11.30.07 - 10:28pm
Jeff Jones, a director of security strategy at Microsoft published a report today about counting bugs. I blogged a few months ago about why I think counting bugs is less than useful:
Since all software has bugs, it’s more important to consider how long it takes to get a fix out when a security [...]
11.16.07 - 04:52pm
Issue
jar: protocol is not restricted to java archives and will open any zip format file. An attacker can use this to evade filtering on sites that allow users to upload content and use this initiate a cross site scripting attack.
Impact
Firefox supports the Java Archive URI scheme that allows the addressing of the contents [...]
10.01.07 - 02:17pm
How can Mozilla be open about security issues without exposing users to additional risk?
Being open about security issues means that users have the information they need to understand their risk, that the community can contribute to the security process, and that other software development projects can benefit from our experiences. Unfortunately, sharing the details of [...]
09.18.07 - 03:09pm
Firefox 2.0.0.7 was released this afternoon to patch the QuickTime issue described here. This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple. I would like to personally thank the individuals at Apple who worked with us and the engineers at Mozilla that work so [...]
08.06.07 - 01:17pm
Claudio Santambrogio at Opera posted that they have been running the Mozilla JavaScript fuzzer and as of Friday have found and fixed 4 issues with it. I am thrilled. This is exactly what we hoped would happen. Hopefully, this will encourage other vendors to share their internal security tools with everyone so [...]
08.06.07 - 10:50am
Mike Shaver (Director of Ecosystem Development at Mozilla) handed his business card to Robert Hansen (RSnake) on Wednesday night at Black Hat. On it he wrote “ten f—ing days.” When I asked him about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in [...]
08.02.07 - 12:20pm
Mike Shaver and I just finished presenting “Building and Breaking the Browser”at Blackhat today in Las Vegas. We discussed the methods and tools that Mozilla uses to secure the Firefox browser. These tools include a fuzzer for Javascript, which has led to the discovery and resolution of dozens of critical security bugs. [...]
07.25.07 - 02:15pm
Issue
We are currently investigating an issue on Windows XP, where some urls for “web” protocols that contain %00 launch the wrong handler and appear to be able to launch local programs, with limited argument passing.
Impact
The impact to users is unknown at this point in time. We are working to verify this and in the [...]
07.23.07 - 04:46pm
On July 10th, I posted about a security issue in URL protocol handling on Windows. In the previous example, Internet Explorer was the entry point and Firefox was the application receiving the bad data.
Over the weekend, we learned about a new scenario that identifies ways that Firefox could also be used as the entry [...]
07.18.07 - 02:38pm
If you are a security geek in the bay area, find your way to O’Niell’s on 3rd and King Street in San Francisco at 7pm to meet up at BaySec. I’ll be there to celebrate shipping Firefox 2.0.0.5. I may even have some Mozilla and Firefox goodies to give out. Say hi [...]