Apple's Safari.

The tool — named Domato — is a fuzzer, a security testing toolkit that feeds a software application with random data and analyzes the output for abnormalities.

Google engineer Ivan Fratric created Domato with the goal of fuzzing DOM engines, the browser components that read HTML code and organize it into the DOM (Document Object Model), which is then "painted" and displayed inside the browser window that human users view on their screens.

Google: DOM engine bugs should be a priority

Fratric says he focused on DOM engines because it's "a rare case that a vendor will publish a security update that doesn’t contain fixes for at least several DOM engine bugs," showing how prevalent they are today.

He also argues that while Flash bugs provide a cross-browser attack surface, once Flash reaches end-of-life (in 2020), attackers will focus their efforts on DOM engines, the browser's biggest attack surface.

With Domato he wants to help browser vendors test and patch as many security bugs in their respective DOM engines before it is too late.

Google test finds 17 security bugs in Safari's DOM engine

To prove Domato's capabilities, Fratric took today's top five browsers — Chrome, Firefox, Internet Explorer, Edge, and Safari — and subjected them to 100 million fuzz tests with Domato.

Results showed that Safari had by far the worst DOM engine, with 17 new bugs discovered after Fratric's test. Second was Edge with 6, then IE and Firefox with 4, and last was Chrome with only 2 new issues.

Non-security bugs were ignored, and Fratric also pointed out that if Microsoft wouldn't have added MemGC (user-after-free exploit mitigation) in IE and Edge, those browsers would have faired much worse.

Vendor Browser Engine Number of Bugs Project Zero Bug IDs Google Chrome Blink 2 994, 1024 Mozilla Firefox Gecko 4* 1130, 1155, 1160, 1185 Microsoft Internet Explorer Trident 4 1011, 1076, 1118, 1233 Microsoft Edge EdgeHtml 6 1011, 1254, 1255, 1264, 1301, 1309 Apple Safari WebKit 17 999, 1038, 1044, 1080, 1082, 1087, 1090, 1097, 1105, 1114, 1241, 1242, 1243, 1244, 1246, 1249, 1250 Total 31**

*Total is 33 but 2 of the bugs affected multiple browsers

**One of the bugs found in Firefox was in the Skia graphics library and not in the Firefox source code, but the code flaw was contributed to Skia by Mozilla engineers.

Google said it contacted each browser vendor and reported the newly found bugs, and also provided copies of the Domato engine so each vendor can perform more extensive tests.

Fratric has also open-sourced the Domato source code on GitHub and hopes that others adapt it to work on other applications, not just browser DOM engines.

Domato is just the latest fuzzing tool released by Google engineers, who appear to be in love with this technique when it comes to discovering security bugs. Previous tools include OSS-Fuzz and syzkaller.

Image credits: Julynn B., Apple, Bleeping Computer