New security director at Mozilla: Remove the old source code
Mozilla Corp. has hired a former Microsoft security strategist to help secure open source software, especially the Firefox browser.
Window Snyder, the new hire, was officially given the title 'Chief Security Something' last week. There is nothing unusual about that at a company whose leader holds the title 'Chief Lizard Wrangler', Snyder said. She also said she has some big plans for developing her security group.
'We will move to a new initiative, putting a way to add a security impact component to the account,' Snyder said. 'We want to reduce the overall risk (for Firefox) by identifying places that do not need to use a certain component and removing all the old source code.'
At Microsoft, Snyder was responsible for security sign-off on Windows XP SP2 and Windows Server 2003. Before Mozilla, she worked with Matasano Security, a New York-based company and the first company she joined after leaving Microsoft. Snyder was also one of the founding members of @stake, the hacking group turned consultancy that Symantec acquired in 2004.
'We want Firefox to have a more basic source code and fewer access points,' Snyder said.
'If we find any decomposition routines that were built years ago to manage files that are now hardly used, we will remove them immediately. That is the germ that has holes that are heavier than the value of the component.' That does not mean that Firefox will routinely have its source code cut away and be rebuilt from scratch. We only remove the code or turn the old component into an installation option, rather than leaving it in the common code base.
'We are not saying that Firefox has a lot of bugs,' Snyder said, defending the browser's security track record.
'Only counting errors cannot accurately assess the security level of an application,' Snyder argued, responding to criticism of the open source browser in comparisons with its main competitor, Microsoft's Internet Explorer. A year ago Symantec tested it and concluded that Firefox had twice as many vulnerabilities as IE.
'People should count the number of dangerous days. How long does a user's vulnerability last? What is the time between providing patches and upgrades?' If this measure is used, Mozilla products will surely win hands down. 'We are changing (patches) day by day rather than by week or month.'
Microsoft is often criticized for taking too long to develop and test patches. Even when an attack is already widespread, Microsoft takes weeks to provide a patch.
Snyder says that Mozilla has an advanced built-in mechanism for delivering patches, one much faster than Microsoft's. 'Most of our users are at home. With updates made by default, we can collect 90% of the base updates for the next version in about 8 days.' Microsoft's releases and bug fixes for IE, by contrast, are often developed much more slowly, because its business customers have to do their own testing before reporting back to the company.
Mozilla has also investigated and implemented other components to improve Firefox's security features.
'We are ready to put an anti-phishing program in (Firefox) 2.0.' Snyder is now considering new memory management and sandboxing methods and techniques. The most promising is the heap management work, which would make writes to memory regions more difficult to exploit. 'That may limit the ability to exploit vulnerabilities,' Snyder said.
'Mozilla will respond quickly to vulnerabilities, fix all security impact flaws. When we add components, we will always consider security issues,' Snyder promised.
According to the plan, Thursday is the release date of Firefox 1.5.0.7, a security update for the browser. However, as of noon (PDT) the same day, the update had not yet been posted on Mozilla's website.
T.Thu