You are at the archive for the Announcements Category:

Feedback from Opera on Mozilla JavaScript fuzzer

Claudio Santambrogio at Opera posted that they have been running the Mozilla JavaScript fuzzer and as of Friday have found and fixed 4 issues with it. I am thrilled. This is exactly what we hoped would happen. Hopefully, this will encourage other vendors to share their internal security tools with everyone so we can all [...]

Mike Shaver, ten days, and expletives

Mike Shaver (Director of Ecosystem Development at Mozilla) handed his business card to Robert Hansen (RSnake) on Wednesday night at Black Hat. On it he wrote “ten f—ing days.” When I asked him about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in only ten [...]

JavaScript fuzzer available

Mike Shaver and I just finished presenting “Building and Breaking the Browser” at Blackhat today in Las Vegas. We discussed the methods and tools that Mozilla uses to secure the Firefox browser. These tools include a fuzzer for JavaScript, which has led to the discovery and resolution of dozens of critical security bugs. Fuzzers are tools [...]

Off to Black Hat!

I’m heading to Las Vegas tomorrow for the Black Hat Briefings. If you’re in town you can catch me speaking on Thursday morning on Building and Breaking the Browser. You can also catch up with me Wednesday afternoon on the Future of Information Security panel or Thursday afternoon on the Ethics Challenge panel. After you [...]

Firefox 2.0.0.6 now available

We’ve just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external programs. This reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous behavior. Get [...]

BaySec is tonight!

If you are a security geek in the Bay Area, find your way to O’Niell’s on 3rd and King Street in San Francisco at 7pm to meet up at BaySec. I’ll be there to celebrate shipping Firefox 2.0.0.5. I may even have some Mozilla and Firefox goodies to give out. Say hi if you see [...]

Fix for Windows URL Protocol Handling Problem in Firefox 2.0.0.5

Firefox 2.0.0.5 is now available and there is a fix for the URL protocol handling issue described here. We warned that other Windows applications may be vulnerable to this Internet Explorer issue, and on Sunday Nate McFeters, Billy Rios, and Raghav Dube posted a proof of concept that demonstrates the same attack through Internet Explorer [...]

Building and Breaking the Browser at Blackhat

Mike Shaver and I will be speaking at Blackhat August 1-2, 2007 on Firefox Security. It looks like there will be a number of Mozilla folks in attendance. I hope to see some of you there. Building and Breaking the Browser Traditional software vendors have little interest in sharing the gory details of what is [...]

New Mozilla Security Blog

Welcome to the Mozilla Security blog. This is the place to come for updates on what is going on with security at Mozilla.