Mozilla Giving Away Security Testing Tools

Mozilla is releasing some of its own security tools to the open-source community.
Gregg Keizer, Computerworld

Mozilla Corp. will release some of its homegrown security tools to the open-source community, the company's head of security said Wednesday, starting with a "fuzzer" it uses to pin down JavaScript bugs in Firefox.

The JavaScript fuzzer, said Window Snyder, Mozilla's security chief since last September, will be handed over Thursday morning, following a presentation at Black Hat, a two-day security conference that opened Wednesday in Las Vegas.

"We're announcing that we'll be sharing our tools with the community, and releasing the JavaScript fuzzer then," said Snyder. Other tools will follow, including fuzzers that stress-test the HTTP and FTP protocols. Those two tools, however, are not ready to offer to outsiders, largely because Mozilla wants to wrap up talks with other browser vendors before they are shared.

Fuzzing, a technique used by both white- and black-hat researchers trolling for vulnerabilities, and by developers to finger flaws in their code before it goes public, drops data into applications or operating system components to see if -- and where -- breakdowns occur. Typically, the process is automated with a fuzzer, the term for software that hammers on application inputs. The JavaScript fuzzer, Snyder said, has identified "dozens" of vulnerabilities in Firefox code.

Snyder said Firefox developers have created many tools, and though a lot of them are small, special-purpose ones, all of them could be useful to others.

"We want to make the work we're already doing available to other people and to other products" in the hope that the tools might help developers outside Mozilla spot problems in their code, she said. Snyder sees a direct benefit to Mozilla, too. The more people who bang on the tool, tweak it and modify it, the better the tools should become, she said.

She seemed unconcerned that any tool Mozilla released would prove a significant danger to users. Although hackers also use fuzzers in their vulnerability-sniffing tool kits, "the tool isn't bad or good on its own," Snyder argued. "They use debuggers all the time. Debuggers aren't bad" because of that.

Mozilla might have wished it had fuzzed Firefox a bit more over the past three weeks, when it was caught in a name-calling contest between it and Microsoft Corp. supporters. Early last month, Danish researcher Thor Larholm found what he said was a critical input-validation bug in Internet Explorer that let the browser pass potentially malicious URLs to other programs, including Firefox. He laid blame on IE, while other security experts said it was Firefox's fault.

Shortly after that, Snyder hinted that she saw the whole mess as an IE problem, but within days acknowledged that Firefox was guilty of the same behavior. "We thought this was just a problem with IE," she said July 23. "It turns out, it is a problem with Firefox as well."

Wednesday, she said that the very public disagreements between security experts as to which browser was to blame had actually been a good thing. "Debate is healthy," she said. "And if we're wrong, we say we're wrong and move on."

Mozilla updated Firefox twice in July, first on July 17 with 2.0.0.5, and then Monday when it released Version 2.0.0.6. Both updates included fixes for the URL protocol handling bug that started the brouhaha. "We weren't twiddling our thumbs during all of this," said Snyder. "We were also on the back end moving forward with fixes."

At Black Hat, Snyder and fellow Mozilla executive Mike Shaver, the company's technology strategist, also plan to discuss the new security features of Firefox 3, the major update that currently is in preview testing. Firefox 3 is expected to ship sometime this year.


Source: pcworld.com
