04.06.12 - 01:54pm
Recently, Mozilla responded to an imminent threat to Firefox users who have an outdated Java plugin installed: Vulnerable versions of the plugin were blocked automatically (see blog post). Since then, I’ve been asked a few times why this is important; others have complained that their <any large number> corporate/government installations don’t work anymore because they [...]
Category: Learning Material, Security, Vulnerabilities
03.09.12 - 05:25pm
Fuzz testing (automated, random testing) is an important part of nearly every application security life cycle. While there are a lot of tools, frameworks and harnesses available for regular desktop platforms/operating systems, there’s still a lot missing in the mobile sector which is becoming increasingly important. In this article, I will describe the necessary implementation [...]
Category: Fuzzing, Learning Material, Security, Testing
03.09.12 - 12:36am
In a previous blog post, I outlined how the memory error detection tool Address Sanitizer (ASan) can be used with Firefox to find memory problems with a high degree of performance and how it can even detect certain errors that conventional tools missed. While it was very complex to build Firefox with ASan support in [...]
Category: Code Analysis, Fuzzing, Security
02.01.12 - 12:30am
Recently, Mozilla held a CTF (Capture the Flag) contest where teams had to solve a set of challenges from different areas of security. I was asked to create one of these challenges (CH15) and decided to use a real (old) Firefox JS engine vulnerability for that purpose.
Category: Learning Material, Security, Vulnerabilities
01.27.12 - 06:25pm
Recently, we decided to try two new code analysis techniques for the Mozilla code base, the memory error detector “Address Sanitizer (ASan)” and a static analysis tool, the “Clang Static Analyzer.”
Category: Code Analysis, Security, Testing