Mozilla Security Blog

Mozilla Security Metrics Project

07.02.08 - 05:10pm

Mozilla has been working with security researcher and analyst Rich Mogull for a few months now on a project to develop a metrics model to measure the relative security of Firefox over time. We are trying to develop a model that goes beyond simple bug counts and more accurately reflects both the effectiveness of secure development efforts, and the relative risk to users over time. Our goal in this first phase of the project is to build a baseline model we can evolve over time as we learn what works, and what does not. We do not think any model can define an absolute level of security, so we decided to take the approach of tracking metrics over time so we can track relative improvements (or declines), and identify any problem spots.  This information will support the development of Mozilla projects including future versions of Firefox.

Below is a summary of the project goals, and the xls of the model is posted at http://securosis.com/publications/MozillaProject2.xls.  The same content as a set of .csvs is available here: http://securosis.com/publications/MozillaProject.zip

This is a preliminary version and we are currently looking for feedback. The final version will be a far more descriptive document, but for now we are using a spreadsheet to refine the approach. Feel free to download it, rip it apart, and post your comments. This is an open project and process.  Eventually we will release this to the community at large with the hope that other organizations can adapt it to their own needs.

We would love to get your opinions on this, and if you are not comfortable commenting here you can mail Rich directly at rmogull@securosis.com.  When we have reviewed the feedback, we will post here with findings and continue the effort with your help.

Project Mission:
To develop a metrics based model to track the relative security of Firefox, evaluate the effectiveness of security efforts within the development and testing process, and measure the window of exposure of Firefox users to security vulnerabilities.

Secondary mission:
To develop an open base model that can be standardized and expanded upon for other software development efforts to achieve the same goals.

Detailed goals:
1. Track security trends in the development of Firefox.
2. Measure the effectiveness of various tools, stages and techniques of secure development.
3. Measure the exposure window when new vulnerabilities are discovered- the time to get x% of the user base protected. Will include sub-metrics to measure the efficiency of the process, from initial response, through patch generation, through user base updated.  Correlate by severity of vulnerability.

Category: Announcements, Firefox, Security | | 1 Comment »

Firefox users most likely to run latest version of the browser

07.02.08 - 11:14am

A recent report identified Firefox users as most likely to be running the latest version of the browser at any point in time.  Brian Krebs at the Washington Post comments on it here: Forty Percent of Web Users Surf With Unsafe Browsers

This is great news for Mozilla, since it demonstrates that the work that has gone into the auto update mechanism and the restore session feature has really paid off.  In order to reduce the window of risk for users and minimize the time to deploy, we have put a lot of effort into making sure that it is as easy to install security updates as possible.  This is not the first time we have heard this, but it is great to get more numbers behind what we already know:  Firefox is safer because Mozilla continually works on security improvements, ships updates quickly, and makes it easier to stay up-to-date.

You will be hearing more about our effort to collect meaningful security metrics like these soon.

Asa has a few words to say about this on his blog.

Category: Firefox, Press, Security | | Be the First to Comment »

New Security Issue Under Investigation

06.18.08 - 09:07pm

TippingPoint ZDI notified Mozilla of a vulnerability in Firefox that impacts versions 2.x and 3.0.  This issue is currently under investigation.  To protect our users, the details of the issue will remain closed until a patch is made available.  There is no public exploit, the details are private, and so the current risk to users is minimal.

TippingPoint will also keep the details closed to protect Firefox users.  From their blog post:

While Mozilla is working on a fix, we wont be divulging anything else until a patch is available, adhering to our vulnerability disclosure policy.  Once the issue is patched, we’ll be publishing an advisory here. Working with Mozilla on past security issues, we’ve found them to have a good track record and expect a reasonable turnaround on this issue as well.

At Mozilla we appreciate any report of security issues because that is how we make the browser stronger and more secure.  The best way to keep Firefox users safe is to report the issues directly to Mozilla as TippingPoint has chosen to, and to wait to release details until a fix is available.

Category: Firefox, Security, Vulnerabilities | | 12 Comments »

Clarification on Vietnamese Language Pack Compromise

05.12.08 - 02:16am

As today’s headlines confirm, there is still a lot of confusion about what happened to the Vietnamese language pack, who is impacted, and what that impact really is.

First of all, there is no virus in the Vietnamese language pack. Vietnamese language pack for Firefox users have not been infected with a virus.  The remnant we detected is a line in an html file that would display ads to users.  This does not infect the user’s machine with the virus.  It is a remnant from a virus that most likely infected the language pack developer’s machine. This code remnant is not present in other language packs.  The entire add-ons site has been scanned for malware and viruses and nothing else has been detected. Disabling the language pack in the add-ons dialog disables the code remnant.

Mozilla scans all add-ons for viruses at upload time, but the nature of most anti-virus software is that it only finds the things it knows how to look for.  When this add-on was uploaded there was no signature in the anti-virus software to detect this virus or its remnants.

There have been 16,667 downloads of the Vietnamese language pack since November 2007. It is hard to identify exactly how many users were impacted, but there are on average about 1000 active users.  While the number of users is small, this is still unacceptable.  We take this issue very seriously.  The most likely impact for users was the display of unwanted ads.

These are the steps we have taken to protect users in the future:

•    The add-ons site was immediately scanned for the presence of viruses and other potential malware, and nothing further has been detected.

•    As a response to this issue and to minimize the potential of something similar happening in the future, Mozilla is now scanning all add-ons whenever the signatures for the anti-virus software are updated.

