[linuxkernelnewbies] Security at Mozilla Security Blog

Wed, 29 Jul 2009 08:23:21 -0700

http://blog.mozilla.com/security/category/security/

URL bar spoofing vulnerability

07.28.09 - 03:40pm

Issue
The URL in the address bar can be spoofed when a new window or tab is opened by a malicious web page.
Impact to users
If a user visits a page hosting this malicious code, a new window or tab can be opened with a faked URL.  There is no way of determining if the URL is [...]

Category: Firefox, Security, Vulnerabilities | | 3 Comments »

Locking up the valuables: Opt-in security with ForceTLS

07.27.09 - 05:17pm

Computers are increasingly mobile and, to serve them, more and more public spaces (cafes, airports, libraries, etc.) offer their customers WiFi access. When a web browser on such a network requests a resource, it is implicitly trusting the hotspot not to interfere with the communication.  A malicious computer hooked up to the network could alter [...]

Category: Firefox, Security | Tags: Firefox, forcetls, https, Security | 13 Comments »

How Mozilla finds crash bugs

07.20.09 - 05:36pm

This Tuesday (2009-07-21), I’m organizing a crash bug triage day where anyone interested can help us classify the swamp of open crash bugs. Join us in #bugday on irc.mozilla.org if you’d like to help.
Crashes and security
Some Firefox crash bugs are severe security bugs. A crash bug is likely to be exploitable if it can [...]

Category: Firefox, Security | | 2 Comments »

milw0rm 9158 “stack overflow” crash not exploitable (CVE-2009-2479)

07.19.09 - 02:44pm

In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is [...]

Category: Firefox, Security, Vulnerabilities | | 15 Comments »

Critical _javascript_ vulnerability in Firefox 3.5

07.14.09 - 10:15am

Issue
A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) _javascript_ compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.
Impact
The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can [...]

Category: Firefox, Security, Vulnerabilities | | 80 Comments »

Shutting Down XSS with Content Security Policy

06.19.09 - 03:41pm

For several years, Cross-Site Scripting (XSS) attacks have plagued many of the web’s most popular sites and victimized their users. At Mozilla, we’ve been working for the last year on a new technology called Content Security Policy, designed to shut these attacks down. We wanted to give a bit of background on this [...]

Category: Firefox, Security | | 27 Comments »

Measure What Matters – The SEC Essentials

04.22.09 - 11:06am

People want to know that they are safe when they browse the web. There are important differences between browsers when it comes to security, and so it’s no surprise to see a growing number of groups out there attempting to compare browsers based on their security record. That’s great news; not only does it help [...]

Category: Musings, Security | Tags: metrics | 13 Comments »

CanSecWest 2009 Pwn2Own Exploit and XSL Transform Vulnerability

03.26.09 - 01:55pm

Issue
The pwn2own bug that Nils discovered at CanSecWest 2009 and the XSLT vulnerability recently made public by Guido Landi (http://www.securityfocus.com/bid/34235) are both critical issues that can result in malicious code execution.
Impact
These issues can be exploited by tricking a user into visiting a malicious web page hosting the exploit code. The pwn2own bug can be [...]

Category: Firefox, Press, Security, Vulnerabilities | | 16 Comments »

New CSS Grammar Fuzzer

03.17.09 - 01:24pm

Mozilla’s Jesse Ruderman just blogged about a new CSS grammar fuzzer of his, to go along with the JS fuzzer we announced a while ago.
Fuzzers are a tool that we’ve found incredibly valuable in the past, and continue to employ heavily. A fuzzer’s job is to make your application fail by feeding it surprising inputs. [...]

Category: Security | Tags: fuzzing, Security | 2 Comments »

Beware the Security Metric

03.06.09 - 02:50pm

Security metrics are very difficult to do well, and easy to do poorly. For example, take a look at the recent Secunia “2008 Report” (http://secunia.com/gfx/Secunia2008Report.pdf). It tries to break down vulnerabilities reported by browser, and specifically states:
31 vulnerabilities were reported for Internet Explorer (IE 5.x, 6.x, and 7), including those
publicly disclosed prior to [...]

Category: Firefox, Musings, Security, Uncategorized | | 29 Comments »


Reply via email to