It’s been an interesting few days for Mozilla. Code analysis vendor Klocwork analyzed the Mozilla Firefox source using their K7 product and found “655 defects and 71 potential security vulnerabilities.” That post drew a large number of comments, in part because the analysis was picked up by Slashdot. As it turns out, this was overhyped: the Mozilla team was able to find only 2 or 3 verifiable bugs. A more detailed rebuttal from Robert O’Callahan can be found here.
Continuing down the bad news trail, several new vulnerabilities were reported in Firefox. One appears to be a really nasty XSS bug, and another is related to the problem with RSA signature verification. Since the Network Security Services (NSS) library in Mozilla products implements the RSA algorithms, Thunderbird, Firefox and SeaMonkey are all affected.
Now for some hopefully good news. Mozilla Corp has hired Window Snyder as their Chief Security Something. Window has quite a track record in security: she was a co-founder of @Stake (now part of Symantec), founder of Matasano Security, and a Security Strategist at Microsoft. She says that one of her first initiatives is to analyze the Mozilla source and remove any unused code.
Best of luck Window.
–Chris
Technorati Tags: Mozilla, Firefox, Klocwork, Window Snyder, @stake, Matasano