Helping users keep plugins updated
Starting with the upcoming releases of Firefox 3.5.3 and Firefox 3.0.14, Mozilla will warn users if their version of the popular Adobe Flash Player plugin is out of date. Old … Read more
The best way for users to stay safe online is to use an updated browser. While most Firefox users get updated quickly, some fall behind for various reasons. We’re looking … Read more
Issue: The URL in the address bar can be spoofed when a new window or tab is opened by a malicious web page. Impact to users: If a user visits … Read more
Computers are increasingly mobile and, to serve them, more and more public spaces (cafes, airports, libraries, etc.) offer their customers WiFi access. When a web browser on such a network … Read more
This Tuesday (2009-07-21), I’m organizing a crash bug triage day where anyone interested can help us classify the swamp of open crash bugs. Join us in #bugday on irc.mozilla.org if … Read more
In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these … Read more
Issue: A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code. … Read more
For several years, Cross-Site Scripting (XSS) attacks have plagued many of the web’s most popular sites and victimized their users. At Mozilla, we’ve been working for the last year on … Read more
Issue: The pwn2own bug that Nils discovered at CanSecWest 2009 and the XSLT vulnerability recently made public by Guido Landi (http://www.securityfocus.com/bid/34235) are both critical issues that can result in malicious … Read more
Security metrics are very difficult to do well, and easy to do poorly. For example, take a look at the recent Secunia “2008 Report” (http://secunia.com/gfx/Secunia2008Report.pdf). It tries to break down … Read more
There has been some interest in the last few days about a recent report from a company called Bit9 about application vulnerabilities. While we’re always happy to see stories that … Read more
Issue: A malicious piece of software masquerading as a legitimate and popular Firefox plugin is spreading. Trojan.PWS.ChromeInject.A collects a user’s passwords from banking and other sites and forwards them to … Read more