Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Mozilla to Release JavaScript Fuzzer for Firefox



 By: Lisa Vaas
2007-08-01
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The home-brewed JavaScript fuzzer used to poke holes in Firefox is the first in a series of tools for the open-source community.

Mozilla has distilled what its learned from pounding its Firefox browser and will release its home-brewed knowledge in a series of open-source tools, the first of which is a JavaScript fuzzer that will be released at the Black Hat conference in Las Vegas Aug. 2.

Security chief Window Snyder will detail the "gory details" of how Mozilla gets security done—something you dont get out of a traditional vendor, she told eWEEK in an interview. "[At] Mozilla, the whole worlds watching—we couldnt hide if we wanted to," Snyder said.

Before she came to work for Mozilla, Snyder was a security consultant. She said she saw people constantly reinventing the wheel in terms of security testing processes, tools or how to get a baseline. One thing she came away with: Smaller environments that cant afford a human security professional are struggling to get security information.

So when she got to Mozilla, Snyder decided to make things better for those frantic people. "At Mozilla, since the whole world can see what were doing, [we thought] maybe we can package it up, make it available, get some feedback on it, have people contribute, and have other projects use them," she said.

Resource Library:
The JavaScript fuzzer Mozilla plans to release Aug. 2 has found dozens of vulnerabilities in Firefox. The tool can be modified, built on and used with any technology that employs JavaScript, Snyder said.

"Thats our hope, that people might find it useful," Snyder said.

A fuzzer is a tool that sends data to an application in ways that the application might not expect. A fuzzer can run through test cases—in some cases millions of test cases—with combinations of data and fields manipulated in many ways. The tool by itself isnt dangerous, but it can be used to find where unexpected behavior is in input validation—a useful clue to identifying a vulnerability.

Mozilla also plans to release a protocol fuzzer for HTTP on the client side and a fuzzer for FTP, also from the client side, in a few months, and still more tools after that.

Click here to read about serious URI-handling holes in Firefox that, if left unpatched, leave a system open to hijacking.

Mozilla already shared the JavaScript fuzzer in May with companies whose products Mozilla thinks are vulnerable from relevant risks, wanting to get it into the big vendors hands before letting the world know what it knows about how to bring their products down. That includes Apple, Microsoft and Opera.

Only one company thanked the open-source foundation. None has given Mozilla the feedback it would be grateful to hear regarding whether the tool was useful, Snyder said.

At her Black Hat presentation, Snyder will give more details on the JavaScript fuzzer, including a description of the process Mozilla goes through and how the security team weeds out bugs. Snyder also plans to detail the security features of the upcoming Firefox 3.0 release, due in the fall.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Mozilla to Release JavaScript Fuzzer for Firefox
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


