How Mozilla finds crash bugs
This Tuesday (2009-07-21), I’m organizing a crash bug triage day where anyone interested can help us classify the swamp of open crash bugs. Join us in #bugday on irc.mozilla.org if … Read more
Articles in “Firefox”
milw0rm 9158 “stack overflow” crash not exploitable (CVE-2009-2479)
In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these … Read more
Critical JavaScript vulnerability in Firefox 3.5
Al Billings
Issue A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code. … Read more
Shutting Down XSS with Content Security Policy
Al Billings
For several years, Cross-Site Scripting (XSS) attacks have plagued many of the web’s most popular sites and victimized their users. At Mozilla, we’ve been working for the last year on … Read more
CanSecWest 2009 Pwn2Own Exploit and XSL Transform Vulnerability
Lucas Adamski
Issue The pwn2own bug that Nils discovered at CanSecWest 2009 and the XSLT vulnerability recently made public by Guido Landi (http://www.securityfocus.com/bid/34235) are both critical issues that can result in malicious … Read more
Beware the Security Metric
Lucas Adamski
Security metrics are very difficult to do well, and easy to do poorly. For example, take a look at the recent Secunia “2008 Report” (http://secunia.com/gfx/Secunia2008Report.pdf). It tries to break down … Read more
The Importance of Good Metrics
Johnathan Nightingale
There has been some interest in the last few days about a recent report from a company called Bit9 about application vulnerabilities. While we’re always happy to see stories that … Read more
Malicious Firefox Plugin
Window Snyder
Issue A malicious piece of software masquerading as a legitimate and popular Firefox plugin is spreading. Trojan.PWS.ChromeInject.A collects a user’s passwords from banking and other sites and forwards them to … Read more
Low Risk Denial of Service in Firefox
Window Snyder
Issue A null pointer dereference in the content layout component of Firefox allows an attacker to crash the browser when a user navigates to a malicious page. Impact If a … Read more
TippingPoint vulnerability patched in Firefox 3.0.1 and 2.0.0.16
Window Snyder
Issue A vulnerability in the way Firefox handles CSS allows an attacker to take advantage of an integer overflow and execute arbitrary code. In order for the attack to be … Read more
Mozilla Security Metrics Project
Window Snyder
Mozilla has been working with security researcher and analyst Rich Mogull for a few months now on a project to develop a metrics model to measure the relative security of … Read more
Firefox users most likely to run latest version of the browser
Window Snyder
A recent report identified Firefox users as most likely to be running the latest version of the browser at any point in time. Brian Krebs at the Washington Post comments … Read more