Firefox 2.0.0.8 now available
October 19th, 2007
Firefox 2.0.0.8 was released yesterday as part of our continuing efforts to improve the security of the web browser. This security update contains fixes for security issues described here and an additional mitigation for Windows URI handling security issues. Please be sure to update your installation of Firefox when automatic update asks, or to get it immediately choose “Check for Updates” from the Help menu.
Meet the Mozilla Security Group
October 1st, 2007
How can Mozilla be open about security issues without exposing users to additional risk?
Being open about security issues means that users have the information they need to understand their risk, that the community can contribute to the security process, and that other software development projects can benefit from our experiences. Unfortunately, sharing the details of security issues broadly before they are patched could expose users to risk. The balance we have come up with is to work with a group of people that represent the interests of the entire community who can give feedback, suggestions, and help to fix security issues.
The Mozilla Security Group is a team of people from the community, including employees, individual contributors, and other vendors who work on securing Mozilla projects. This group has been in place since 2002, is older than Mozilla Corporation, and as of today there are 93 people in the group. The team is self-organizing. New members are nominated by existing members through recognition of valuable contributions to security efforts. This system is democratic and is similar to the method used to assign rights to add code to Mozilla projects for new contributors.
This team enables us to leverage the knowledge of the community, be open about security issues, but also protect our users until we are able to ship a fix.
Firefox 2.0.0.7 now available
September 18th, 2007
Firefox 2.0.0.7 was released this afternoon to patch the QuickTime issue described here. This will protect Firefox users from the public critical security vulnerability until a patch is available from Apple. I would like to personally thank the individuals at Apple who worked with us and the engineers at Mozilla that work so hard to get security updates out so quickly.
This issue was patched in only six (or 6.25 according to John O’Duinn) days. When a vendor ships security fixes quickly, it lowers the incentive for attackers to spend time developing and deploying an exploit for that issue. The window of opportunity for attackers is reduced and so is the potential to compromise users. So thanks you guys, for helping destroy the economics of malicious exploit development.
http://www.mozilla.org/security/announce/2007/mfsa2007-28.html
Quicktime to Firefox issue
September 12th, 2007
Issue
Petko D. Petkov identified an issue in Quicktime that allows an attacker to execute arbitrary code.
Impact
If Firefox is the default browser when a user plays a malicious media file handled by Quicktime, an attacker can use a vulnerability in Quicktime to compromise Firefox or the local machine. This can happen while browsing or by opening a malicious media file directly in Quicktime. So far this is only reproducible on Windows.
Petkov provided proof of concept code that may be easily converted into an exploit, so users should consider this a very serious issue.
Status
Mozilla is working with Apple to keep our users safe and we are also investigating ways to mitigate this more broadly in Firefox.
You can follow our work in bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=395942
Credit
Petko D. Petkov discovered this issue and posted details here.
August BaySec is Tonight
August 20th, 2007
Time again to rally the infosec professionals for drinks at O’Neill’s. See you there.
http://www.sockpuppet.org/baysec/
Feedback from Opera on Mozilla JavaScript fuzzer
August 6th, 2007
Claudio Santambrogio at Opera posted that they have been running the Mozilla JavaScript fuzzer and as of Friday have found and fixed 4 issues with it. I am thrilled. This is exactly what we hoped would happen. Hopefully, this will encourage other vendors to share their internal security tools with everyone so we call all make our software more secure.
Mike Shaver, ten days, and expletives
August 6th, 2007
Mike Shaver (Director of Ecosystem Development at Mozilla) handed his business card to Robert Hansen (RSnake) on Wednesday night at Black Hat. On it he wrote “ten f—ing days.” When I asked him about it, he said he meant to communicate to Robert that since Mozilla got a recent security update out in only ten days, that there was no reason for Robert to post details of vulnerabilities publicly before a patch was available. Since we’re among the most responsive software vendors, security researchers do not have to resort to full disclosure to get us to patch bugs quickly.
Well, whatever he meant, his statement has taken on a life of its own. Robert posted on his blog, and a bunch of news articles picked it up as a challenge.
This is the official Mozilla word: This is not our policy. We do not think security is a game, nor do we issue challenges or ultimatums. We are proud of our track record of quickly releasing critical security patches, often in days. We work hard to ship fixes as fast as possible because it keeps people safe. We hope these comments do not overshadow the tremendous efforts of the Mozilla community to keep the Internet secure.
JavaScript fuzzer available
August 2nd, 2007
Mike Shaver and I just finished presenting “Building and Breaking the Browser”at Blackhat today in Las Vegas. We discussed the methods and tools that Mozilla uses to secure the Firefox browser. These tools include a fuzzer for Javascript, which has led to the discovery and resolution of dozens of critical security bugs. Fuzzers are tools that generate a large amount of input in order to test the robustness of a piece of software and can be used to identify potential vulnerabilities.
This is the tool we discussed in our presentation, the first in a series of security tools that we intend to make publicly available.
https://bugzilla.mozilla.org/show_bug.cgi?id=jsfunfuzz
The responsible sharing of security tools is an important way to contribute to the overall health of the web. We worked with Microsoft, Apple, and Opera to reduce the possibility that this tool might adversely affect users of those browsers. All of these browser vendors reviewed the tool and let us know that they were okay with the release.
Off to Black Hat!
July 30th, 2007
I’m heading to Las Vegas tomorrow for the Black Hat Briefings. If you’re in town you can catch me speaking on Thursday morning on Building and Breaking the Browser.
You can also catch up with me Wednesday afternoon on the Future of Information Security panel or Thursday afternoon on the Ethics Challenge panel.
After you roll in from all the parties on Wednesday night, stop by Royal 55, Augustus Tower in Caesar’s Palace to have milk and cookies with Mozilla. It’s a super chill pajama party with some of the people who make Firefox. Pajamas not required. Stop by on your way to bed. We’ll be there 11pm to 2am and possibly later.
Firefox 2.0.0.6 now available
July 30th, 2007
We’ve just released Firefox 2.0.0.6 which contains a security patch to mitigate the issue described here. The patch enables percent-encoding for spaces and double-quotes in URIs handed off to external programs. This reduces the risk of malicious data being passed through Firefox to another application that may then trigger unexpected and potentially dangerous behavior.
Get Firefox 2.0.0.6 here.
Read the release notes for Firefox 2.0.0.6 here.
Congratulations and thank you to the dev, QA, and build teams, and all the community members that worked so hard to get this fix out quickly to our users.
« Previous Page — Next Page »