LAS VEGAS -- The next major release of the popular Firefox
browser will include a number of significant security upgrades
designed to protect users from both attackers and from
themselves.
The most visible changes will be the additions of new
anti-phishing and anti-malware capabilities that are designed to
prevent users from endangering themselves by visiting malicious
sites. The phishing protection takes the form of a red icon in the
address bar and an accompanying pop-up dialog box warning the user
that the site he's visiting is a suspected phishing site. The user
will have the option of closing the box and continuing on to the
suspicious site or being redirected away from it, said Window
Snyder, head of the security group at the Mozilla Foundation, which
maintains Firefox. Snyder, along with Mike Shaver, director of
ecosystem development and one of the founders of the Mozilla
project, described the new security tools in a presentation at the
Black Hat USA Briefings here last week.
The new anti-malware function in Firefox is much more aggressive
than the anti-phishing tool. Instead of giving users the choice of
visiting a suspected malicious site, when Firefox 3 encounters a
site that is known or suspected of hosting malware, it will prevent
the user from actually connecting to the site. It also will throw
up a full-page warning that tells the user that the site is known
to be an attack/malware-hosting site and Firefox is preventing the
user from connecting to it. Firefox 3 also will allow users to
report suspect sites that the browser doesn't yet recognize as
being malicious.
Snyder and Shaver emphasized that Firefox 3 is still in
development and it's not yet certain whether all of the currently
planned features and tools will end up making it into the final
version of the browser. But the clear motivation behind all of the
security upgrades is making it as simple as possible for ordinary
Web surfers to avoid unsafe content without having to become
security experts.
"In the long term, we'd like to be known for making the Web a
safer place," Shaver said.
That's an ambitious goal, to be sure, and it's one that a number
of other organizations and companies are trying to help Mozilla
achieve. The guts behind the new anti-phishing and anti-malware
capabilities in Firefox 3 come from Google Inc.'s ongoing project
to index all of the known or suspected malicious sites on the
Internet.
True to its open-source roots, Mozilla uses a completely open
development process, from tapping the development skills of
contributors around the world to holding open conference calls on
the status of various projects. Mozilla also uses a number of
outside security firms, including Matasano Security, IO Active,
Leviathan Security Group and iSEC Partners, to help evaluate
various portions of the software.
Snyder, who helped develop Microsoft Corp.'s threat-modeling
process when she worked at the Redmond, Wash., software maker, said
Mozilla has adopted many of those practices as well, and also puts
its software through code reviews and both manual and automated
penetration tests. Although Mozilla has come under a bit of public
scrutiny lately for the back-and-forth with Microsoft over the URI
protocol-handling vulnerability, Snyder and Shaver both said the
group remains committed to getting security fixes into the hands of
users as quickly as possible once a problem is confirmed. And that
goes for vulnerabilities that Mozilla finds internally, as well,
Snyder said.
"The thing we've figured out that some other vendors seem not to
have yet, is that just because something was discovered internally
doesn't mean it's not known externally too," Snyder said. "If it's
a fix and not a feature, it's something that should probably be
shipped to everyone and not something you make them pay for."
Snyder also announced during the talk that Mozilla will be
releasing a pair of fuzzing tools that the group has developed
recently. The first, a JavaScript fuzzer, is available now on the
group's Bugzilla site. Jesse Ruderman, a Mozilla developer who
wrote the JavaScript tool, said he'd used it to find 280 bugs in
Firefox, 27 of which were exploitable. The second new tool is a
protocol fuzzer designed to find problems in FTP and HTTP, which
was developed in conjunction with Matasano and Leviathan. It will
be available later this year.