Opera or Safari

Aug 6, 2007 10:34 GMT  ·  By

Mozilla has given official assurance that the security tools released for Firefox 2.0 will not impact rival browsers. Internet Explorer, Opera and Safari are not affected by the open source security utilities built specifically for Firefox. Furthermore, Microsoft, Apple and Opera all gave their O.K. for the release of the JavaScript fuzzer for Firefox 2.0 after Mozilla submitted the tool to its competitors for evaluation. In this manner, Mozilla ensured that the fuzzer would not lead to the discovery of security vulnerabilities, and subsequent exploits, in competitor products.

During the "Building and Breaking the Browser" session at Black Hat 2007 in Las Vegas, Window Snyder, chief security officer at Mozilla Corporation, together with Mike Shaver, co-founder of the Mozilla project, presented security tools used to bulletproof the open source browser. "We discussed the methods and tools that Mozilla uses to secure the Firefox browser. These tools include a fuzzer for JavaScript, which has led to the discovery and resolution of dozens of critical security bugs. Fuzzers are tools that generate a large amount of input in order to test the robustness of a piece of software and can be used to identify potential vulnerabilities. This is the tool we discussed in our presentation, the first in a series of security tools that we intend to make publicly available," Snyder revealed.

Essentially, the fuzzer is designed to build random strings of JavaScript statements and expressions and bombard the JavaScript engine with them. The input, sometimes malformed with syntax errors, is delivered to the engine as functions. The role of the tool is to automate the process of finding security flaws. Microsoft, Apple and Opera all received versions of the fuzzer beforehand.
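A minimal sketch of that approach, added here as an illustration and not Mozilla's fuzzer or code from the presentation: it builds random statements from a tiny grammar, occasionally drops a character to introduce syntax errors, and hands each string to the engine as a function body through the standard Function constructor. The grammar, the function names and the seed are assumptions chosen for the example, and each body is only parsed, never called.

```javascript
// Added illustration, not Mozilla's fuzzer; every name below is hypothetical.
function makeRng(seed) { // small LCG so a run can be replayed from its seed
  let s = seed >>> 0;
  return () => (s = (s * 1664525 + 1013904223) >>> 0) / 4294967296;
}
const pick = (rng, xs) => xs[Math.floor(rng() * xs.length)];
const ATOMS = ["x", "y", "0", "1.5", "'s'", "[]", "({})", "null", "this"];
const BINOPS = ["+", "-", "*", "/", "%", "<", "===", "&&", "||", "&", "<<"];

function genExpr(rng, depth) { // random but always well-formed expression
  if (depth <= 0 || rng() < 0.3) return pick(rng, ATOMS);
  const a = genExpr(rng, depth - 1);
  switch (Math.floor(rng() * 4)) {
    case 0: return `(${a} ${pick(rng, BINOPS)} ${genExpr(rng, depth - 1)})`;
    case 1: return `(${pick(rng, ["!", "-", "~", "typeof "])}${a})`;
    case 2: return `${a}[${genExpr(rng, depth - 1)}]`;
    default: return `${a}(${genExpr(rng, depth - 1)})`;
  }
}
function genStmt(rng, depth) { // random but always well-formed statement
  const e = genExpr(rng, 2);
  if (depth <= 0) return `${e};`;
  const s = () => genStmt(rng, depth - 1);
  switch (Math.floor(rng() * 5)) {
    case 0: return `var x = ${e};`;
    case 1: return `if (${e}) { ${s()} } else { ${s()} }`;
    case 2: return `while (${e}) { ${s()} }`;
    case 3: return `try { ${s()} } catch (err) { ${s()} }`;
    default: return `return ${e};`;
  }
}
function compiles(body) {
  try { new Function(body); return true; } // parse only; the function is never called
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

function fuzz(seed, rounds) {
  const rng = makeRng(seed);
  const stats = { compiled: 0, syntaxErrors: 0 };
  for (let i = 0; i < rounds; i++) {
    let body = genStmt(rng, 2);
    if (rng() < 0.25) { // sometimes damage the text by dropping one character
      const cut = Math.floor(rng() * body.length);
      body = body.slice(0, cut) + body.slice(cut + 1);
    }
    stats[compiles(body) ? "compiled" : "syntaxErrors"]++;
  }
  return stats;
}
```

A SyntaxError is the engine rejecting input cleanly; what a fuzzer of this kind looks for is anything else, such as a crash or a failed assertion inside the engine, and the seed lets the offending input be regenerated.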

"The responsible sharing of security tools is an important way to contribute to the overall health of the web. We worked with Microsoft, Apple, and Opera to reduce the possibility that this tool might adversely affect users of those browsers. All of these browser vendors reviewed the tool and let us know that they were okay with the release," Snyder added.