Why an outdated Java Plugin is so serious

Recently, Mozilla responded to an imminent threat to Firefox users who have an outdated Java plugin installed: Vulnerable versions of the plugin were blocked automatically (see blog post). Since then, I’ve been asked a few times why this is important; others have complained that their <any large number> corporate/government installations don’t work anymore because they depend on an outdated Java version (note that some of these problems/complaints were probably caused by a bug in the initial deployment of the blocklisting entry itself that is now fixed). While we all understand that an operational Java Plugin is absolutely crucial for some users, I’d like to emphasize how critical the situation requiring the block is by providing more details concerning this incident and why it is indeed more serious than some people might think.

ADBFuzz – A Fuzz Testing Harness for Firefox Mobile

Fuzz testing (automated, random testing) is an important part of nearly every application security life cycle. While there are a lot of tools, frameworks and harnesses available for regular desktop platforms/operating systems, there’s still a lot missing in the mobile sector which is becoming increasingly important.

In this article, I will describe the necessary implementation steps for a mobile fuzzing harness and provide a proof-of-concept implementation called ADBFuzz that allows anyone to run fuzzers written in JavaScript in Firefox Mobile on Android. In the near future, we will also likely release internal fuzzers that can be used with this harness.

Update on Address Sanitizer

In a previous blog post, I outlined how the memory error detection tool Address Sanitizer (ASan) can be used with Firefox to find memory problems with a high degree of performance and how it can even detect certain errors that conventional tools missed.

While it was very complex to build Firefox with ASan support in the past, we now provide a much easier way (achieved by landing bug 727445).

Mozilla CTF – Challenge 15 Walkthrough

Recently, Mozilla held a CTF (Capture the Flag) contest where teams had to solve a set of challenges from different areas of security. I was asked to create one of these challenges (CH15) and decided to use a real (old) Firefox JS engine vulnerability for that purpose.

Trying new code analysis techniques

Recently, we decided to try two new code analysis techniques for the Mozilla code base: the memory error detector “Address Sanitizer (ASan)” and a static analysis tool, the “Clang Static Analyzer.”

It’s a Bird, It’s a Plane…

No! :D It’s real, I do have a blog now.

And I promise to try keeping it filled with posts about my work, security in general and technical stuff.

Enjoy :)
