Mozilla Security Blog

MD5 Weaknesses Could Lead to Certificate Forgery

12.30.08 - 08:41am

Issue

Researchers have recently found weaknesses in the MD5 hash algorithm, relied on by some SSL certificates. Using these weaknesses, an attacker could obtain fraudulent SSL certificates for websites they don’t legitimately control.

Impact to users

If a user visits an SSL site presenting a fraudulent certificate, there will be no obvious sign of a problem and the connection will appear to be secure. This could result in the user disclosing personal information to the site, believing it to be legitimate. We advise users to exercise caution when interacting with sites that require sensitive information, particularly when using public internet connections.

Status

This is not an attack on a Mozilla product, but we are nevertheless working with affected certificate authorities to ensure that their issuing processes are updated to prevent this threat. Mozilla is not aware of any instances of this attack occurring in the wild.

Microsoft has released their own advisory as well.

Credit

Alexander Sotirov, Marc Stevens, and Jacob Appelbaum presented this work at the 25th Chaos Communication Congress.

Johnathan Nightingale
Human Shield

Category: Security | | 1 Comment »

The Importance of Good Metrics

12.15.08 - 02:48pm

There has been some interest in the last few days about a recent report from a company called Bit9 about application vulnerabilities. While we’re always happy to see stories that focus on educating our users about security, there are some problems with Bit9’s methodology that hinder its ability to draw any meaningful conclusions.

Bit9 says it drew up this list by identifying popular applications that have had a critical vulnerability reported in 2008. This is an ineffective test, as it rewards software companies that conceal their security vulnerabilities. Mozilla focuses a great deal of energy on building world class code, and we stand by our reputation on security; we don’t play games with it.

Mozilla security process involves regularly identifying, fixing, testing, and releasing security updates to keep our users safe, and we do that in a public way so that others can scrutinize our processes and help make them better. To suggest that this openness is a weakness because it means that we have “reported vulnerabilities” is to miss the reality: that software has bugs. A product’s responsiveness to those bugs and its ability to contain them quickly and effectively is a much more meaningful metric than counting them.

Bit9 seems to understand this in its focus on application support for updates, but again it fails to account for the real world experience.  Firefox does not deliver WSUS updates, but our built-in update mechanism requires no user intervention, and we consistently see 90% adoption within six days of a new update being released.

The Firefox vulnerabilities Bit9 discusses are long-since fixed, with the majority of these fixes coming within days of it being announced.  That is the real measure of application security: are known vulnerabilities fixed promptly, tested carefully, and deployed thoroughly? When people have asked that question, Firefox and Mozilla have consistently come out ahead.

Bug counting is unfortunately common because it’s easy, but it should not be a substitute for real security measurement. This is why we’ve continued to work on things like the Mozilla security metrics project, to help people make informed decisions about the security of their software. We invite people who are interested to be a part of that process.

Johnathan Nightingale
Human Shield

Category: Firefox, Press, Security, Vulnerabilities | | Comments Off

Leaving Mozilla

12.10.08 - 12:15pm

I will be leaving Mozilla at the end of the year.  I am sad to be leaving, but I am excited to go work on something I have always been passionate about.  I wish I could tell you about it now, but that will have to wait for a while.

You will still get Mozilla security information here. Johnathan Nightingale, Lucas Adamski, Brandon Sterne and Mike Shaver will all be posting on the Mozilla security blog to keep users informed about security issues and announcements.  I leave you in their very capable hands and wish them the best of luck.

The Mozilla community is an incredible group of dedicated people who are really making a difference in how we experience the Internet.  The contribution you make to the world is tremendous.  I am honored to have been a small part of it for these last few years.

Thank you,
Window

Window Snyder
window@dec.net

Category: Announcements, Uncategorized | | Comments Off

Malicious Firefox Plugin

12.08.08 - 11:07am

Issue

A malicious piece of software masquerading as a legitimate and popular Firefox plugin is spreading.  Trojan.PWS.ChromeInject.A collects a user’s passwords from banking and other sites and forwards them to a remote server.

