Sunday, August 05, 2007

Mozilla says critical patches in “Ten #$%*ing Days”

Update 08062007: Window Snyder and Mike Shaver in RSnake's post clarified the comment. As expected, this was Mike's personal commitment to the remediation process and not Mozilla's official security policy. Still that's plenty cool with me. Having seriously dedicated people on our side can be just as good as any lip service policy statement.

Web Browsers are under serious attack and the security of the Web hangs in the balance. Over 1 billon people use the Web and no one but the most security conscious power users have any chance at protecting themselves - and sometimes not even them. We REALLY need browsers to be significantly improved because the security of the entire Web depends on it. Consider how many security/privacy extensions you have installed and the behavioral traits you’ve learned along the way. What percentage of the people on the Web do you think possess this level of knowledge?

During Black Hat RSnake and I got to talking a lot with several members of the Mozilla security team. They are all really good guys and gal (Window Synder) working to establish solid working relationships with the security community. This is a good thing, a very good thing, and something I’ve been asking them to do for a while. They’ve listened. Mozilla invited us to their cookies & milk after party, gave us some free T-Shirts, and even bought us an expensive sushi dinner at Caesars. Can’t beat that! By their actions Mozilla clearly wants to get engaged with the industry, voice their commitment to improving the current situation, and hear the ideas of others. But here’s where it gets really interesting.

Apparently during one of the Black Hat after parties, RSnake and Mike Shaver, Mozilla’s Director of Ecosystem Development, discussed the speed of the browser’s critical patch release cycle. Mr. Shaver claimed Mozilla could roll critical patches out in ten days. RSnake quickly challenged the remark, to which Mike whipped out his business card and hand wrote “Ten #$%*ing Days” demonstrating his seriousness. Now, I didn’t witness this take place first hand so I can’t say for sure how many drinks RSnake handed Mr. Shaver over the course of the conversation. This was after all late at night in Las Vegas during Black Hat so anything is possible, but I’ll RSnake at his word that he was coherent, though I’d expect Mozilla to provide clarification.

Whether or not you think Mozilla can make good on the claim, what I like is that there are people over there passionate and ballsy enough willing to stick their neck out because ours already is. Also, it’s important to understand the difference between traditional vulnerabilities like buffer overflows, which Mr. Shaver was probably talking about, and long standing attack techniques such as intranet port scanning and history stealing. These types of attacks and the dozens of others like them take longer to fix because they are more fundamental to the overall browser security model. Unfortunately according to my sources, restricting intranet connections from public IPs will probably not come until Firefox version 3 and content restrictions being even further out. Ugh.

Still the good news is contacts and relationships are being made. Mozilla is listening and reading the research posted across the web security industry in blogs, mailing lists, and message boards. Progress will take time, but we’re moving forward. Perhaps those with the necessary desire, software development skills, and time can help Mozilla create what they need and kick start the effort sooner, especially on the content restrictions front.


Anonymous said...

So you were bribed with swag and sushi and that "earn(s) them some responsible disclosure points"?

Glad to see that the ethics of appsec is in such good health.

Jeremiah Grossman said...

Chris_B, you actually had me questioning my ethics for a moment. I even went and double-checked with some friends just to make sure I wasn’t the one out of the line. I think it comes down to confusion in my text. Or, maybe you’re the type of person who holds grudges forever. Do you shun people who offers to buy you dinner to make up for something they’ve done wrong, return a favor, or who are attempting to establish a relationship? Would you refuse to accept a free gift as compensation from a business that did you a disservice? You may call these actions “bribery”, but in Mozilla’s case, I call it extending an olive branch. I think everyone at the table saw it the same way.

If Mozilla wants to build some bridges by buying people (it wasn’t only me) food and offering conversation as a sign of good faith and effort, I’m open to it and hope to return the courtesy. By their actions Mozilla clearly wants to get engaged with the industry. I personally appreciate their effort, and find it odd that you not would see that. You of course should feel free to continue on as you have been holding a grudge against whatever vendor that ticked you off. By the way, who in the “appsec industry” was that?

Either way though I’ll clarify my post to so it’s less confusing.

Nic said...

This should be interesting. Either way, at least someone has the b***s to step up to the plate.

Jeremiah Grossman said...

Heya Nic, I definitely with ya there!

Anonymous said...

OK I understand your explanation. Maybe I was just reading what wasnt intented.