News
News
8/10/2007
03:15 PM
Connect Directly
RSS
E-Mail
50%
50%

Mozilla Aims To Warn Users About Dangerous Sites

The next version of Firefox will identify malware on Web sites and make users stop and think about it.

With the number of malicious Web pages mushrooming over the past several months, the Mozilla Foundation is looking to help users defend themselves. Window Snyder, who is Mozilla's "chief security something-or-other," says the company is taking a two-pronged approach.

First, Mozilla developers are working on giving Firefox 3.0, the next version of the open source browser due later this year, the ability to detect malicious code on Web sites that users are trying to access. "In Firefox 2, there's no mechanism that identifies if malware is present," says Snyder.


Users won't ignore this warning, vows Window Snyder.

Users won't ignore this warning, vows Snyder
Second, developers are working on creating an interface that will warn users that the pages they're trying to call up are dangerous. "We don't want to just pop up an alert that gives them an OK or cancel option," says Snyder. "We want to create a warning that users won't mistake. ... It's going to be a different kind of warning, and it's not going to be a click-through."

Security company Sophos reported last month that the number of malicious Web sites has skyrocketed over the past few months, from 5,000 new ones a day in April to nearly 30,000 a day in early July. One reason, according to Sophos researchers, is that hackers are increasingly turning away from e-mail as their preferred method of spreading malware and putting their focus on malicious sites. In some cases, they're creating their own sites, but in most cases they're hacking into legitimate sites and embedding malware into them.

The mock-up of the alert appears as a red-letter warning that doesn't have a click-through option, and the malicious page wouldn't be able to load. It's still a work in progress, and it could change dramatically before Firefox 3.0 ships, Snyder says. Technicians are debating whether there should be an override mechanism that lets users go to malicious pages regardless of the danger.

One of the most difficult aspects of implementing something like this is making sure the interface communicates clearly to the user, that it's "the sort of thing users won't be able to sail through without a real context change," Snyder says.

Mozilla programmers are rewriting a lot of the Firefox code for the upcoming version release, Snyder says. They're replacing much of the older code to increase performance and make the code base more modular, able to handle new security threats like phishing. In a previous interview, Snyder said some of the browser's components that are written in native code are being rewritten in managed code to reduce memory management flaws, like buffer overflow vulnerabilities. Managed code executes in a virtual machine, so there's less space for memory management problems.

10 DAYS
Meanwhile, Mozilla faced another security-related issue recently, one of its own making. An executive appeared to suggest the company could patch any known security vulnerability within 10 days. Snyder, who was quick to try to clear up what Mozilla says was a muddled message, says on her blog that Mozilla doesn't set such parameters: "We do not think security is a game, nor do we issue challenges or ultimatums."

That's not what it sounded like at the Black Hat security conference two weeks ago in Las Vegas. Mike Shaver, director of ecosystem development at Mozilla, passed a business card to security researcher Robert Hansen, known as RSnake, with "ten [expletive] days" written on it. Hansen wrote on his blog that Shaver was claiming that, with responsible disclosure, Mozilla could patch any critical hole in that amount of time. Wrote Hansen, "I told him I would post his card--and he didn't flinch. No, he wasn't drunk. He's serious."

Snyder says Shaver meant that, since Mozilla got a recent security update out in only 10 days, there's no reason security researchers should post details of a vulnerability before a patch is available. But security bloggers pounced on what sure sounded like a challenge. Admits Snyder, "His statement has taken on a life of its own."

Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government Tech Digest Oct. 27, 2014
To meet obligations -- and avoid accusations of cover-up and incompetence -- federal agencies must get serious about digitizing records.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of October 26, 2014 and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.