Impact

If a user has been tricked into installing this plug-in, or had it installed through a separate vulnerability it may compromise passwords and the user’s accounts.  This trojan is not Greasemonkey, even though it uses some of Greasemonkey’s internal IDs.

Status

To check whether your computer is infected, look for “Basic Example Plugin for Mozilla” in the Plugin list by choosing Add-ons from the Tools menu in Firefox.  Then choose Plugins. If you see this plugin, disable it.

Johnathan Nightingale blogged about it here: http://blog.johnath.com/2008/12/08/firefox-malware/

Credit

This issue was identified in the wild by BitDefender.  Their analysis is here: http://www.bitdefender.com/VIRUS-1000451-en–Trojan.PWS.ChromeInject.B.html

Category: Firefox, Security | | Comments Off

Low Risk Denial of Service in Firefox

07.30.08 - 12:30pm

Issue

A null pointer dereference in the content layout component of Firefox allows an attacker to crash the browser when a user navigates to a malicious page.

Impact

If a user browses to a malicious page that takes advantage of this vulnerability, the browser will crash.  A feature in Firefox called Session Restore will restore the browser session when Firefox is restarted and will likely save user typed content in text areas as well.  This feature is designed to save users’ work in the event of a crash or browser restart.

Status

This issue is currently under investigation.  Mozilla has assigned this bug an initial severity rating of low because of the minimal security risk to users.

Credit

Radware reported this issue to Mozilla.

Category: Firefox, Security, Vulnerabilities | | 5 Comments »

TippingPoint vulnerability patched in Firefox 3.0.1 and 2.0.0.16

07.16.08 - 02:15pm

Issue

A vulnerability in the way Firefox handles CSS allows an attacker to take advantage of an integer overflow and execute arbitrary code.  In order for the attack to be successful a user must browse to a malicious site.  The advisory is available here.

Impact

This critical vulnerability was reported to Mozilla before details were available publicly.  By keeping the details of the issue private until the issue was patched, TippingPoint and Mozilla were able to keep the risk to users minimal.

Status

This issue is patched in Firefox 3.0.1 and 2.0.0.16 which are now available.  Users will be prompted to install the update through the automatic update feature.  If you would like to update now, select “Check for Updates” from the Help menu.

Credit

An anonymous reporter found this vulnerability and reported it to TippingPoint.  TippingPoint reported it to Mozilla.

Category: Firefox, Security, Vulnerabilities | | 3 Comments »

Mozilla Security Metrics Project

07.02.08 - 05:10pm

Mozilla has been working with security researcher and analyst Rich Mogull for a few months now on a project to develop a metrics model to measure the relative security of Firefox over time. We are trying to develop a model that goes beyond simple bug counts and more accurately reflects both the effectiveness of secure development efforts, and the relative risk to users over time. Our goal in this first phase of the project is to build a baseline model we can evolve over time as we learn what works, and what does not. We do not think any model can define an absolute level of security, so we decided to take the approach of tracking metrics over time so we can track relative improvements (or declines), and identify any problem spots.  This information will support the development of Mozilla projects including future versions of Firefox.

Below is a summary of the project goals, and the xls of the model is posted at http://securosis.com/publications/MozillaProject2.xls.  The same content as a set of .csvs is available here: http://securosis.com/publications/MozillaProject.zip [Update] There also a copy for OpenOffice: http://securosis.com/publications/MozillaProject2.ods

This is a preliminary version and we are currently looking for feedback. The final version will be a far more descriptive document, but for now we are using a spreadsheet to refine the approach. Feel free to download it, rip it apart, and post your comments. This is an open project and process.  Eventually we will release this to the community at large with the hope that other organizations can adapt it to their own needs.

We would love to get your opinions on this, and if you are not comfortable commenting here you can mail Rich directly at rmogull@securosis.com.  When we have reviewed the feedback, we will post here with findings and continue the effort with your help.

Project Mission:
To develop a metrics based model to track the relative security of Firefox, evaluate the effectiveness of security efforts within the development and testing process, and measure the window of exposure of Firefox users to security vulnerabilities.

