UPDATED: The Web browser is the most basic common unit of the Internet experience for
much of the global community. It’s also one of the most attacked. And it’s not just the bad guys breaking the browsers anymore, but also the browser vendors.
On Wednesday, Mozilla will take a massive step forward and explain to an audience at the annual
Black Hat show in Las Vegas how to break the browser using tools that Mozilla
has developed and is expected to release.
In a session called Building and Breaking the Browser, Mozilla’s Chief
Security Officer Window Snyder is expected to discuss a number of security
tools, including protocol fuzzers for HTTP and FTP and a fuzzer for
JavaScript. While the intention is to make
Mozilla’s Firefox technology even more secure, the tools could potentially
also put millions at risk.
Fuzzing is also known as fault-injection testing and is a widely
used technique in security circles to try and break down applications and
expose flaws. The Black Hat session abstract indicates that at least one of
those tools will be released at the Black Hat event.
In a discussion with internetnews.com in March, Snyder indicated that
Mozilla already runs the whole spectrum of security testing tools and
approaches on its products.
She also said that Mozilla’s
security effort could also one day lead to a Mozilla open source effort on
security tools and information. Snyder noted that when Mozilla makes such tools and information available, they will be part of the balance that Mozilla is striving to seek between functionality, security and
disclosure.
Ahead of Black Hat, internetnews.com approached other browsers for any information they might have had on Mozilla’s fuzzer, and Opera came up with the most over Microsoft and Google.
Opera spokesman Thomas Ford told internetnews.com via e-mail that Mozilla sent its fuzzer to two Opera developers, and the testing group is now testing it against different products.
A Google spokesperson said that likely contacts at Google were not aware of the Mozilla fuzzer.
Google recently revealed its own fuzzer effort called Lemon, though it’s not likely to be publicly
released.
The Google spokesperson also told internetnews.com that without knowing any
details of the Mozilla fuzzer, it is impossible to know whether it
would be something that Google would use in addition to Google Lemon.
Microsoft did not directly answer a question about whether it was aware
of Mozilla’s fuzzer. A Microsoft spokesperson noted, however, that fuzzing
is an important part of the security development lifecycle process, and
Microsoft is supportive of other companies adopting similar methods to help
protect their users.
But Opera’s Krogh still had his concerns about how Mozilla’s fuzzer
could end up being used.
“Any tool given to the public to find ways of exploiting a piece of
software is at risk of being misued,” Krogh said. “When an organization
publishes such tools, it must consider whether that tool can be a disservice
to millions of innocent bystanders.”
Opera uses fuzzers and other tools, homegrown and otherwise,
to secure its browser technology.
This article was first published on InternetNews.com. To read the full article, click here.