(Credit:
Robert Vamosi/CBS Interactive)
Window Snyder, Mozilla's chief security something-or-other (her official title), is leaving Mozilla, effective the end of the year.
"I am sad to be leaving," she wrote in her blog on Wednesday, "but I am excited to go work on something I have always been passionate about. I wish I could tell you about it now, but that will have to wait for a while."
In an interview earlier this year, Snyder stressed to me how she wants to bring open-source practices to the security community. And her background certainly supports that passion.
Snyder is the co-author of Threat Modeling, a book about application security. Her security work started at @Stake (now a part of Symantec) before continuing at Microsoft. Later she helped found Matasano Security before landing at Mozilla in September 2006.
Johnathan Nightingale, Lucas Adamski, Brandon Sterne, and Mike Shaver will continue to blog about security at Mozilla in Snyder's absence.
Window Snyder, Mozilla's chief security something-or-other (her official title), wants to bring open source practices to the security community.
"At a lot of companies," she told me recently, "there's fear around security: you don't want to talk about what you're doing around security because one might deem it not enough--or might want to criticize it." She said most companies have a lot of reasons to keep what you're doing in security quiet, but not Mozilla. "We benefit from being open; it's the model for us and it's been successful for us."
Snyder started her security work at @Stake (now a part of Symantec) then went to Microsoft and later Matasano Security. She describes her journey as moving toward open source with each environment. At Mozilla, makers of the popular Firefox browser, Thunderbird e-mail client, and other open software, she's pretty much at ground zero.
Snyder said the idea of opening up security came about by asking, "What are we doing internally that we can make publicly available to help somebody else in some other project."
They decided to start out small. "We're starting off with secure programs and practices for C and C++. There is a focus on how to make it useful for a browser, but there is of course a general aspect to this. It's training materials, it's syllabi, exercises, it's a workshop-style class. Hopefully we'll be able to do video as well." The idea is that one employee from a company can attend these workshops and then take the training back home to train even more people.
Johnathan Nightingale of Mozilla echoed this. "It's pretty brittle if there's only one person who is the security guy or gal that always solves a problem. It's better to get that knowledge out there--whether it's working on Mozilla or some other project. By working at understanding the good habits and the bad habits, you've made a huge step forward."
In addition to training sessions, Mozilla will be making a variety of tools available. Last year Mozilla released a protocol fuzzer created by Michael Eddington, and a Javascript fuzzer created by Jesse Ruderman. Further, Mozilla admitted that these tools had found vulnerabilities within Firefox. Accepting that openness, Opera reported that the tools had also discovered a flaw within its browser product. Microsoft, maker of Internet Explorer, and Apple, maker of Safari, haven't revealed whether they used the tool to detect any flaws in their products.
Snyder says often the security story isn't that a company created a tool that found 14 vulnerabilities in it own product, it's that there were 14 vulnerabilities in the product in the first place. "Why would they want to share this tool? Maybe they want to demonstrate how successful it was because it found a vulnerability. That's something that we can do that other companies cannot."
In addition to training and tools, Mozilla wants to talk more about security metrics and threat modeling.
In this video, Window Snyder talks about security metrics.
"Threat modeling is a methodology for identifying security vulnerabilities, for identifying the risks of a security vulnerability within that application," Snyder said. "Making a threat model available shows other development environments how a complex application like Firefox gets deconstructed into threats, along with the mitigations that we've implemented to address those specific threats.
"But it also gets us feedback on whether or mitigations are sufficient. It gets the research community engaged in another point in the development process. Instead of looking for vulnerabilities at the end of the lifecycle, they're able to get involved in the threat modeling process which is between design and implementation, ideally. You want to be able to do it early enough in the process so that you can actually change at the architectural level as the result of threat modeling."
The goal, she said, is to remove whole categories of vulnerabilities. "Here's a pattern, and if we implement one architectural change we can eliminate all these vulnerabilities."
