Archive for July, 2008

Low Risk Denial of Service in Firefox

Wednesday, July 30th, 2008

Issue

A null pointer dereference in the content layout component of Firefox allows an attacker to crash the browser when a user navigates to a malicious page.

Impact

If a user browses to a malicious page that takes advantage of this vulnerability, the browser will crash.  A feature in Firefox called Session Restore will restore the browser session when Firefox is restarted and will likely save user-typed content in text areas as well.  This feature is designed to save users’ work in the event of a crash or browser restart.

Status

This issue is currently under investigation.  Mozilla has assigned this bug an initial severity rating of low because of the minimal security risk to users.

Credit

Radware reported this issue to Mozilla.

TippingPoint vulnerability patched in Firefox 3.0.1 and 2.0.0.16

Wednesday, July 16th, 2008

Issue

A vulnerability in the way Firefox handles CSS allows an attacker to take advantage of an integer overflow and execute arbitrary code.  In order for the attack to be successful a user must browse to a malicious site.  The advisory is available here.

Impact

This critical vulnerability was reported to Mozilla before details were available publicly.  By keeping the details of the issue private until the issue was patched, TippingPoint and Mozilla were able to keep the risk to users minimal.

Status

This issue is patched in Firefox 3.0.1 and 2.0.0.16 which are now available.  Users will be prompted to install the update through the automatic update feature.  If you would like to update now, select “Check for Updates” from the Help menu.

Credit

An anonymous reporter found this vulnerability and reported it to TippingPoint.  TippingPoint reported it to Mozilla.

Are you using the latest web browser?

Wednesday, July 16th, 2008

“Spam King” Soloway to be sentenced on 22 July

Wednesday, July 16th, 2008

The sentencing of Robert Soloway, the so-called Seattle “Spam King” who pleaded guilty in March to delivering millions of unwanted emails, has been delayed until next week.

As businesses weigh adoption, new iPhone plugs 13 flaws

Monday, July 14th, 2008

The second version of the iPhone, released Friday, includes faster internet, GPS functionality and an application store — as well as 13 security fixes.

Online auction site goes to war on spam

Friday, July 11th, 2008

Google and eBay have joined forces to protect users from spam and malicious emails by leveraging an authentication technology called DomainKeys.

Steganography harnesses VoIP networks

Friday, July 4th, 2008

Steganography is an established technique to hide secret data inside normal data transmissions, but new techniques are being developed to hide packets inside routine VoIP traffic and escape detection.

HMRC breach would have been avoided for just £15,000

Thursday, July 3rd, 2008

The catastrophic loss of information on 25 million UK citizens last year would have been avoided if Her Majesty’s Revenue and Customs had spent a maximum of £15,000 on the extraction of data, but it turned down this expenditure because information security was such a low priority, one of the breach investigators revealed today.

Data watchdog admits to deluge of Central Government breach info

Thursday, July 3rd, 2008

The Information Commissioner’s Office has revealed it has been voluntarily informed of a huge number of security breaches – mostly in Westminster – while it eyes up plans for a new law which could make the reporting of such incidents compulsory.

Mozilla Security Metrics Project

Thursday, July 3rd, 2008

Mozilla has been working with security researcher and analyst Rich Mogull for a few months now on a project to develop a metrics model to measure the relative security of Firefox over time. We are trying to develop a model that goes beyond simple bug counts and more accurately reflects both the effectiveness of secure development efforts, and the relative risk to users over time. Our goal in this first phase of the project is to build a baseline model we can evolve over time as we learn what works, and what does not. We do not think any model can define an absolute level of security, so we decided to take the approach of tracking metrics over time so we can track relative improvements (or declines), and identify any problem spots.  This information will support the development of Mozilla projects including future versions of Firefox.

Below is a summary of the project goals, and the xls of the model is posted at http://securosis.com/publications/MozillaProject2.xls.  The same content as a set of .csvs is available here: http://securosis.com/publications/MozillaProject.zip [Update] There is also a copy for OpenOffice: http://securosis.com/publications/MozillaProject2.ods

This is a preliminary version and we are currently looking for feedback. The final version will be a far more descriptive document, but for now we are using a spreadsheet to refine the approach. Feel free to download it, rip it apart, and post your comments. This is an open project and process.  Eventually we will release this to the community at large with the hope that other organizations can adapt it to their own needs.

We would love to get your opinions on this, and if you are not comfortable commenting here you can mail Rich directly at rmogull@securosis.com.  When we have reviewed the feedback, we will post here with findings and continue the effort with your help.

Project Mission:
To develop a metrics based model to track the relative security of Firefox, evaluate the effectiveness of security efforts within the development and testing process, and measure the window of exposure of Firefox users to security vulnerabilities.

Secondary mission:
To develop an open base model that can be standardized and expanded upon for other software development efforts to achieve the same goals.

Detailed goals:
1. Track security trends in the development of Firefox.
2. Measure the effectiveness of various tools, stages and techniques of secure development.
3. Measure the exposure window when new vulnerabilities are discovered: the time to get x% of the user base protected. Will include sub-metrics to measure the efficiency of the process, from initial response, through patch generation, through user base updated.  Correlate by severity of vulnerability.
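As an added illustration of goal 3 (not part of the Securosis spreadsheet or any Mozilla code), the following Python computes an exposure window for a vulnerability as the time from initial report to patch release plus the time from patch release until x% of the user base is on the fixed build, and then summarises the result by severity. The adoption curve, vulnerability identifiers, dates and severities are all constructed for the example; the function names are assumptions of this example, not terms from the model.

```python
"""Exposure-window metric, constructed example (not the Securosis model)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed adoption samples: (days since patch release, cumulative fraction
# of the user base running the patched build). Hypothetical numbers, not
# Mozilla update telemetry.
ADOPTION: List[Tuple[int, float]] = [
    (0, 0.0), (1, 0.10), (2, 0.30), (4, 0.50), (7, 0.80), (14, 0.90), (30, 0.96),
]


@dataclass
class Vuln:
    ident: str                      # hypothetical identifier
    severity: str                   # e.g. "critical", "low"
    reported: date                  # date the issue reached the vendor
    patch_released: date            # date the fixed build shipped
    adoption: List[Tuple[int, float]]


def days_to_coverage(curve: List[Tuple[int, float]], target: float) -> Optional[float]:
    """Day (since patch release) at which cumulative coverage reaches `target`.

    Linear interpolation between the two samples that bracket the target;
    returns None if the curve never reaches it in the observed window.
    """
    curve = sorted(curve)
    prev_day, prev_frac = curve[0]
    if prev_frac >= target:
        return float(prev_day)
    for day, frac in curve[1:]:
        if frac >= target:
            span = frac - prev_frac
            if span == 0:
                return float(day)
            return prev_day + (target - prev_frac) / span * (day - prev_day)
        prev_day, prev_frac = day, frac
    return None


def exposure_window(v: Vuln, target: float) -> Dict[str, Optional[float]]:
    """Split the window into the vendor response phase and the user-update phase."""
    response = (v.patch_released - v.reported).days
    update = days_to_coverage(v.adoption, target)
    total = None if update is None else response + update
    return {"response_days": response, "update_days": update, "total_days": total}


def exposure_by_severity(vulns: List[Vuln], target: float) -> Dict[str, float]:
    """Median total exposure (in days) per severity, ignoring unreached targets."""
    totals: Dict[str, List[float]] = {}
    for v in vulns:
        w = exposure_window(v, target)
        if w["total_days"] is not None:
            totals.setdefault(v.severity, []).append(w["total_days"])
    return {sev: median(days) for sev, days in totals.items()}


# Constructed sample set: identifiers, dates and severities are invented.
SAMPLE_VULNS = [
    Vuln("VULN-A", "critical", date(2008, 7, 1), date(2008, 7, 16), ADOPTION),
    Vuln("VULN-B", "low", date(2008, 7, 10), date(2008, 8, 20), ADOPTION),
    Vuln("VULN-C", "critical", date(2008, 7, 5), date(2008, 7, 16), ADOPTION),
]

if __name__ == "__main__":
    for v in SAMPLE_VULNS:
        print(v.ident, v.severity, exposure_window(v, 0.9))
    print("median exposure to 90% coverage:", exposure_by_severity(SAMPLE_VULNS, 0.9))
```

A curve that never reaches the target yields None rather than a misleading number; in practice the interesting comparison is how the response and update phases change across releases for the same severity, which is what the per-severity aggregation is meant to expose.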

Meet ratproxy, our passive web security assessment tool

Tuesday, July 1st, 2008