xkw(yVC I`.60LyK I[<˳?Ʒu"sN& }~G%\ؚnX#riS{ޠ^HR}gݻևCǵ(Ȑԭe Pmw4FV-3OL> \?g=,Q :#:UGP1|1Բ1Fԓo͍a21XMK'0+zZA'Ag&e(EJy%vH<4* ʛtږ/yW*E8ܑa/De) #r$*F0u/h=^0/P<{U+nx͎Hߴw@S֠(v2%v!6^:2ș}5Qz$թd#;3{R'͑w2I| Ӿm e8r lvapJ)JP&tGs 'fIu!PؖgT'ç^bARxf`R/*!1lpa#üp'Ae[t^䖡_ֽkio@׾6ҏ5wǾ,v1'l$R ?q5oLa}K:خE.2ؗ#YnOaF.gQ_wռZ,+R-Ja <<< K<ӰNeؓwZ_;JIs:z}S-Ƒ״|!Cq:iwg]rܼx/뷼;AZW@m&foDbJBug" ؂fYv^ZǗ5(醭-o[ y%_dJuf1;Qd>XIC/YTU9Df9n5򳹥ym\ߴ:Mmߴg>3fP|̐?(]i/ȏƀzU5m}!gr:ivSI:dj~R|[kU[lxmuH|x䞺540RR<dO'/M2 H|[8){yA 麚-4SW }!g#{#?",+}=Úy > md©$|ϺzN Ԏ,!o4}G_HP_#X] p3Z&jT23\jMH5ņ])!eW^\—V.(!_.jJ|*(qf){΀ӣ BDԑ?C:C8Q%Kuu7pS:Ǡfyќ(/Ӆ]Wfuw^CL\zmgFMtW6~lv:MxH18,0]ev|`\\67ad:V)BɃJ**R-b(7ZXgL-,5,;LtMM?y㇩?y` h vڄ?jIYV,5}t>GACA4i#Ţh _ rӇv4@ξ dz\`.H rXzB$ƄzN-?=H]6(Zl׃`j#ˆME&@B㞂9۽ޚ@QΒҾqjR*~hS͇mdM= w@Lߣ1#k L<ĥt@ }t(~9-RocS2t)%EҵEEKy3@ $hԏaz6πmbI~ܑvZ<["'9Xt{B#=X|,̈́Ń=*%nqR%f 930YNbL=? e 򍜐=B`&Qea*0pLKak`FX<8Pa4Mh% 1tA.μSI`0u|rHC";Nt3APO}ѡ!n~tl:f3,35?0q}aY kktմyJÂI|B] H8lz:9iP=G>j0k8;rnۂfXi8ȃ=3p rTfѬ||=厬m? |,&](TuΩHJ&k2HLY3j-vss d O,s1r@i?᧔p,9S?ǰCODolO(^HSОjG9zѧl)?ΖUkͲZ^ӛA/~uba_,Hom_¼xu陎ZZE"JM`}.,yKg/0~(9pcʻg[K50_{ܰ퀡[UV፡LYsXWhKx;2ʸA%XSPQ_ق2Iz?:uOlk%8`۱泹ԶO~P9SQ,C*"R*ma5)jEa&s(Ḡ'6a`K9ߝ98[98f/ Ysq]ؖRB|vlN .(HgTfha84Ll?3n[HySI_**UH?~1:2.eX PY΀5mIemӴ 'jYf$8piEriXSH`H[E3OB$`DP;rM %QadàuvaQF wd`{>70M}LKw59>Ȥ2~2jsp!< _p9cm77 {.}Q{һ^K>snW6f}K>9N-nj-h'^)0 *J2B~Nhw\rR+tå`~Ɋd1C]#@$/zjxڹ86??}~nʃS8ȑYe:@ݐ+J^U-~, {]0rAG5h0qH؃ “681S!uW:+jSĵV(tu< `_{3nMO]=׆C$*X 4a25U)V *~mN[5^,?CQX^ Sf;NW'wWm$R*8g7eMH]aym $L},S(O{Û7MOOа4>S'}&Mno^{y7Ӟ9rN7dZJp|]avKre+H˷Bgfj3o騙Kǃ1/rhy2j>_auhSYlp灟08#=[V), 3?t\+ +tx{z&;wԑO1@^eC-oC<@V1`;7==!(4OQ`d6PÒ Z[zOd!>k3-&?SOR)4ssܭ7=R*Ũ 2=ctzێ1dmjĩ7N۳UUz!a,0r]1SLL.s]/$(Rd-*qg@Rf2U>(KEۚ;,(T &RrC5E3r5­7 ɯfٍG~T>U@U%mpP.բS?YTAtU'ǸNB֢%3WJZ5;e HsB5x)`f%qhʈg xdRb u k(&7 uYx\3XҌd;yX^5tP"HNVCU._JAR+ϢpӁ9tOFl~N@( DGuRDR{{+hzp|a`|7izOHƙA>=b[.Kw;? 