Category: Firefox, Security, Vulnerabilities | | Be the First to Comment »

Compromised file in Vietnamese Language Pack for Firefox 2

05.07.08 - 01:28pm

The Vietnamese language pack for Firefox 2 contains inserted code to load remote content.  This code is the result of a virus infection, but does not contain the virus itself.  This usually results in the user seeing unwanted ads, but may be used for more malicious actions.

Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy.  While we cannot determine the exact number of compromised downloads, there have been 16,667 total downloads of the Vietnamese language pack since November 2007, so we anticipate the impact on users to be limited.

Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload.  We are also adding after-the-fact scans of everything to address this sort of case in the future.

A new language pack will be available shortly.  Until then, Vietnamese language pack users should disable this package using the add-ons dialog on the Tools menu.

More information is available in bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=432406

Category: Firefox, Security, Vulnerabilities | | 3 Comments »

Firefox 2.0.0.12 is now available

02.08.08 - 06:38am

Firefox 2.0.0.12 is now available. This security update addresses the directory traversal issue described here and here. Details for this release are available at: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.12

Category: Uncategorized | | Be the First to Comment »

Status update for Chrome Protocol Directory Traversal issue

01.29.08 - 05:33pm

Background on this issue is available here.

Impact

An attacker can use this vulnerability to collect session information, including session cookies and session history.  Firefox is not vulnerable by default.  Only users that have installed “flat” packed add-ons are at risk.  Discussion about “flat” packaged add-ons is here.  A partial list of “flat” packed add-ons is available here.  If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging.

This bug is tracking the additional information:

https://bugzilla.mozilla.org/show_bug.cgi?id=413451

Status

Based on this new information Mozilla has changed the security severity rating to high.  A fix is included in Firefox 2.0.0.12 which be available shortly.

Category: Firefox, Security, Security Updates, Vulnerabilities | | 3 Comments »

chrome protocol directory traversal

01.22.08 - 04:06pm

Issue
A vulnerability in the chrome protocol scheme allows directory traversal when a “flat” add-on is present resulting in potential information disclosure.

Impact
When a chrome package is “flat” rather than contained in a .jar the directory traversal allows escaping the extensions directory and reading files in a predictable location on the disk.  Many add-ons are packaged in this way.

A visited attacking page is able to load images, scripts, or stylesheets from known locations on the disk.  Attackers may use this method to detect the presence of files which may give an attacker information about which applications are installed.  This information may be used to profile the system for a different kind of attack.

Some extensions may store information in Javascript files and an attacker may be able to retrieve those.  Greasemonkey user scripts may be retrieved using this method.  Session storage and preferences are not readable through this technique.

Users are only at risk if they have one of the “flat” packaged add-on installed.  Examples of popular add-ons that are vulnerable include: Download Statusbar and Greasemonkey.

Status

Mozilla is currently investigating this information disclosure issue and has assigned it an initial severity rating of low.  Details are available at:  https://bugzilla.mozilla.org/show_bug.cgi?id=413250

Credit

Gerry Eisenhaur first posted details of this issue along with proof of concept code at http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/.

Category: Firefox, Security, Vulnerabilities | | 3 Comments »

Read past the headlines - Firefox is fixed faster

01.17.08 - 06:29pm

Secunia released a report this week that discusses a few aspects of the security landscape for 2007.  Techworld ran a story based on this report with this headline: “Red Hat and Firefox more buggy than Microsoft.”  While the headline is misleading, the Techworld article actually tells an interesting story.

Counting security vulnerabilities to compare the security of different software projects is flawed.  It is only a useful metric if you are comparing a project to itself over time.  I’ve discussed this topic here and here.  It’s even more ridiculous to try and compare an open source bug count to a closed source project because you can see all the bugs in an open source project.  You can only see the publicly found security issues for a closed source product, like Internet Explorer.

So what is interesting in the Techworld article is the measures of real risk to users:

“‘[Z]ero-day’ security bugs in Firefox were patched more quickly than in Microsoft Internet Explorer…”

“[I]n an examination of zero-day flaws - reported by third parties before a patch was available - Secunia found that Firefox tended to get more patches, sooner, compared to IE.”

“Out of eight zero-day bugs reported for Firefox in 2007, five have been patched, three of those in just over a week. Out of 10 zero-day IE bugs, only three were patched and the shortest patch time was 85 days.”

At Mozilla we work as hard as we can to ship fixes as soon as possible to minimize the exposure to our users.  It is great to see that the efforts we are making to minimize risk to users are paying off.

Category: Musings, Press, Security | | 3 Comments »

BasicAuth dialog realm value spoofing

01.04.08 - 02:58pm

Issue

The realm value in a basic authentication dialog may be spoofed by a attacker to trick users into thinking the authentication request is coming from a different, trusted site.

Impact

When displaying the basic authentication dialog, Firefox displays the actual source of the request at the end of the dialog text.  Some other browsers display the request source at the very beginning of the dialog text or as part of the pop-up window’s title bar, which may be less likely to be confused.

This may allow an attacker to craft basic authentication dialogs that are confusing to users and may result in users sending website credentials to phishing websites.

Status

Mozilla is currently investigating this issue and has assigned it an initial security severity rating of low.  You can follow this issue here: https://bugzilla.mozilla.org/show_bug.cgi?id=244273

Credit

The issue was reported to the full-disclosure and bugtraq mailing lists by Aviv Raff.

http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

Category: Firefox, Security, Vulnerabilities | | 1 Comment »