Using Coverage Data for Security
decoder
We recently started measuring C/C++ code coverage on mozilla-central again and documented the various efforts around it in a new MDN article.
mcoates
Update – Aug 31, 2012: Yesterday Oracle released a patch for the critical vulnerabilities identified within Java. Visit the Mozilla Plugin Check webpage to find out if your Java plugin needs to be updated: https://www.mozilla.org/plugincheck/ Additional information from Oracle can …
decoder
In the past half year I learned quite a lot about the different fuzzing approaches that security researchers and contributors use on Firefox. Although information on the subject should be public, a lot of it seems hard to find for …
decoder
Recently, Mozilla responded to an imminent threat to Firefox users who have an outdated Java plugin installed: Vulnerable versions of the plugin were blocked automatically (see blog post). Since then, I’ve been asked a few times why this is important; …
decoder
Fuzz testing (automated, random testing) is an important part of nearly every application security life cycle. While there are a lot of tools, frameworks and harnesses available for regular desktop platforms/operating systems, there’s still a lot missing in the mobile …
decoder
In a previous blog post, I outlined how the memory error detection tool Address Sanitizer (ASan) can be used with Firefox to find memory problems with a high degree of performance and how it can even detect certain errors that …
Johnathan Nightingale
Earlier today we sent an email to all certificate authorities in the Mozilla root program to clarify our expectations around certificate issuance. In particular, we made it clear that the issuance of subordinate CA certificates for the purposes of SSL …
Johnathan Nightingale
Earlier this week we revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we …
Johnathan Nightingale
This is a follow-up to the previous Mozilla report about the fraudulent certificates issued by Comodo last week. On 15th March 2011, an RA partner of the Comodo CA suffered an internal security breach (Comodo incident report). The attacker used …
Johnathan Nightingale
Issue: Mozilla has been informed about the issuance of several fraudulent SSL certificates for public websites. The certificates have been revoked by their issuer which should protect most users. This is not a Firefox-specific issue. As part of our ongoing …