Mozilla Tackles Malicious Web Pages In Upcoming Firefox V3

Mozilla's head of product security tells InformationWeek about new features in the works that will identify malicious sites and warn users away from them.
Mozilla is working on a new feature for the upcoming version of its Firefox browser that will identify malicious Web pages and alert users to the danger.

With the number of malicious Web pages mushrooming over the past several months, Mozilla is looking to help users defend themselves from the burgeoning attack. Window Snyder, "chief security something-or-other" at Mozilla, said in an interview that they're working on a two-pronged solution.

Developers at Mozilla are working on giving Firefox V3.0, which is due out later this year, the ability to detect malicious code on Web sites that users are trying to access, according to Snyder. They're also working equally as hard on creating a user interface that will warn users that the page they're trying to call up is dangerous. And Snyder said she wants to make sure it's a warning that users won't be quick to dismiss.

"We don't want to just pop up an alert then gives them an OK or cancel option. This is a very dangerous scenario," said Snyder. "We want to create a warning that users won't mistake... It's going to be a different kind of warning and it's not going to be a click through."

Security company Sophos reported last month that the number of malicious Web sites has skyrocketed over the past few months, going from 5,000 new ones a day in April to nearly 30,000 a day in early July. One reason, according to Sophos researchers, is that hackers are increasingly turning away from e-mail as their preferred method of spreading malware and putting their focus on the malicious Web site. In some cases, they're creating their own malicious Web sites, but in most cases they're hacking into legitimate sites and embedding malware into them.

Snyder, who is tasked with overseeing the security of Mozilla's different products, has said in other interviews with InformationWeek that Mozilla technicians are working to create user interfaces that will help users make smarter -- safer -- decisions. And this, she noted, is one of those instances.

"This is about how to communicate to a user," she added. "In Firefox 2, there's no mechanism that identifies if malware is present. This is a new functionality. I think one of the most difficult aspects of implementing something like this is making sure the user interface communicates clearly to the user. We don't want a warning dismissed because they had a task in mind and the warning is just in their way. We want to make sure the [user interface] is the sort of thing users won't be able to sail through without a real context change."

While she said it's still a work in progress and it could change dramatically before Firefox 3.0 ships, right now the mock up of the alert appears as a red-letter warning that does not have a click-through option. The malicious page would not be able to load.

Snyder said technicians are still debating whether there should be an over-ride mechanism that allows the user to go to the malicious page regardless of the danger. As it's set up now, they wouldn't be able to.

She also pointed out that Mozilla programmers are rewriting a lot of the Firefox code for the upcoming version release of the open-source browser. Most of the components in the current version of Firefox are being touched, she said, adding that programmers are replacing a lot of older code to increase performance, make the code base more modular and handle new security threats, like phishing.

Snyder had said in an earlier interview that some components that are written in native code are being rewritten in managed code to reduce memory management flaws, like buffer overflow vulnerabilities. Managed code executes in a virtual machine, so there is less space for memory management issues to occur.

Editor's Choice
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Terry White, Associate Chief Analyst, Omdia
John Abel, Technical Director, Google Cloud
Richard Pallardy, Freelance Writer
Cynthia Harvey, Freelance Journalist, InformationWeek
Pam Baker, Contributing Writer