You are at the archive for the Security Category:

Why an outdated Java Plugin is so serious

Recently, Mozilla responded to an imminent threat to Firefox users who have an outdated Java plugin installed: Vulnerable versions of the plugin were blocked automatically (see blog post). Since then, I’ve been asked a few times why this is important; others have complained that their <any large number> corporate/government installations don’t work anymore because they […]

ADBFuzz – A Fuzz Testing Harness for Firefox Mobile

Fuzz testing (automated, random testing) is an important part of nearly every application security life cycle. While there are a lot of tools, frameworks and harnesses available for regular desktop platforms/operating systems, there’s still a lot missing in the mobile sector which is becoming increasingly important. In this article, I will describe the necessary implementation […]

Update on Address Sanitizer

In a previous blog post, I outlined how the memory error detection tool Address Sanitizier (ASan) can be used with Firefox to find memory problems with a high degree of performance and how it can even detect certain errors that conventional tools missed. While it was very complex to build Firefox with ASan support in […]

Mozilla CTF – Challenge 15 Walkthrough

Recently, Mozilla held a CTF (Capture the Flag) contest where teams had to solve a set of challenges from different areas of security. I was asked to create one of these challenges (CH15) and decided to use a real (old) Firefox JS engine vulnerability for that purpose.

Trying new code analysis techniques

Recently, we decided to try two new code analysis techniques for the Mozilla code base, the memory error detector “Address Sanitizer (ASan)” and  a static analysis tool, the “Clang Static Analyzer.”

This blog is protected by Dave\'s Spam Karma 2: 29907 Spams eaten and counting...