Recently, Mozilla responded to an imminent threat to Firefox users who have an outdated Java plugin installed: Vulnerable versions of the plugin were blocked automatically (see blog post). Since then, … Read more
Mozilla recently implemented a block for older versions of Java (Version 6 Update 30 and below as well as Version 7 Update 2 and below) which are vulnerable to a … Read more
Working in application security can be frustrating. Often you’re working around problems in software you have little control over, making ugly bandaids that must stay in place until a vendor … Read more
Fuzz testing (automated, random testing) is an important part of nearly every application security life cycle. While there are a lot of tools, frameworks and harnesses available for regular desktop … Read more
In a previous blog post, I outlined how the memory error detection tool Address Sanitizier (ASan) can be used with Firefox to find memory problems with a high degree of … Read more
On Monday, February 27, security researcher Brenda Larcom came to Mozilla to present on security threat modeling. This was a discussion on the Trike methodology for threat modeling that she … Read more
On Tuesday 28th February, Mark Goodwin from Mozilla’s Application Security team will be presenting a guest lecture at the University of Warwick. This session will introduce students to web security … Read more
We’ve decided to reorganize our security teams and as part of the change we are going to be using this blog in some new ways. The most notable change is … Read more
Earlier today we sent an email to all certificate authorities in the Mozilla root program to clarify our expectations around certificate issuance. In particular, we made it clear that the … Read more
Issue The libpng graphics library, used by Firefox and Thunderbird as well as many other software packages, contains an exploitable integer overflow bug. An attacker could craft malicious images which … Read more
Issue Entrust, Inc., a certificate authority in Mozilla’s root program, has informed us that one of their subordinate CAs, the Malaysian company DigiCert Sdn. Bhd, has issued 22 certificates with … Read more
UPDATE 10.18.11: Today, Oracle is releasing a patch update to Java SE to address this vulnerability. We recommend that users update their Java plugin to ensure that they have the … Read more