1KCG\0|rP<}2p);"y ?xi3RI)`WTdP%@BZNbxœo =$M '7ta+{c7o^&R}$ |Q`bB\:LξY^pgiu[# [%n~ǝ?J LЇ_i#RXTj]6>6`-{&:%2}m&A.dRýW%Ik}uuQuAE`A8Av۾p.7[WK' W%u۾܉WG, YF#<^9h6nOM1+0fhR`ǹV}ͳ1z Ai0Dq4fV, T1 KLG:/{ntE$ bT1J/ԟRBMQV=#Di}Lw S):*9Q;_QעA}ǭN[Ib󃗉 NAV~hr_SUb.A)H6ܼN="cCשrJ`":h hw)~ڰO0;p8耒ALQ<ބq?Ic6uٱfJlx4aN9H蔀'C8 z>RB'+'q^V㲞P6T$3 Qˣ?%$;+B(lA:׍ Jcmfyj.?n6V")WAv\d Ґ`qm4.@P1V- ^lj9l0 ޲y>pA\#rSst+aYbeS55kvdlQ;xZ1̿nG8Z7𿲘\tak:orڵ:X2[݉*)d9/;B\'eYA3Pu2:9z/Cv $mea1?1 4;`~er8) Z'4*,JdUk/iM4qQm~95 LIf#1AW6cCv#ohe/詍 P肸GPI8zRwl5tu&5tݶ< DE:'Lx±ݙT,, 0?~E#" \`#7BX#k@+^Ob5Cf@h1sQn/,&PeT0Aóe뻸5&VWY`ο8__ 90*R0>ӑC!)>OM<EόGI("Z 25O&\5?Ė<H<[x)e锂Aj;hW"$JG.9yxo.K`UroK'EO^ 'pg!k"(|D ՟Qy{M?ؔk^\K.5P{{[>Xԇ]Jgtpg$f(^@I зTA, EuUI)nʂŧ8DbXx]bdTy1r oJDQiqs|-f D_^w mGe`MRl*j̾?[,V ؈K),7MF \ߠ [0Uf {Rf),lC3ԩtnS㻔g0AJJqs123׋Ds5Gxs##{+R%VQpkI)W^}i}|<['V&7\}ut-0*Oby3Z(oFmi%\Z(+* ` G&߮pb[ 1uznV eOZFU |l \:ǦFrmLVEr=gGDco#,RiΒQ̿(^s2F`uCD}!NǵQ BE+7$ 4nj 0)Ah+&3XڀvƟٷ0OZەߐ*Zn[[)v%z0u4#$BxP^3t#0lA8FKjϦV V}>TݟV (E]Ls 1a121"ayDJVx5zA?_d2K_ѳ©ڥ/HS?i4w3}+ jEU#~>ǧƽǦ۱CMAd`hV+N'ߏc|*!'L43Kqșuu=|ױ#98Z O\@~vϳYm>ۆ@V?ռ䳎ʿH T[޷(&X ̋0e=?D #(hALHm޽xv1TO;yQXC[6:>6{<CX$ p|e_ln׬g+hT,gV@1#0Xm}"u[`d|V{pOeug@amID)$|“~fSW lQCu&bO~*j߿ c ޱ,N= jo><:OɨQ?wNH7`TxU uD*@"?#ZA]sJ9-(| ("n?-|C~tbGTg$PcbsA"֞<6,~i9F?P㻝M};|eNs{">4i4>(C^P^ ’gM`Ϙ F=PVϗGYAX!cKYOt,R KhzAE!t:]&G6 ͸NE(@$:TCQM)|4hXO5-%נ-6Ƿ$3#6J=!v$vX5Xں q1yK,y-J8sc5/||1nCt0*np:q.{n!"xAFslMk_7䃔Ip,C7D{-}~@h+r E;k|}3]t-RWT01.axɪ^KAHP,D$07_jw_}8{|n$q5@={k襅ڕGq$0rև5o{^ڋjD6 "|qN&S+'tbhG&v*& to|;HH-gZk[~1~":S\YrVfh ͬͱ-j9&F$9F-Rd 3s,CL5_N#bu#ϯR~#r#Fq{Re9U!7,e6iMh)&MFV(ph |jy&G?cLW<00t#pf&ٝ7vY?ewa 'In$[ yO}7 > l \R-:q4pDwZ盫r0u~>L-hXqED#PhbGDC&/7nrlƄ[%Œ 5"<$b\r_IA _] 50lFNOgG/b |n?[' T6CĊ1gKi.#@Σ@T7<)v'(aUd 7T[Pk,(pk4ĦH0\|1gjbԑ 6X`kT燋+ymTwe~tjtk0MZz`kPk7 6tQ(b8KM5ۇӟz{+ۺ9P\bHT֏IL uX\FB(<'<,D`gOGIv]a]'#}M=VbeU]=zJ7KHןz+I)s ?e| ٥ WPɼdtxu1vǚu1So\__|!g g7&|:ܴ9n^oo*[u}}uռi]uYQlB[d _T L, rvոl2;eJq('ڣIB"rKx" /%Lqx&#͚=Vb D(/b^@ :/O!