06.18.07 - 03:35pm
Since all software has bugs, it’s more important to consider how long it takes to get a fix out when a security issue is discovered than it is to count bugs. Number of vulnerabilities identified is a function of how many bugs are present, but is probably more influenced by things like who is looking, and how good they are at finding security issues. That makes it a misleading metric.
We spend a lot of time thinking about how we can get fixes out faster to users. But the window of risk is actually determined by two factors. The first is the time it takes us to create a patch; let's call this Time to Fix. This includes the time to investigate a security issue, develop and test a fix, and finally ship the update. This is a better measure for understanding how safe a user is going to be than simply counting bugs.
But there's another aspect to getting the fix to the user that often goes overlooked. That is the Time to Deploy. Time to Deploy is how long it takes for users to get a patch installed once the fix is available from the vendor. Auto-update has gone a long way toward minimizing Time to Deploy for Firefox, but there are still areas where we can improve.
This chart shows how long it took for users to move from 1.5.0.5 to 1.5.0.6 last year:

This shows that it took eight days for about 90 percent of Firefox users to get updated. When I saw this last year I thought it was pretty fantastic. Firefox has millions and millions of users. Getting almost everyone updated in just eight days seemed pretty incredible to me.
I ran the numbers again this year after we shipped 2.0.0.4.
This chart shows how long it took for users to move from 2.0.0.3 to 2.0.0.4 last month:

This time it only took six days to update 90 percent of users. That’s a 25 percent decrease in Time to Deploy and a significant improvement in reducing the window of opportunity for attackers to take advantage of security vulnerabilities. It appears that some of the improvements in infrastructure have contributed to these numbers so a big thank you to everyone working in IT and to our partners that host mirrors. You’re helping to keep Firefox users safe.
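As an added example (not code from the original post), here is how Time to Deploy and the overall window of risk can be computed from daily update counts; the population and adoption curves below are constructed to illustrate the eight-day and six-day figures, not Mozilla's data:

```python
# Added example, not from the original post. Computes Time to Deploy as the
# number of days until a given share of users run the patched version, from
# constructed daily update counts. All numbers are illustrative.

def time_to_deploy(daily_updates, population, share=0.90):
    """Days after release until `share` of `population` has installed the update.

    daily_updates[i] is the number of users who moved to the new version on
    day i+1 after the update was published. Returns None if the share is never
    reached within the observed window (e.g. many users never update).
    """
    updated = 0
    for day, count in enumerate(daily_updates, start=1):
        updated += count
        if updated / population >= share:
            return day
    return None


def window_of_risk(time_to_fix_days, daily_updates, population, share=0.90):
    """Time to Fix plus Time to Deploy: how long a typical user stays exposed."""
    ttd = time_to_deploy(daily_updates, population, share)
    return None if ttd is None else time_to_fix_days + ttd


def deploy_improvement(old_days, new_days):
    """Relative reduction in Time to Deploy between two releases (8 -> 6 is 0.25)."""
    return (old_days - new_days) / old_days


# Constructed adoption curves for a population of 1,000,000 users.
POPULATION = 1_000_000
# Slower curve: 90 percent of users are updated on day 8.
CURVE_A = [150_000, 200_000, 150_000, 100_000, 100_000, 80_000, 70_000, 60_000, 30_000, 20_000]
# Faster curve (e.g. more mirror capacity): 90 percent updated on day 6.
CURVE_B = [250_000, 250_000, 150_000, 100_000, 90_000, 70_000, 40_000, 20_000]

if __name__ == "__main__":
    a = time_to_deploy(CURVE_A, POPULATION)
    b = time_to_deploy(CURVE_B, POPULATION)
    print(f"Time to Deploy: {a} days -> {b} days "
          f"({deploy_improvement(a, b):.0%} reduction)")
    # With a hypothetical 3-day Time to Fix, the window of risk is 3 + Time to Deploy.
    print(f"Window of risk: {window_of_risk(3, CURVE_B, POPULATION)} days")
```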
Category: Firefox, Musings, Press, Security, Security Updates | 7 Comments
06.05.07 - 11:14am
The bugs Michael Zalewski posted to full-disclosure yesterday are getting some attention in the press. The information below is intended to provide some clarity on the severity of these issues and how they impact users.
Bug 382686 allows the attacker to spoof content and potentially JavaScript. The spoofed content would be in the attacker's domain, not the spoofed domain. This is unsafe because it could be used to lure a user into entering content into the spoofed frame, but it does not result in code execution. This might be used in phishing attacks. Spoofing attacks usually receive a Mozilla severity rating of Low.
Bug 376473 requires an additional vulnerability in a content handler in order to compromise a user. This alone cannot be used to execute or even place code on the user’s machine. This bug is also rated with a severity of Low. To protect users from potential vulnerabilities in content handlers we are considering ways to improve management of content handlers.
Mozilla prioritizes bugs based on severity to help us figure out which bugs to fix first. Just because a bug has a lower severity rating does not mean we dismiss it. We fix all bugs with any security risk as part of our commitment to security.
UPDATE 06/05/2007 2:27 PDT: These two bugs may be used together to allow an attacker to access any file the user has access to on the system. If this is the case, that may change the severity rating to Medium.
Category: Security, Vulnerabilities | 10 Comments
06.04.07 - 03:59pm
Mike Shaver and I will be speaking at Blackhat August 1-2, 2007 on Firefox Security. It looks like there will be a number of Mozilla folks in attendance. I hope to see some of you there.
Building and Breaking the Browser
Traditional software vendors have little interest in sharing the gory details of what is required to secure a large software project. Talking about security only draws a spotlight to what is generally considered a weakness. Mozilla is using openness and transparency to better secure its products and help other software projects do the same.
Mozilla has built and collaborated on tools to secure the Firefox Web browser and Thunderbird e-mail client, the first of which will be released at Blackhat Las Vegas 2007. These tools include protocol fuzzers for HTTP and FTP and a fuzzer for Javascript, which together have led to the discovery and resolution of dozens of critical security bugs. These tools may be useful to anyone developing or testing applications that implement or depend on these technologies.
Window Snyder and Mike Shaver will introduce these tools at BlackHat Las Vegas 2007 and discuss the methods used to identify vulnerabilities in Firefox, plans for expanding the scope of Mozilla's work on Web security, and how Mozilla's security community uses openness and transparency to protect 100 million users around the world. Learn how to apply Mozilla's tools and techniques to secure your own software, and get an early look at new security features for Firefox 3.
Category: Announcements, Conferences, Security | 1 Comment
06.01.07 - 04:56pm
Welcome to the Mozilla Security blog. This is the place to come for updates on what is going on with security at Mozilla.
Category: Announcements, Security | 3 Comments