At the Blackhat conference, Window Snyder and Mike Shaver of Mozilla released new tools for testing their browser--Firefox--and other popular browsers, such as Microsoft Internet Explorer, Apple Safari and Opera.
The tools include a protocol fuzzer by Michael Eddington and a Javascript fuzzer by Jesse Ruderman. Fuzzing is a method by which researchers randomly simulate common conditions under which most browsers fail.
Preceding the announcement, Mozilla used the opportunity to discuss what are vulnerabilities, how vendors approach fixing them and--more importantly--how quickly they can get the fix into the hands of users. Snyder quoted Brian Krebs of The Washington Post, who said that Microsoft allowed a known vulnerability to exist in the pre-IE7 version of its browser for a total of 284 days, while Mozilla's longest stretch without a patch was a mere 9 days.
In an interview before the presentation, Snyder said that Firefox enjoys a community of users in the millions worldwide. Of these, there are about 10,000 users who regularly download what are called nightly builds. Whenever the Mozilla security team puts out new fixes in the nightly builds, it's these 10,000 users who test the fixes on a wide variety of machines and under a wide variety of circumstances. Thus, Mozilla is able to roll out its security patches faster and with fewer headaches.
Because Mozilla enjoys a very enthusiastic community of users, it decided to put out tools in the hands of its users that'll help make future releases of Firefox even stronger. After thinking about it, it decided the tools could be used on all browsers, not just its own because many similar vulnerabilities affect other browsers as well. In May, Snyder says Mozilla sent the tools to Microsoft and Opera but did not hear back.
This article was originally a blog posted on CNET News.com
Play video
Please get your facts right. Opera did respond. Check out their Desktop Team blog: my.opera.com...
Posted by anonymous on Saturday, August 04 2007 03:37 PM