~өpZ/kJ:ٝ%b&{#M/}eʜ4V0684ħEKWL=0yX}Qqx3+7O6SӻO͔?Y9KGǔV矷2i:MɇRUJ>;ϝ/euH]2e|./e|e }/>)/SLKDJ3N?AR/!2%*e|@~R *evJ۠) _?S_ԿIIwRuS :ק )}}N-ߦަ--m :IJ "gk\8=9N/f)R,H_yJˇ%YJ!賒)+z;_KNs;Я"%ߗenldں>iR+ ]a%|^}%ksJ1jt}G{1>Wi K{#68xEqj& 3l?v@X{#uO'NW|7ﹺsd^1Wsr>V=Tb%d̙;=*5Ȟ6qLugDd'hV .ős_]j0QAVLG؟a=PΛ.vٸ)no5epK{y`ʍ=Rio'^nGp~k;ُkw~2kUե |3/߆z/jN\Lv<~hW_,l̯pV73/&X<gU~ oG2p@tL8P2b'q̶Tr@>`OyS Ә-L&-\ʠaCs؂9Nij[\';m=1:S_4ǭaFr1#oSUޣQGWâR g yO'#Ձo2.23M{Q * NZex7Q@LNؒ1d1$QUE dH2n2K,3]I8# b=d#xap(Q`w@\x,1!K1hBLk]w:/vvmDLG_f]eV]>bWОf@L V(>&m X#&[~o 96ū2aўYòg-3 B=/a۰܉iOu ZL}. ,)wz1w17L-sm{tlk xwYW-ej@@|Ķå ?5fB~Ξ.7a X/?&kN,Lӟ eF`O]vBaI3yyL39L$.~6gik-=x%Ǝ$L)9}{PN`>x((" Ͷ U^{#E3d z<RHy 傾]#rF33/1#qyY ЙW8T"?OcLm% 1o!b9*F*((ǘ@DV_Dv~-"Sp|"DgART~sB]*P=eښSOZm v",d/+~EE3`AQ^|eD$g tn#T3tr! 󠶓3ZE?-;wiF)f'VFp)N}q=٢ u ׸6Vx}Ƴ;B7,nG1Su .Ыv,>cx 'Ll> 0}nJ UƷf2KH'3h 볏m-ISj,yN=r:5{`kLBa2\Xdx kYoc3gz3{<=v;s}K_<ҶyDcV|BrX}P7):OOgsZe<Hg,tݔnzTU^X ( # Lsި^Rlãƍ5,cr3Do@ͽŵ]Ac*!R0yvx}P 89]/>%Ӭe~v3Okċ-MMAW_ă|CNlΠg'x{wƐF#:П^8{UD| ׿˾ėxb1j폗ݎq?vQe^g0!OpI)@5X<jqdu5Pb#t;QwP o3Uy@9 rnÉwQSy5r\h,gOA>qgwK*{Zdx Uc]=Rep󧮕  H0\55MFe18Ct@{/f?H4FwVXb1`dH}Ò9`o,#,j?:SRA):^+KSS+ KGմ])m{k'z'fh7-ǫMtNn*bQ<`V:`߂*1*竱7x/x9Ww^cf:q}<iQM]HT5h"E+gV % OA,e4hun0M$ Q M~Q8]?Hl GbQɅK6="TŗsK˗jlLXGt/ 1LGWXs LfO,5+ےZM.Y/@BDJ&&VI8ī_^ V~B2`jfabfݤ/ oԱU$;st2c|Pn]| QZh0N@\d;Gd=eljvl$^9eQeě^ g]m1v3<^apeqc@*7mL4!|{Vk|kB MČQQ#!1&T{cgjR+@{`s$8o@߅gZlnуrE19[v"IсI ~.L'p"}om : &ܹ 9dG$eT$JMPnXA"0a5EgwHTNԄD}Kv%nFJpxjny0TF^fܶ5$PB/1|ӈ1:/wòģJþ@ }بќv7Kv˲}ٴk͇M -N∁8"Ɵb{dE/xonnA.En ,[^fkwqt ނLsǢe9'"ۿ[Ip}QKM̨1->8 BBwy`ێZv}B$<:e( Rk^odf#_$/qMLYu⠅:JtAZ&؛/A z)%2 F=/pn9~UI\yUNޅWX[ዷ0C XLK尜걫 ytpǑ2>A0A^g;OnȀWŐTARX|PΗ[Q EB\f4iǯcӦ$sw # tb,e9M/f KX2Mf?Wdg<=kK<}h-ق.א}Օ/GVWB:zU֯ͣ(a20Wre6[ϻGKO훣#\qǛS)(h"(nъ2f{n> +fˬmPSEFG ]'>p/˱h"$ro5AZ3&cx|P90nh! #.C|}̆mJz_Uf̷\SK7W )}j9E: 3Kqf-#+L _^57