Snyder said Firefox developers have created many tools, and though a lot of them are small, special-purpose ones, all of them could be useful to others.
"We want to make the work we're already doing available to other people and to other products" in the hope that the tools might help developers outside Mozilla spot problems in their code, she said. Snyder sees a direct benefit to Mozilla, too. The more people who bang on the tools, tweak them and modify them, the better the tools should become, she said.
She seemed unconcerned that any tool Mozilla released would prove a significant danger to users. Although hackers also use fuzzers in their vulnerability-sniffing tool kits, "the tool isn't bad or good on its own," Snyder argued. "They use debuggers all the time. Debuggers aren't bad" because of that.
Mozilla might have wished it had fuzzed Firefox a bit more over the past three weeks, when it was caught in a name-calling contest between it and Microsoft Corp. supporters. Early last month, Danish researcher Thor Larholm found what he said was a critical input-validation bug in Internet Explorer that let the browser pass potentially malicious URLs to other programs, including Firefox. He laid blame on IE, while other security experts said it was Firefox's fault.
Shortly after that, Snyder hinted that she saw the whole mess as an IE problem, but within days acknowledged that Firefox was guilty of the same behavior. "We thought this was just a problem with IE," she said July 23. "It turns out, it is a problem with Firefox as well."
Wednesday, she said that the very public disagreements between security experts as to which browser was to blame had actually been a good thing. "Debate is healthy," she said. "And if we're wrong, we say we're wrong and move on."
Mozilla updated Firefox twice in July, first on July 17 with 126.96.36.199, and then Monday when it released Version 188.8.131.52. Both updates included fixes for the URL protocol handling bug that started the brouhaha. "We weren't twiddling our thumbs during all of this," said Snyder. "We were also on the back end moving forward with fixes."
At Black Hat, Snyder and fellow Mozilla executive Mike Shaver, the company's technology strategist, also plan to discuss the new security features of Firefox 3, the major update that currently is in preview testing. Firefox 3 is expected to ship sometime this year.
This story, "Mozilla Giving Away Security Testing Tools," was originally published by Computerworld.