Threat modeling is more theoretical; it's abstract. "So, instead of saying concretely if you do this that and the other thing, that will result in an actual vulnerability, threat modeling, says there is no input validation mechanism, for example. If you send a request this way, you end up bypassing the input validation mechanism and you're sending content, unvalidated to this audio decoder. That would be scary. So the threat would be unvalidated content is being passed directly to the audio decoder if it comes in this way. A vulnerability would be there's an overflow in the audio decoder that an attacker is able to trigger if they craft a URL this way, and because it bypasses the input validation mechanism, all these other mechanisms that would have protected from an exploit are bypassed as well."
She concludes that the training, the tools, and the threat modeling is "good for peer reviews, it's good for testers, it's good for developers." She sees it as delivering on a promise to "to make the Web more secure."
Mozilla has been steadily demonstrating how open source projects can make money without betraying their community goals. At Mozilla, she says "we absorb the costs in criticism and we tolerate that in security because the benefit for us far outweighs everything else."
On Thursday, Opera released version 9.51. The new version fixes a few security vulnerabilities and resolves some stability issues. One of the fixes addresses an arbitrary code execution vulnerability that was not previously made public.
Meanwhile, Mozilla released Firefox 2.0.15 with a dozen security fixes, including a few remote-execution vulnerabilities.
Current Firefox 2 users should, however, upgrade to Firefox 3, which includes antimalware protection and other security features.
On Wednesday, Microsoft announced new security features within the upcoming release of Internet Explorer 8 Beta 2. The features are designed to combat the rising tide of drive-by downloads and malicious scripts contained within carefully crafted links embedded in e-mail and Web pages. Most of the new features require systems to be running Windows Vista SP1 or Windows XP SP3.
Perhaps the most anticipated addition is Internet Explorer's new antimalware protection. Opera 9.5 and Firefox 3 both recently added antimalware protection. Safari has so far not announced plans for similar protection. Using mostly its own antimalware technology, Microsoft will block emerging threats by masking the entire IE 8 browser screen with a warning to users. The addition of malware protection to the existing antiphishing protection will be re-branded as the Microsoft SmartScreen filter.
IE 8 Beta 2 will have a Cross Site Scripting (XSS) filter, preventing scripts within a link from executing on the browser.
Previously announced features include highlighting domain names from the rest of the URL (so you can visually see that you are on eBay.com, not some other site), and extended verification SSL.
Using Data Execution Protection (DEP) within Windows XP SP3 and Windows Vista SP1, IE 8 will scan downloads and block any that it deems dangerous.
(Credit: Microsoft)IE 8 Beta 1 has already introduced several changes when handling ActiveX components. Components will be installed per user, which eliminates the need for everyone to have administrator privileges. In addition, you must acknowledge or opt-in for the component to run, eliminating drive-by downloads. Components will be per site and will only be available from site of origin. Finally, site developers can request killbits from Microsoft which can be sent via Windows Update to terminate risky or outdated components.
For developers, Microsoft is including improvements for better communication between the client browser and Web server. Cross Domain Requests (CDR) is a more secure way for the browser to pull data from other domains; and Cross Domain Messaging (XDM) is a more secure means for a browser to send a message across a domain. Microsoft says it is working with other browser vendors to standardize these.
The public Beta 2 for Internet Explorer is expected sometime in August 2008.
A group of researches on Tuesday said 637 million Web users are surfing with outdated Internet browsers and therefore at greater risk of Web-based attacks.
Using data collected from Google Web searches and security firm Secunia, the researchers, Stefan Frei (of ETH, Zurich), Thomas Dübendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH, Zurich), analyzed the browsers used in a new report (PDF). They did so in an effort to understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.
Overall the authors found that roughly 40 percent of users were using insecure versions of Web browsers. Among the least compliant were users of Internet Explorer, which currently dominates the Internet browser market.
