Mozilla Delivers Security Tools, Previews Firefox 3 At Black Hat - InformationWeek
Software // Enterprise Applications
07:20 PM

Mozilla Delivers Security Tools, Previews Firefox 3 At Black Hat

Now Mozilla is making its JavaScript fuzzer available to anyone who wants to use it, and it'll be followed later this year by fuzzers for the HTTP and FTP protocols.

Browser security has long been criticized as a flawed construct, but that hasn't stopped browsers from being the default interface for most of the Web's users.

In a bid to improve browser security, both within Firefox and among competing browsers, the Mozilla Foundation Thursday announced several open-source security testing tools, in addition to several security enhancements coming with Firefox 3, scheduled for availability by the end of the year.

Mozilla has been using an open-source application security testing tool, known as a fuzzer, for JavaScript to detect and fix dozens of security bugs in Firefox, Mozilla director of ecosystem development Window Snyder said Thursday at the Black Hat USA 2007 conference in Las Vegas. The JavaScript fuzzer found 280 bugs in Firefox, 27 of which were exploitable.

Now Mozilla is making that JavaScript fuzzer available to anyone who wants to use it, and it'll be followed later this year by fuzzers for the HTTP and FTP protocols.

"The FTP and HTTP protocol fuzzers act like fake servers that send bad data to sites," Snyder told InformationWeek.The HTTP fuzzer emulates an HTTP server to test how an HTTP client handles unexpected input. The FTP fuzzer likewise tests how an FTP client handles unexpected data.

Mozilla worked with Microsoft, Apple, and Opera before making the JavaScript fuzzer widely available in order to reduce the possibility that the tool might be used to expose vulnerabilities in those browsers. All of these browser vendors reviewed the tool and let told Mozilla know that they were okay with the release, Snyder said.

Mozilla's presentation also included a look at some of the new security features for Firefox 3. Expect Firefox 3 to include new phishing and malware protection, extended validation certificates, improved password management, and a security user interface. Knowing that Web users rarely look at the symbols and other information located around the perimeter of the browser page, also known as the chrome, Firefox 3 is designed to make sure that suspected Web forgeries aren't missed, "even though users don't look for them," Mozilla Project co-founder Mike Shaver said Thursday at Black Hat.

In some cases Firefox 3 will not only issue a warning that a site is unsafe, it will prevent the user from accessing that site, "so the users can't just ignore the warnings," Shaver said. "This feature is not without controversy of course."

Mozilla's Black Hat announcements follow the release earlier this week of Firefox, designed to fix vulnerabilities that could allow the Firefox browser to pass dangerous data to third-party applications like Microsoft's Internet Explorer. Mozilla's new workarounds and patches come just a few weeks after the organization delivered Firefox, which included patches for several other vulnerabilities.

The company is hoping this proactive approach to security will alleviate the need for such incremental browser updates.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll