Will Mozilla’s Fuzzer Break The Web?

UPDATED: The Web browser is the most basic common unit of the Internet experience for
much of the global community. It’s also one of the most attacked. And it’s not just the bad guys breaking the browsers anymore, but also the browser vendors.

On Wednesday, Mozilla will take a massive step forward and explain to an audience at the annual
Black Hat show in Las Vegas how to break the browser using tools that Mozilla
has developed and is expected to release.

In a session called Building and Breaking the Browser, Mozilla’s Chief
Security Officer Window Snyder is expected to discuss a number of security
tools, including protocol fuzzers for HTTP and FTP and a fuzzer for
JavaScript. While the intention is to make
Mozilla’s Firefox technology even more secure, the tools could potentially
also put millions at risk.

Fuzzing is also known as fault-injection testing and is a widely
used technique in security circles to try and break down applications and
expose flaws. The Black Hat session abstract indicates that at least one of
those tools will be released at the Black Hat event.

In a discussion with internetnews.com in March, Snyder indicated that
Mozilla already runs the whole spectrum of security testing tools and
approaches on its products.

She also said that Mozilla’s
security effort could also one day lead to a Mozilla open source effort on
security tools and information. Snyder noted that when Mozilla makes such tools and information available, they will be part of the balance that Mozilla is striving to seek between functionality, security and

Ahead of Black Hat, internetnews.com approached other browsers for any information they might have had on Mozilla’s fuzzer, and Opera came up with the most over Microsoft and Google.

Opera spokesman Thomas Ford told internetnews.com via e-mail that Mozilla sent its fuzzer to two Opera developers, and the testing group is now testing it against different products.

A Google spokesperson said that likely contacts at Google were not aware of the Mozilla fuzzer.
Google recently revealed its own fuzzer effort called Lemon, though it’s not likely to be publicly

The Google spokesperson also told internetnews.com that without knowing any
details of the Mozilla fuzzer, it is impossible to know whether it
would be something that Google would use in addition to Google Lemon.

Microsoft did not directly answer a question about whether it was aware
of Mozilla’s fuzzer. A Microsoft spokesperson noted, however, that fuzzing
is an important part of the security development lifecycle process, and
Microsoft is supportive of other companies adopting similar methods to help
protect their users.

But Opera’s Krogh still had his concerns about how Mozilla’s fuzzer
could end up being used.

“Any tool given to the public to find ways of exploiting a piece of
software is at risk of being misued,” Krogh said. “When an organization
publishes such tools, it must consider whether that tool can be a disservice
to millions of innocent bystanders.”

Opera uses fuzzers and other tools, homegrown and otherwise,
to secure its browser technology.

“As far as its effect on Opera users specifically, our users know that we
work tirelessly to keep our browsers — on PCs, mobile phones, game
consoles — secure and our users as safe as we can,” Krogh said.

But at least one security expert aggrees that the Mozilla fuzzing
effort is likely a very positive thing.

Jacob West, a security researcher with
security analysis vendor Fortify, noted that fuzzing is something that should
be done by most software vendors. He added that fuzzing is popular because
it’s good at finding low hanging fruit and it’s very easy to deploy.

And Mozilla could make it even easier.

“My gut instinct is it will be a good tool because they build large scale
software and fairly high quality software,” West told
internetnews.com. “Fuzzing tools in particular are a good area for
the commoditization of security tools. Having a lightweight tool that has
wide distribution from a company like Mozilla that is well connected in the
industry is a real benefit to software developers in general.”

News Around the Web