Will Mozilla's Fuzzer Break the Web? Or Will It Make It Better? Sean Michael Kerner
The Web browser is the most basic common unit of the Internet experience for much of the global community. It's also one of the most attacked. And it's not just the bad guys breaking the browsers anymore, but also the browser vendors.
On Wednesday, Mozilla will take a massive step forward and explain to an audience at the annual Black Hat show in Las Vegas how to break the browser using tools that Mozilla has developed and is expected to release.
In a session called Building and Breaking the Browser, Mozilla's Chief Security Officer Window Snyder is expected to discuss a number of security tools, including protocol fuzzers for HTTP and FTP and a fuzzer for JavaScript. While the intention is to make Mozilla's Firefox technology even more secure, the tools could potentially also put millions at risk.
Fuzzing is also known as fault-injection testing and is a widely used technique in security circles to try and break down applications and expose flaws. The Black Hat session abstract indicates that at least one of those tools will be released at the Black Hat event.
In a discussion with internetnews.com in March, Snyder indicated that Mozilla already runs the whole spectrum of security testing tools and approaches on its products.
She also said that Mozilla's security effort could also one day lead to a Mozilla open source effort on security tools and information. Snyder noted that when Mozilla makes such tools and information available, they will be part of the balance that Mozilla is striving to seek between functionality, security and disclosure.
Ahead of Black Hat, internetnews.com approached other browsers for any information they might have had on Mozilla's fuzzer, and Opera came up with the most over Microsoft and Google.
Opera spokesman Thomas Ford told internetnews.com via e-mail that Mozilla sent its fuzzer to two Opera developers, and the testing group is now testing it against different products.
A Google spokesperson said that likely contacts at Google were not aware of the Mozilla fuzzer. Google recently revealed its own fuzzer effort called Lemon, though it's not likely to be publicly released.
The Google spokesperson also told internetnews.com that without knowing any details of the Mozilla fuzzer, it is impossible to know whether it would be something that Google would use in addition to Google Lemon.
Microsoft did not directly answer a question about whether it was aware of Mozilla's fuzzer. A Microsoft spokesperson noted, however, that fuzzing is an important part of the security development lifecycle process, and Microsoft is supportive of other companies adopting similar methods to help protect their users.
But Opera's Krogh still had his concerns about how Mozilla's fuzzer could end up being used.
"Any tool given to the public to find ways of exploiting a piece of software is at risk of being misued," Krogh said. "When an organization publishes such tools, it must consider whether that tool can be a disservice to millions of innocent bystanders."
Opera uses fuzzers and other tools, homegrown and otherwise, to secure its browser technology.
"As far as its effect on Opera users specifically, our users know that we work tirelessly to keep our browsers — on PCs, mobile phones, game consoles — secure and our users as safe as we can," Krogh said.
But at least one security expert aggrees that the Mozilla fuzzing effort is likely a very positive thing.
Jacob West, a security researcher with security analysis vendor Fortify, noted that fuzzing is something that should be done by most software vendors. He added that fuzzing is popular because it's good at finding low hanging fruit and it's very easy to deploy.
And Mozilla could make it even easier.
"My gut instinct is it will be a good tool because they build large scale software and fairly high quality software," West told internetnews.com. "Fuzzing tools in particular are a good area for
the commoditization of security tools. Having a lightweight tool that has wide distribution from a company like Mozilla that is well connected in the industry is a real benefit to software developers in general."