The data was collected in mid-June 2008. The users were scattered among 78 percent Internet Explorer users, 16 percent Firefox, 3 percent Safari, and 0.8 percent for Opera. Of these, 52 percent were running the latest version of Internet Explorer, 92 percent for Firefox, 70 percent for Apple, and 90 percent for Opera.
The authors note that it has taken IE 7, the current Internet Explorer release, 19 months to gain only 52 percent of the entire Internet Explorer audience. Forty-eight percent of the users in the study were either using an old version of IE 7 or still had IE 6 installed.
Some of this has to do with how the respective vendors provide updates. IE 7 is currently offered as an auto-update with each monthly set of Microsoft security patches, yet a number of people are opting out of the upgrade and still running IE 6.
The study did not include use of insecure browser add-ons, such as older versions of Adobe Reader, because the data from Google contained only the browser info.
For mitigation, the study used comparisons to the food industry, arguing that people understand the need to buy the safest foods, why not browsers? People understand that food is perishable, so why not make Internet browsers display expiration dates? The authors provided an example of a browser that displayed in red in the upper right hand corner "145 days expired, 3 updates missed."
But unlike the food industry there is no liability for software vendors. And, the authors note, software vendors are not legally obligated to provide software updates.
Imagine if the food industry was not accountable for selling spoiled milk.
Apple on Thursday released a new version of Safari for Windows that includes a security fix for a high-profile carpet-bombing desktop attack vulnerability previously dismissed by the Cupertino vendor. The Safari update is only for Windows users, not Mac OSX versions. Version 3.1.2 of Safari for Windows can be downloaded and installed from Apple Downloads, or you can download Safari 3.1 here.
BMP or GIF image memory error
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-1573, an out-of-bounds memory read vulnerability. The error may occur in the handling of BMP and GIF images, which may lead to the disclosure of memory contents. Apple credits Gynvael Coldwind of Hispasec for reporting the vulnerability.
Carpet bombing attack
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2540, a vulnerability in how Windows desktop handles executable files. Apple explains: "Saving an untrusted file to the Windows desktop may trigger the issue, and lead to the execution of arbitrary code. Web browsers are a means by which files may be saved to the desktop. To help mitigate this issue, the Safari browser has been updated to prompt the user prior to saving a download file. Also, the default download location is changed to the user's Downloads folder on Windows Vista, and to the user's Documents folder on Windows XP." Apple credits Aviv Raff for reporting the vulnerability.
Internet Explorer 7
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2306 which is an Internet Explorer 7 vulnerability. Apple explains: "If a Web site is in an Internet Explorer 7 zone with the 'Launching applications and unsafe files' setting set to 'Enable,' or if a Web site is in the Internet Explorer 6 'Local intranet' or 'Trusted sites' zone, Safari will automatically launch executable files that are downloaded from the site. This update addresses the issue by not automatically launching downloaded executable files, and by prompting the user before downloading a file if the 'always prompt' setting is enabled." Apple credits Will Dormann of CERT/CC for reporting the vulnerability.
WebKit Javascript array
This patch only affects users of Windows XP or Vista. The update addresses CVE-2008-2307, which is a memory corruption vulnerability. An error exists in WebKit's handling of JavaScript arrays, so visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Apple credits James Urquhart for reporting the vulnerability.
According to Tipping Point's Zero Day Initiative, the vulnerability, which it rates as critical, was reported within the first five hours of Firefox 3's release.
"Once the vulnerability was verified in TippingPoint's DVLabs and acquired from the researcher, the vulnerability was promptly reported to the Mozilla security team," said a representative.
Although the Zero Day Initiative team does not offer specifics until the vendor has a chance to patch it, the blog post did say this vulnerability, which also affects Firefox 2, requires user interaction and could result in an attacker executing arbitrary code.
Mozilla is reported to be working on a fix.
The Zero Day Initiative has been criticized in the past for paying researchers who find vulnerabilities.
