After a series of disastrous headlines, Mozilla said this week that it will release some of its home-grown security tools to the open-source community.
Snyder said Firefox developers have created many tools, and though a lot of them are small, special-purpose ones, all of them could be useful to others.
“We want to make the work we’re already doing available to other people and to other products” in the hope that the tools might help developers outside Mozilla spot problems in their code, she said. Snyder sees a direct benefit to Mozilla, too. The more people who bang on the tool, tweak it and modify it, the better the tools should become, she said.
She seemed unconcerned that any tool Mozilla released would prove a significant danger to users. Although hackers also use fuzzers in their vulnerability-sniffing tool kits, “the tool isn't bad or good on its own,” Snyder argued. “They use debuggers all the time. Debuggers aren’t bad” because of that.
Mozilla might have wished it had fuzzed Firefox a bit more over the past three weeks, when it was caught in a name-calling contest with Microsoft supporters. Early last month, Danish researcher Thor Larholm found what he said was a critical input-validation bug in Internet Explorer that let the browser pass potentially malicious URLs to other programs, including Firefox. He laid the blame on IE, while other security experts said it was Firefox’s fault.
Shortly after that, Snyder hinted that she saw the whole mess as an IE problem, but within days acknowledged that Firefox was guilty of the same behaviour. “We thought this was just a problem with IE,” she said last month. “It turns out, it is a problem with Firefox as well.”
Earlier this week, Snyder said that the very public disagreements between security experts as to which browser was to blame had actually been a good thing. “Debate is healthy,” she said. “And if we’re wrong, we say we’re wrong and move on.”
Mozilla updated Firefox twice in July, first on 17 July with 184.108.40.206, and then earlier this week when it released Version 220.127.116.11. Both updates included fixes for the URL protocol handling bug that started the brouhaha. “We weren’t twiddling our thumbs during all of this,” said Snyder. “We were also on the back-end moving forward with fixes.”