Mozilla to extend security in major Firefox update

The next version of Firefox will include new anti-phishing and anti-malware capabilities. Mozilla also plans to release a pair of fuzzing tools to detect JavaScript, FTP and HTTP flaws.

LAS VEGAS -- The next major release of the popular Firefox browser will include a number of significant security upgrades designed to protect users from both attackers and from themselves.

"In the long term, we'd like to be known for making the Web a safer place."
Mike Shaver, director of ecosystem development, Mozilla

The most visible changes will be the additions of new anti-phishing and anti-malware capabilities that are designed to prevent users from endangering themselves by visiting malicious sites. The phishing protection takes the form of a red icon in the address bar and an accompanying pop-up dialog box warning the user that the site he's visiting is a suspected phishing site. The user will have the option of closing the box and continuing on to the suspicious site or being redirected away from it, said Window Snyder, head of the security group at the Mozilla Foundation, which maintains Firefox. Snyder, along with Mike Shaver, director of ecosystem development and one of the founders of the Mozilla project, described the new security tools in a presentation at the Black Hat USA Briefings here last week.

The new anti-malware function in Firefox is much more aggressive than the anti-phishing tool. Instead of giving users the choice of visiting a suspected malicious site, when Firefox 3 encounters a site that is known to host, or suspected of hosting, malware, it will prevent the user from actually connecting to the site. It also will throw up a full-page warning that tells the user that the site is known to be an attack/malware-hosting site and that Firefox is preventing the user from connecting to it. Firefox 3 also will allow users to report suspect sites that the browser doesn't yet recognize as being malicious.


Snyder and Shaver emphasized that Firefox 3 is still in development and it's not yet certain whether all of the currently planned features and tools will end up making it into the final version of the browser. But the clear motivation behind all of the security upgrades is making it as simple as possible for ordinary Web surfers to avoid unsafe content without having to become security experts.

"In the long term, we'd like to be known for making the Web a safer place," Shaver said.


That's an ambitious goal, to be sure, and it's one that a number of other organizations and companies are trying to help Mozilla achieve. The guts behind the new anti-phishing and anti-malware capabilities in Firefox 3 come from Google Inc.'s ongoing project to index all of the known or suspected malicious sites on the Internet.
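The two policies described above (warn-and-let-the-user-decide for suspected phishing, hard block for known or suspected malware) amount to a lookup of the visited host against a list of bad sites. The following is an added illustration of that decision logic in Python; it is not Firefox or Mozilla code, and the blocklist dictionary is a constructed stand-in for the Google-supplied index the article mentions, not the real data format or lookup protocol.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist for this example: hostname -> category.
# In Firefox 3 the data would come from Google's index of malicious sites;
# this dictionary only stands in for it.
SAMPLE_BLOCKLIST = {
    "login-example-bank.test": "phishing",
    "malware.example.test": "malware",
}


def canonical_host(url):
    """Return the lowercased hostname of url without port or trailing dot, or None.

    Canonicalizing before the lookup matters: "MALWARE.Example.test.:8080"
    must match the same entry as "malware.example.test".
    """
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to see the host
    host = urlsplit(url).hostname  # already lowercased, port removed
    if not host:
        return None
    return host.rstrip(".")


def lookup(host, blocklist):
    """Match the host, then each parent domain (but never the bare TLD).

    A listing for malware.example.test therefore also covers
    cdn.malware.example.test.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return blocklist[candidate]
    return None


def decide(url, blocklist=SAMPLE_BLOCKLIST):
    """Map a URL to one of the three outcomes the article describes.

    'allow' - not listed
    'warn'  - suspected phishing: red icon and dialog, user may continue
    'block' - known/suspected malware: connection prevented, full-page warning
    """
    host = canonical_host(url)
    if host is None:
        return "allow"
    category = lookup(host, blocklist)
    if category == "malware":
        return "block"
    if category == "phishing":
        return "warn"
    return "allow"


if __name__ == "__main__":
    for u in ("http://MALWARE.Example.test:8080/payload",
              "https://login-example-bank.test/",
              "http://www.mozilla.org/"):
        print(u, "->", decide(u))
```

The distinction worth noticing is that the phishing path returns a decision the user can override, while the malware path does not; in a real browser the "block" outcome is enforced before any connection is opened, which is what keeps a drive-by download from ever reaching the machine.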

True to its open-source roots, Mozilla uses a completely open development process, from tapping the development skills of contributors around the world to holding open conference calls on the status of various projects. Mozilla also uses a number of outside security firms, including Matasano Security, IOActive, Leviathan Security Group and iSEC Partners, to help evaluate various portions of the software.

Snyder, who helped develop Microsoft Corp.'s threat-modeling process when she worked at the Redmond, Wash., software maker, said Mozilla has adopted many of those practices as well, and also puts its software through code reviews and both manual and automated penetration tests. Although Mozilla has come under a bit of public scrutiny lately for the back-and-forth with Microsoft over the URI protocol-handling vulnerability, Snyder and Shaver both said the group remains committed to getting security fixes into the hands of users as quickly as possible once a problem is confirmed. And that goes for vulnerabilities that Mozilla finds internally, as well, Snyder said.

"The thing we've figured out that some other vendors seem not to have yet, is that just because something was discovered internally doesn't mean it's not known externally too," Snyder said. "If it's a fix and not a feature, it's something that should probably be shipped to everyone and not something you make them pay for."

Snyder also announced during the talk that Mozilla will be releasing a pair of fuzzing tools that the group has developed recently. The first, a JavaScript fuzzer, is available now on the group's Bugzilla site. Jesse Ruderman, a Mozilla developer who wrote the JavaScript tool, said he'd used it to find 280 bugs in Firefox, 27 of which were exploitable. The second new tool is a protocol fuzzer designed to find problems in FTP and HTTP, which was developed in conjunction with Matasano and Leviathan. It will be available later this year.
