10.19.09 - 04:17pm
Mike Shaver has posted an update on the situation surrounding our blocking of the .Net Framework Assistant and WPF plugin.
In it, he discusses the current state of affairs, the series of events that got us to this point, as well as the steps we, and Microsoft, are taking to get the situation resolved.
10.13.09 - 07:35pm
A little over a month ago, I talked about a project we had started to inform users when their plugins were out of date. This is a really important project for us, because old versions of plugins can cause crashes and other stability problems, and can also be a major security risk. In the first [...]
12.10.08 - 12:15pm
I will be leaving Mozilla at the end of the year. I am sad to be leaving, but I am excited to go work on something I have always been passionate about. I wish I could tell you about it now, but that will have to wait for a while.
You will still get Mozilla security [...]
07.02.08 - 05:10pm
Mozilla has been working with security researcher and analyst Rich Mogull for a few months now on a project to develop a metrics model to measure the relative security of Firefox over time. We are trying to develop a model that goes beyond simple bug counts and more accurately reflects both the effectiveness of secure [...]
09.18.07 - 03:09pm
Firefox 2.0.0.7 was released this afternoon to patch the QuickTime issue described here. This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple. I would like to personally thank the individuals at Apple who worked with us and the engineers at Mozilla that work so [...]
08.06.07 - 01:17pm
Claudio Santambrogio at Opera posted that they have been running the Mozilla JavaScript fuzzer and as of Friday have found and fixed 4 issues with it. I am thrilled. This is exactly what we hoped would happen. Hopefully, this will encourage other vendors to share their internal security tools with everyone so [...]
08.06.07 - 10:50am
Mike Shaver (Director of Ecosystem Development at Mozilla) handed his business card to Robert Hansen (RSnake) on Wednesday night at Black Hat. On it he wrote “ten f—ing days.” When I asked him about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in [...]
08.02.07 - 12:20pm
Mike Shaver and I just finished presenting “Building and Breaking the Browser”at Blackhat today in Las Vegas. We discussed the methods and tools that Mozilla uses to secure the Firefox browser. These tools include a fuzzer for Javascript, which has led to the discovery and resolution of dozens of critical security bugs. [...]
07.30.07 - 09:34pm
I’m heading to Las Vegas tomorrow for the Black Hat Briefings. If you’re in town you can catch me speaking on Thursday morning on Building and Breaking the Browser.
You can also catch up with me Wednesday afternoon on the Future of Information Security panel or Thursday afternoon on the Ethics Challenge panel.
After you roll [...]
07.30.07 - 09:11pm
We’ve just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external programs. This reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous [...]