I recently spoke with Johnathan Nightingale, Mozilla's "Human Shield," the man who designed the security interface within Firefox 3. One of the big changes is how Firefox communicates the authenticity of a given site. Located on the left hand side of the address bar is a tiny icon associated with the site. Sites using Extended Verification Secure Socket Layers (EV SSL) go an additional step.
Nightingale explains: "If you go to PayPal.com, for instance, that will expand out and it'll say PayPal Inc USA because PayPal is a site that presents this enhanced identity information and so, because they're presenting it to the browser we can present it our users and if you click that button and you get a bunch of more information. You get this little site identity pop up basically. It'll tell you that this PayPal Inc is located in such and such a place in the United States, and there's even a 'more information' button that'll talk about your history with that site; how many times have you visited it before; all in an effort to help you understand whether this is the site you think it is and what the state of your relationship with that site is.
"Now, as for how Larry figures into all of that--the icon we chose to communicate this identity checking is a passport officer. When you click this icon, which is available on any Web site, whether it has completely verified identity information or no information at all, you can always click the button and find out more about the Web sites that you're interacting with. You'll always see the little passport officer to indicate that we're checking identity credentials right; we're looking into the site; we're trying to verify the information so we can present it to you so that you can make an informed decision about the sites that you're interacting with.
"A lot of sites these days aren't providing any identity information and that's okay. If you don't need to trust them, if you don't need to exchange any confidential information with them, then maybe you don't care if they're identifying themselves. But sites like banks or even government sites for that matter, we're hoping that as more and more of them deploy this extended identity information our users will have a much better sense of who they're interacting with and will develop a confidence that they're on the site they appear to be on."
So how did Larry get his name?
"I was doing the initial designs we had this passport guy in there and I was trying to find a way to introduce him to people and to talk about him and stuff. It gets sort of cumbersome to keep talking about the AIGA public domain icons or passport officer. He just seemed like a friendly guy to me and Larry seemed like a friendly name. I mean he's approachable, he's there to watch out for you, so it just made sense. It's not named after anyone in particular, although if there's Larry out there that wants to claim the title they're welcome to do so."
My entire interview with Johnathan Nightingale can be heard here.
Correction at 7:50 a.m. PDT: The spelling of Johnathan Nightingale has been fixed.
At least one security feature won't make it into the final release of Firefox 3 on June 17, Mozilla confirmed again Thursday.
The feature, Private Browsing, would have disabled all caching, cookie downloads, history records, and form data used during the current session. In essence, you could surf the Web and leave no fingerprints.
"It basically said to the browser: I would like what I'm about to do to not be logged anywhere," said Johnathan Nightingale, Mozilla's "human shield," aka its security user interface designer.
He described the private browsing process as this: you hit a button and everything past that point isn't logged. Then, at some point in the future, you hit the button again and it's as though what you just did never happened.
One possible use might be when someone other than the computer owner uses the browser.
"We looked at ways to do this, but the problem is that it touches a lot of code," Nightingale said. "Because there are such rich interactions with Web sites and mashups and things like that, we didn't want to put in something that was half baked."
You can hear more of my interview with Nightingale on my Security Bites podcast here.
Correction on June 13: The spelling of Johnathan Nightingale has been fixed.
On Wednesday, Mozilla announced next Tuesday, June 17, as "Download Day" for Firefox 3. The company also released Firefox 3 release candidate 3 as a final step toward full release.
With Firefox 3, Mozilla is attempting to set a Guinness Book of World Records for the largest number of software downloads within a 24-hour period. There is currently no Guinness Book record for that accomplishment.
Firefox 3 includes a new rendering engine, so pages load faster. It also uses fewer system resources, addressing a complaint in earlier versions.
On this week's Security Bites podcast, I spoke with Johnathan Nightingale, Mozilla's "human shield," about the security features within Firefox 3, including its antimalware protection and support for Extended Verification SSL.
The current Firefox 3 release candidate, version 3, can be downloaded for Windows, Portable, Mac, and Linux systems.
