Mozilla Hires former M$ for New Security Chief

By dmone'
Is this crazy or what??? (previously posted in wrong thread, sorry)

Mozilla's New Security Chief: Dump Old Code
By Gregg Keizer, TechWeb, Thu Sep 14, 5:12 PM ET

Mozilla Corp. has hired a former Microsoft security strategist to help secure its open-source software, particularly its Firefox browser.

Window Snyder, whose hiring was announced last week, takes the title of "Chief Security Something" (a working title, and not all that unusual for a company headed by someone who once held the title of "Chief Lizard Wrangler"). She said she has big plans for the group's development efforts.

"We're going to move on a new initiative that takes into account how adding new features impacts security," said Snyder. "We want to reduce the overall risk [to Firefox] by evaluating where there are unused features, and then getting rid of that old code."

While at Microsoft, Snyder was responsible for security sign-offs on Windows XP SP2 and Windows Server 2003. Prior to Mozilla's hiring, she was with Matasano Security, a New York City-based company she founded after leaving Microsoft. Before working for the Redmond, Wash. developer, Snyder was one of the founding team members of @stake, the hacking-group-turned-consultancy that Symantec acquired in 2004.

"We want Firefox to have a tighter code base, and fewer entry points into the system," Snyder said.

"If we find a parsing routine that was built ages ago to manage file formats rarely used now, where the potential for vulnerability outweighs the value of the feature, we can benefit by getting rid of that code," she said. That doesn't mean Firefox will be regularly torn down and rebuilt from scratch, but it might mean stripping out code or shifting older features to optional installs rather than leaving them in the general code base.

That is not to say that Firefox is buggy, said Snyder as she defended the browser's security track record.

"Just counting up the bugs is not a good measure of how secure an application is," she argued, referring to some criticisms of the open-source browser when compared to its main rival, Microsoft's Internet Explorer. A year ago, for instance, Symantec tallied the numbers and concluded that Firefox had suffered twice as many vulnerabilities as IE. (In March 2006, Symantec recanted when it changed how it counted up flaws, and found the Firefox vs. IE bug battle a draw.)

"People should be counting the days of risk. How long is the user vulnerable? What's the time between a patch being issued and the upgrade being installed?" Snyder asked. Using those metrics, Mozilla's products win hands down, she said. "We're turning [patches] around in the space of days, not weeks or months."

Microsoft is regularly criticized for its long patch development and test processes; even when an exploit is actively circulating in the wild, Microsoft can take weeks to produce a patch.

Snyder admitted that Mozilla has one built-in advantage when it comes to getting patches in place faster than Microsoft. "Most of our users are at home, and with automatic updates turned on by default, we can get 90 percent of our base updated to the next version in about 8 days." Microsoft's patches to IE, on the other hand, are often deployed much more slowly because its enterprise customers must do internal testing before rolling them out to workers.

Mozilla will also investigate and/or implement other features that can enhance Firefox's security.

"We've already put anti-phishing into [Firefox] 2.0," said Snyder. Down the road, she's figuring on new memory management, managed code, and sandbox approaches and technologies. Among the most promising, she said, are technologies in heap management that make it more difficult for an exploit to write to that area of memory. "That can limit the exploitability of a vulnerability," said Snyder.

"Mozilla will respond quickly to vulnerabilities, fix all bugs with a security impact, and when we add features we will always look at the security impact," Snyder promised.

Coincidentally, Thursday was scheduled as the release date for Firefox 1.5.0.7, a security update to the browser. As of noon PDT, the update had not yet posted to the Mozilla site, however.

This conversation is currently closed to new comments.


Poor judgement.

by stress junkie In reply to Mozilla Hires former M$ f ...

Just when you thought you could put some product on a pedestal. Darn. I wouldn't hire anyone that had worked at Microsoft. Kill them all and let God sort them out.

What's that comment about turning patches around?
"...Snyder admitted that Mozilla has one built-in advantage when it comes to getting patches in place faster than Microsoft. "Most of our users are at home, and with automatic updates turned on by default, we can get 90 percent of our base updated to the next version in about 8 days.""

I'm not aware of Mozilla ever having offered patches. It seems like you always have to do a full installation of the new version. Have I missed something?


I don't think...

by TechExec2 In reply to Poor judgement.

"I'm not aware of Mozilla ever having offered patches. It seems like you always have to do a full installation of the new version. Have I missed something?"

I don't think you've missed anything. Mozilla should probably not use the word "patch" because that word implies a modification to an existing executable. You're right. Mozilla essentially reinstalls or updates Firefox components whenever a "fix" (aka "patch") is automatically downloaded and installed by the "Check for Updates..." feature.

edit: clarification


Makes sense to me

by Tony Hopkinson In reply to Mozilla Hires former M$ f ...

Any recommendation made by this person, do the exact opposite and you'll be more secure.
Worth every penny.

Maybe this Snyder person has had a seen-the-light-on-the-road-to-Damascus type manoeuvre. Now known as an Al Gore.
