Protecting Users Against Java Security Vulnerability

mcoates


Update – Aug 31, 2012

Yesterday Oracle released a patch for the critical vulnerabilities identified within Java.

Visit the Mozilla Plugin Check webpage to find out if your Java plugin needs to be updated:
https://www.mozilla.org/plugincheck/

Additional information from Oracle can be found here:
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121


Update – Aug 29, 2012:

We’ve been closely monitoring the recent Java security vulnerability and evaluating different options to best protect our users.

Our goal is to provide protection to Firefox users against this actively exploited vulnerability in Java while also leaving the user in control so they can choose to allow Java on important sites that they trust.

We are still working out the implementation details, but our solution will accomplish two primary objectives:

  1. By default, vulnerable versions of Java will be disabled for our Firefox users.
  2. Users will be provided the option to enable Java through a clear and visible message that will be displayed anytime the user views a page using Java.

We’ll provide additional updates when items are finalized. In the interim, we still advise users to disable the Java plugin as described below.

Lastly, starting this week in Aurora and Beta we’ll begin adding the components of click-to-play, a Firefox security control that helps protect users against outdated and vulnerable plugins. We anticipate this new security feature to be fully operational by Firefox 18.


Original Post Aug 28, 2012

Issue

Mozilla is aware of a security vulnerability (CVE-2012-4681) in the current version of Java 7 (version 1.7, updates 0 through 6) that is being actively exploited to compromise users. Firefox users may be vulnerable to this issue if they are running the Java plugin within their browser.

Impact to Users

An attacker could exploit this vulnerability to download and execute malware onto a user’s machine.

We have received reports of this vulnerability being actively used in targeted attacks, and the malicious exploit code is also available in common exploit kits, indicating that the number of attacks may increase.

Status

At this time there is no patch available from Oracle to address the vulnerability within Java. We recommend that users disable the Java plugin within Firefox to ensure they are protected against this vulnerability.

Steps to disable the Java plugin can be found here:
http://support.mozilla.org/kb/How+to+turn+off+Java+applets
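The policy described above amounts to a version check: Java 7 (1.7) updates 0 through 6 are the vulnerable range, and anything in it is disabled by default unless the user opts in. The following is an added example of that check, not Mozilla’s own blocklist code; the version-string formats it accepts and the fail-closed handling of unknown strings are assumptions.

```python
import re
from typing import Optional, Tuple

# Added example, not Mozilla's code. Decides whether a Java plugin version
# falls in the range the post describes as vulnerable to CVE-2012-4681:
# Java 7 (reported as 1.7), updates 0 through 6.
VULNERABLE_MAJOR = (1, 7)       # Java 7 is versioned 1.7.x
LAST_VULNERABLE_UPDATE = 6      # updates 0..6 are vulnerable per the post

# Assumed formats: "1.7.0_06" style version strings and the
# "Java(TM) Platform SE 7 U6" style names browsers show for the plugin.
_DOTTED = re.compile(r"^(\d+)\.(\d+)\.\d+_(\d+)$")
_PLUGIN_NAME = re.compile(r"SE\s+(\d+)\s+U(\d+)$", re.IGNORECASE)


def parse_java_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, update), or None if the string is not understood."""
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3))
    m = _PLUGIN_NAME.search(text)
    if m:
        # Plugin names say "SE 7"; that corresponds to 1.7
        return 1, int(m.group(1)), int(m.group(2))
    return None


def is_vulnerable(text: str) -> bool:
    """True if the version is Java 7 update 0..6, the range the post blocks."""
    parsed = parse_java_version(text)
    if parsed is None:
        # Assumption: an unrecognised version string is treated as vulnerable
        # (fail closed), matching the post's disable-by-default stance.
        return True
    major, minor, update = parsed
    return (major, minor) == VULNERABLE_MAJOR and update <= LAST_VULNERABLE_UPDATE


def plugin_action(text: str) -> str:
    """What the described policy does with a plugin reporting this version."""
    if is_vulnerable(text):
        return "disabled-by-default (user may enable per site)"
    return "allowed"


if __name__ == "__main__":
    for v in ("1.7.0_06", "Java(TM) Platform SE 7 U3", "1.7.0_07", "1.6.0_33"):
        print(f"{v!r:35} -> {plugin_action(v)}")
```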

Protect Your Machine From Losing Internet Connectivity Due to DNSChanger Virus

jstevensen


On Monday, July 9, 2012, approximately 250,000 internet users may lose access to the internet because of changes made to their computers by a malicious virus. The virus that caused this problem is commonly referred to as “DNSChanger”.

If your computer is infected, it may be using malicious DNS servers that give fake answers, alter your searches, and promote fake and dangerous computer products. In addition, an infected computer will show you an altered version of internet sites. There are many ways a machine could have become infected with the DNSChanger virus, including not applying operating system, browser, and browser plugin security updates.

On July 9, the malicious servers that your computer may be communicating with will be shut down by the FBI. If you are infected with DNSChanger, you will lose access to the internet.

We’re reaching out to as many internet users as possible in order to avoid any disruptions in internet service on Monday. Here are a few things you can do now to see if you will be affected.

How can you detect if your computer has been infected with DNSChanger?

There are multiple websites that have been constructed to help users determine if they are infected with DNSChanger. A full list, available in multiple languages, can be found at: http://www.dcwg.org/detect

Each site is designed a little differently; however, the site http://www.dns-ok.us will state whether or not your computer is infected by displaying a green or red graphic.

If you see the green graphic, you are not affected by DNSChanger and no action is needed.

What can I do if my computer has been infected with DNSChanger?

If the check-up site indicates that you are affected, either follow the instructions on that site or go to the http://www.dcwg.org/fix page. This page contains links to detailed tips, tools, and procedures for removing the effects of the DNSChanger virus.

How do I protect my computer from viruses in the future?

Ensure you are regularly updating your operating system and web browser. It’s also important to ensure your plugins are up to date. Check out the following page to learn about keeping your plugins current: http://www.mozilla.org/en-US/plugincheck
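The check-up sites work by looking at which DNS servers your machine actually uses. The following is an added example, not from the original post or the DCWG, of the same idea run locally: it reads resolver entries in resolv.conf format and flags any that fall inside rogue-server address ranges. The ranges in it are labelled placeholders (the post does not list them), and the resolv.conf content is a constructed sample.

```python
import ipaddress
from typing import Iterable, List

# Added example, not from the original post or the DCWG. Flags configured
# resolvers that fall inside address ranges used by rogue DNS servers.
# ASSUMPTION: the ranges below are placeholders (IETF test networks);
# substitute the published DNSChanger ranges from dcwg.org for real use.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder (TEST-NET-3)
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder (TEST-NET-2)
]

# Constructed sample resolv.conf (Linux/OS X resolver configuration).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 203.0.113.7
nameserver 8.8.8.8
"""


def parse_nameservers(lines: Iterable[str]) -> List[str]:
    """Extract resolver addresses from resolv.conf-style lines."""
    servers = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def rogue_resolvers(servers: Iterable[str]) -> List[str]:
    """Return the resolvers that fall inside one of the rogue ranges."""
    hits = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            continue   # skip malformed entries rather than crash
        if any(addr in net for net in ROGUE_DNS_RANGES):
            hits.append(s)
    return hits


def check_resolv_conf(text: str) -> List[str]:
    """Parse resolv.conf text and return the flagged resolver addresses."""
    return rogue_resolvers(parse_nameservers(text.splitlines()))


if __name__ == "__main__":
    flagged = check_resolv_conf(SAMPLE_RESOLV_CONF)
    print("rogue resolvers:", ", ".join(flagged) if flagged else "none")
```

Running it against the real configuration means reading /etc/resolv.conf (or, on Windows, the output of ipconfig /all) instead of the constructed sample.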

“Subscription Trap” Websites

mcoates

“Subscription trap” websites prey on users who are trying to download
legitimate free software. These sites trick users into paying for
expensive subscriptions for otherwise free software. Some even go as far
as threatening users with collection efforts to compel payment. Such
sites have long been a cause for complaint among Firefox users,
particularly in Germany.

State authorities are starting to take the threat to consumers from such
sites seriously. Recently, a criminal court in Hamburg convicted 7
operators of fraud for the operation of such download websites. Part of
the case was based on the unlawful use and infringement of Mozilla’s
trademarks along with a host of other brand owners.

We provided evidence in the case to assist the prosecutors in
establishing their claims. We hope that this will make the Internet a
safer place for people who want to download Firefox and other free software.

7 Tips for Fuzzing Firefox More Effectively

decoder

In the past half year I learned quite a lot about the different fuzzing approaches that security researchers and contributors use on Firefox. Although information on the subject should be public, a lot of it seems hard to find for people who are new to the area. Here are some tips for making your fuzzing on Firefox more successful, based on the problems that I encountered myself and on mistakes that others made that I learned about. Continue reading …

Speeding Up Security Reviews

yboily

At Mozilla we have a strong commitment to security; unfortunately due to the volume of work underway at Mozilla we sometimes have a bit of a backlog in getting security reviews done.

Want to speed up your security review request? You can dramatically reduce the turnaround time for your security review request by providing the information below. In addition to this, we are working to expand our overall security review process documentation; you can follow those efforts here.

1. Architecture Diagram

An architecture diagram illustrates how the various components of the service communicate with one another.  This information allows the individual doing the security review to understand which services are required, how and where data is stored, and provides a general understanding of how the application or service works.  Producing an architecture diagram is a good practice as it allows anyone to get a rapid view of how complex a system is, and can inform how much time it will take to work through a review of the system.

Legacy F1 Service Architecture

Examples

Note that these are just examples; the architecture diagram is intended to help the reviewer visualize what they are assessing.  It doesn’t have to be a fancy diagram, and our team has worked from camera shots of whiteboards from meetings!

Marketplace Architecture

2. Detailed Application Diagram

A detailed application diagram is essentially a data flow diagram (DFD): a data flow diagram enumerates each application or service that is a component of a system, and provides a list of the paths that data can flow through. A data flow diagram helps the security reviewer to understand how data moves through the system, how different operations are performed, and, if detailed enough, how different roles within the system access different operations.

While there are a number of different opinions on the “best way” to do a DFD, it is more helpful to have the information than it is to focus on presenting the information “the right way”.

Examples

3. Data flow enumeration

An enumeration of data flows in the application explains how and what data moves between various components.  Note that this doesn’t need to be a rigorous explanation of fields; in this case we want a general description of the message, the origin of the message (browser, third party, service, database, etc), the general contents (e.g. “description of the add-on”, “content to be shared”, etc), and a list of sensitive fields.

Examples

4. Threat Analysis

The next step is reviewing all of this information to build out a list of the threats to an application. The important bit here is that you, as a developer or contributor, know how an application or system works. You know a good set of the failure modes of the application, and you understand the ‘business logic’ of the application. Many developers have a working knowledge of vulnerabilities and can identify these types of issues.

In order to properly perform a threat analysis, a reviewer needs to understand how the various components of the system work and what threats exist, and be able to identify what mitigating controls have been put into place.

Here is an example of what a threat analysis might look like (links below):

The threat analysis should contain, at a minimum, the following information:

  • ID – an identifier for the threat
  • Title – a concise description of the threat
  • Threat – a description of the threat
  • Mitigations – a recommendation for a control that can be implemented
  • Threat Agent – a list of the potential actors considered that would exploit a vulnerability
  • Notes – related comments that contribute to the analysis, but don’t belong in other columns
  • Rating – a qualitative scoring for a vulnerability in the context of this application
  • Impact – a qualitative score representing the impact should a vulnerability be exploited
  • Likelihood – a qualitative score representing the likelihood of a vulnerability being exploited

Additional information on how we assess and rate threats will be published as part of the documentation for our risk rating and security review processes.

Examples

Help us help you!

Part of determining the scope of a security review is understanding how an application works and what the risks are; the documentation described in this post helps us to understand this and will ensure that we can complete a security review as quickly as possible.  Beyond that, as teams understand how security reviews are performed it gives them the opportunity to take ownership of security and build it more effectively into their own processes.

As with other Mozilla teams we are actively pursuing better community engagement and always welcome feedback.


Why an outdated Java Plugin is so serious

decoder


Recently, Mozilla responded to an imminent threat to Firefox users who have an outdated Java plugin installed: Vulnerable versions of the plugin were blocked automatically (see blog post). Since then, I’ve been asked a few times why this is important; others have complained that their <any large number> corporate/government installations don’t work anymore because they depend on an outdated Java version (note that some of these problems/complaints were probably caused by a bug in the initial deployment of the blocklisting entry itself that is now fixed). While we all understand that an operational Java Plugin is absolutely crucial for some users, I’d like to emphasize how critical the situation requiring the block is by providing more details concerning this incident and why it is indeed more serious than some people might think.

What’s wrong with the blocked version of Java?

With the most recent Java update, Oracle fixed quite a few security vulnerabilities (see advisory page), including a vulnerability listed as CVE-2012-0507. Up to this point, this isn’t really unusual, as most of these updates fix one or more security problems.

However, not even 6 weeks after the release of the Java update, the Microsoft Malware Protection Center received malware samples that exploit the specified vulnerability in a very reliable way and use it to install a well-known trojan, the ZeuS bot. There was now evidence that the vulnerability was not just theoretical but had become a practical avenue to infect machines with malware. You can read the full blog post from Microsoft here (this is a technical post, so it’s likely only interesting to you if you have a technical background).

“I’m not getting attacked anyway”

Shortly after the Microsoft post, Brian Krebs published a blog post on the topic, stating that the exploit is now being integrated into well-known exploit kits, e.g. the Blackhole exploit kit. These kits can be purchased on the black market and are usually integrated invisibly into hacked websites or indirectly served on websites through hacked content providers (imagine the number of vulnerable users you can reach when you break into an advertisement server and include your malware in banners served to other sites). With this step, the threat became more serious: unless you just don’t browse the Internet at all, the risk of getting infected is very real. Of course, there might be a minority of users that only ever browse a corporate intranet, which mitigates the risk, but this isn’t really the common use case for a web browser. If a user absolutely needs the older, vulnerable version of Java, they can still bypass the warning.

“I have a Mac, I’m safe”

While this might have been true at some point in the past, the threat landscape for Mac/OS X has changed quite a bit in the last few years. As the popularity of the Mac platform has grown, so has its attractiveness as a target for attackers. Only a few days ago, F-Secure announced that the Flashback trojan, a well-known piece of Mac malware, is now exploiting the very same vulnerability we’ve been discussing so far. You can read the post here to get all the technical details about it. According to recent reports, the number of infected Mac/OS X machines recently grew rapidly to over half a million and is still growing. As such, the threat to Mac users is evident and imminent, thus prompting our response on all platforms. Note that Apple has recently released a Java update as well that addresses this vulnerability.

Summary

In reviewing the actions and threats for this Java vulnerability, or, for that matter, any security issue, we take the balance of security vs. usability very seriously. This situation is an instance where we felt the balance had tipped towards taking a security action that has a minor adverse effect on the user community as a whole. The desired goal is to protect our users, to encourage them to upgrade to more recent, secure versions of plug-ins, and to maintain our history of thoughtful security action.

Acknowledgements

Thanks to the various people involved in getting the proper blocks in place so quickly, that was an amazing job. Thanks also to Curtis Koenig, Dan Veditz and Ian Melven for reviewing/editing this post :)

Make Things Better (or, how I learned to stop worrying and love security again)

mgoodwin


Working in application security can be frustrating. Often you’re working around problems in software you have little control over, making ugly bandaids that must stay in place until a vendor wakes up to an issue.

Perhaps this is why security folk, as a community, have gotten into the habit of complaining about how things are broken and leaving it there; how often have you attended a presentation where a vendor is criticised for making a mistake, but no solution is suggested, or help offered?

This frustration is one of the reasons I was really excited about coming to Mozilla. “Finally! I can make a difference!”, I thought. It didn’t take long for me to realise I’d missed something important; there was nothing stopping me before. You don’t need to be a Mozilla employee to contribute.

Why?

Because Mozilla is open. Not ‘open’ as in “here’s this neat thing we built behind closed doors (and here’s the source)”, rather, the kind of open that allows anyone with good ideas and talent to make a difference. We develop everything in the open so you can contribute ideas, patches and security guidance too.

I didn’t realise that I could contribute in all of these ways; had it occurred to me, some of the things I’m working on now could have been in the browser I used years ago. Has it occurred to you?

So what can you do?

We’re going to be giving some additional ideas of areas where you can get involved over the coming weeks; watch this space!

– Mark Goodwin
Twitter: @mr_goodwin

ADBFuzz – A Fuzz Testing Harness for Firefox Mobile

decoder

Fuzz testing (automated, random testing) is an important part of nearly every application security life cycle. While there are a lot of tools, frameworks and harnesses available for regular desktop platforms/operating systems, there’s still a lot missing in the mobile sector which is becoming increasingly important.

In this article, I will describe the necessary implementation steps for a mobile fuzzing harness and provide a proof-of-concept implementation called ADBFuzz that allows anyone to run fuzzers written in Javascript in Firefox Mobile on Android. In the near future, we will also likely release internal fuzzers that can be used with this harness. Continue reading …

Update on Address Sanitizer

decoder


In a previous blog post, I outlined how the memory error detection tool Address Sanitizer (ASan) can be used with Firefox to find memory problems with a high degree of performance, and how it can even detect certain errors that conventional tools missed.

While it was very complex to build Firefox with ASan support in the past, we now provide a much easier way (achieved by landing bug 727445). One of the most important changes is that from now on, no patching of Clang/LLVM is required anymore. Secondly, no further patches to Firefox are required for building, only a custom build configuration must be used. The build manual has been updated accordingly to reflect these changes. We hope that this encourages more people to try this tool and help us to improve Firefox.

- Christian Holler
Security Engineer