Mozilla Aims To Warn Users About Dangerous Sites

With the number of malicious Web pages mushrooming over the past several months, the Mozilla Foundation is looking to help users defend themselves. Window Snyder, who is Mozilla's "chief security something-or-other," says the company is taking a two-pronged approach.

First, Mozilla developers are working on giving Firefox 3.0, the next version of the open source browser due later this year, the ability to detect malicious code on Web sites that users are trying to access. "In Firefox 2, there's no mechanism that identifies if malware is present," says Snyder.

Second, developers are working on creating an interface that will warn users that the pages they're trying to call up are dangerous. "We don't want to just pop up an alert that gives them an OK or cancel option," says Snyder. "We want to create a warning that users won't mistake. ... It's going to be a different kind of warning, and it's not going to be a click-through."

Security company Sophos reported last month that the number of malicious Web sites has skyrocketed over the past few months, from 5,000 new ones a day in April to nearly 30,000 a day in early July. One reason, according to Sophos researchers, is that hackers are increasingly turning away from e-mail as their preferred method of spreading malware and putting their focus on malicious sites. In some cases, they're creating their own sites, but in most cases they're hacking into legitimate sites and embedding malware into them.

The mock-up of the alert appears as a red-letter warning that doesn't have a click-through option, and the malicious page wouldn't be able to load. It's still a work in progress, and it could change dramatically before Firefox 3.0 ships, Snyder says. Technicians are debating whether there should be an override mechanism that lets users go to malicious pages regardless of the danger.

One of the most difficult aspects of implementing something like this is making sure the interface communicates clearly to the user, that it's "the sort of thing users won't be able to sail through without a real context change," Snyder says.

Mozilla programmers are rewriting a lot of the Firefox code for the upcoming version release, Snyder says. They're replacing much of the older code to increase performance and make the code base more modular, able to handle new security threats like phishing. In a previous interview, Snyder said some of the browser's components that are written in native code are being rewritten in managed code to reduce memory management flaws, like buffer overflow vulnerabilities. Managed code executes in a virtual machine, so there's less space for memory management problems.

10 DAYS
Meanwhile, Mozilla faced another security-related issue recently, one of its own making. An executive appeared to suggest the company could patch any known security vulnerability within 10 days. Snyder, who was quick to try to clear up what Mozilla says was a muddled message, says on her blog that Mozilla doesn't set such parameters: "We do not think security is a game, nor do we issue challenges or ultimatums."

That's not what it sounded like at the Black Hat security conference two weeks ago in Las Vegas. Mike Shaver, director of ecosystem development at Mozilla, passed a business card to security researcher Robert Hansen, known as RSnake, with "ten [expletive] days" written on it. Hansen wrote on his blog that Shaver was claiming that, with responsible disclosure, Mozilla could patch any critical hole in that amount of time. Wrote Hansen, "I told him I would post his card--and he didn't flinch. No, he wasn't drunk. He's serious."

Snyder says Shaver meant that, since Mozilla got a recent security update out in only 10 days, there's no reason security researchers should post details of a vulnerability before a patch is available. But security bloggers pounced on what sure sounded like a challenge. Admits Snyder, "His statement has taken on a life of its own."