Mozilla's New Security Chief: Dump Old Code

Window Snyder, whose hiring was announced last week, takes the title of "Chief Security Something" -- that's a working title, and not all that unusual for a company headed by someone who once held the title of "Chief Lizard Wrangler" -- said she has big plans for the group's development efforts.

"We want to reduce the overall risk [to Firefox] by evaluating where there are unused features, and then getting rid of that old code," said Snyder.

While at Microsoft, Snyder was responsible for security sign-offs on Windows XP SP2 and Windows Server 2003. Prior to Mozilla's hiring, she was with Matasano Security, a New York City-based company she founded after leaving Microsoft. Before working for the Redmond, Wash. developer, Snyder was one of the founding team members for the @stake hacking-group-turned-consultancy, which Symantec acquired in 2004.

"We want Firefox to have a tighter code base, and fewer entry points into the system," Snyder said.

"If we find a parsing routine that was built ages ago to manage file formats rarely used now, where the potential for vulnerability outweighs the value of the feature, we can benefit by getting rid of that code," she said. That doesn't mean Firefox will be regularly torn down and rebuilt from scratch, but it might mean stripping out code or shifting older features to optional installs rather than leaving it in the general code base.

Not to say that Firefox is buggy, said Snyder as she defended the browser's security track record.

"Just counting up the bugs is not a good measure of how secure an application is," she argued, referring to some criticisms of the open-source browser when compared to its main rival, Microsoft's Internet Explorer. A year ago, for instance, Symantec tallied the numbers and concluded that Firefox had suffered twice as many vulnerabilities as IE. (In March 2006, Symantec recanted when it changed how it counted up flaws, and found the Firefox vs. IE bug battle a draw.)

"People should be counting the days of risk. How long is the user vulnerable? What's the time between a patch issued and the upgrade installed?" Snyder asked. Using those metrics, Mozilla's products win hands down, she said. "We're turning [patches] around in the space of days, not weeks or months."

Microsoft is regularly criticized for its long patch development and test processes; even when an exploit is actively circulating in the wild, Microsoft can take weeks to produce a patch.

Snyder admitted that Mozilla has one built-in advantage when it comes to getting patches in place faster than Microsoft. "Most of our users are at home, and with automatic updates turned on by default, we can get 90 percent of our base updated to the next version in about 8 days." Microsoft's patches to IE, on the other hand, often are deployed much slower because its enterprise customers must do internal testing before rolling them out to workers.

Mozilla will also investigate and/or implement other features that can enhance Firefox's security.

"We've already put anti-phishing into [Firefox] 2.0," said Snyder. Down the road, she's figuring on new memory management, managed code, and sandbox approaches and technologies. Changes in heap management, for example, can make it more difficult for an exploit to write to that area of memory. "That can limit the exploitability of a vulnerability," said Synder. "That can limit the exploitability of a vulnerability," said Snyder.

"Mozilla will respond quickly to vulnerabilities, fix all bugs with a security impact, and when we add features we will always look at the security impact," Snyder promised.

Coincidentally, Thursday was scheduled as the release date for Firefox 1.5.0.7, a security update to the browser. As of noon PDT, the update had not yet posted to the Mozilla site, however.