Secondary mission:
To develop an open base model that can be standardized and expanded upon for other software development efforts to achieve the same goals.

Detailed goals:
1. Track security trends in the development of Firefox.
2. Measure the effectiveness of various tools, stages and techniques of secure development.
3. Measure the exposure window when new vulnerabilities are discovered- the time to get x% of the user base protected. Will include sub-metrics to measure the efficiency of the process, from initial response, through patch generation, through user base updated.  Correlate by severity of vulnerability.

Category: Announcements, Firefox, Security | | 14 Comments »

Firefox users most likely to run latest version of the browser

07.02.08 - 11:14am

A recent report identified Firefox users as most likely to be running the latest version of the browser at any point in time.  Brian Krebs at the Washington Post comments on it here: Forty Percent of Web Users Surf With Unsafe Browsers

This is great news for Mozilla, since it demonstrates that the work that has gone into the auto update mechanism and the restore session feature has really paid off.  In order to reduce the window of risk for users and minimize the time to deploy, we have put a lot of effort into making sure that it is as easy to install security updates as possible.  This is not the first time we have heard this, but it is great to get more numbers behind what we already know:  Firefox is safer because Mozilla continually works on security improvements, ships updates quickly, and makes it easier to stay up-to-date.

You will be hearing more about our effort to collect meaningful security metrics like these soon.

Asa has a few words to say about this on his blog.

Category: Firefox, Press, Security | | 3 Comments »

New Security Issue Under Investigation

06.18.08 - 09:07pm

TippingPoint ZDI notified Mozilla of a vulnerability in Firefox that impacts versions 2.x and 3.0.  This issue is currently under investigation.  To protect our users, the details of the issue will remain closed until a patch is made available.  There is no public exploit, the details are private, and so the current risk to users is minimal.

TippingPoint will also keep the details closed to protect Firefox users.  From their blog post:

While Mozilla is working on a fix, we wont be divulging anything else until a patch is available, adhering to our vulnerability disclosure policy.  Once the issue is patched, we’ll be publishing an advisory here. Working with Mozilla on past security issues, we’ve found them to have a good track record and expect a reasonable turnaround on this issue as well.

At Mozilla we appreciate any report of security issues because that is how we make the browser stronger and more secure.  The best way to keep Firefox users safe is to report the issues directly to Mozilla as TippingPoint has chosen to, and to wait to release details until a fix is available.

Category: Firefox, Security, Vulnerabilities | | 15 Comments »

Clarification on Vietnamese Language Pack Compromise

05.12.08 - 02:16am

As today’s headlines confirm, there is still a lot of confusion about what happened to the Vietnamese language pack, who is impacted, and what that impact really is.

First of all, there is no virus in the Vietnamese language pack. Vietnamese language pack for Firefox users have not been infected with a virus.  The remnant we detected is a line in an html file that would display ads to users.  This does not infect the user’s machine with the virus.  It is a remnant from a virus that most likely infected the language pack developer’s machine. This code remnant is not present in other language packs.  The entire add-ons site has been scanned for malware and viruses and nothing else has been detected. Disabling the language pack in the add-ons dialog disables the code remnant.

Mozilla scans all add-ons for viruses at upload time, but the nature of most anti-virus software is that it only finds the things it knows how to look for.  When this add-on was uploaded there was no signature in the anti-virus software to detect this virus or its remnants.

There have been 16,667 downloads of the Vietnamese language pack since November 2007. It is hard to identify exactly how many users were impacted, but there are on average about 1000 active users.  While the number of users is small, this is still unacceptable.  We take this issue very seriously.  The most likely impact for users was the display of unwanted ads.

These are the steps we have taken to protect users in the future:

•    The add-ons site was immediately scanned for the presence of viruses and other potential malware, and nothing further has been detected.

•    As a response to this issue and to minimize the potential of something similar happening in the future, Mozilla is now scanning all add-ons whenever the signatures for the anti-virus software are updated.

Category: Firefox, Security, Vulnerabilities | | Be the First to Comment »