Review vulnerability history from FF31 to FF45

The Security Slider values were set based on a review of historical vulnerabilities. We should try to skim through https://www.mozilla.org/security/known-vulnerabilities/firefox.html from FF31 to FF38 to see if any new patterns have emerged, and if we should add other prefs to the slider.

If this proves useful, we should also make this part of our rebasing process.

One tricky bit will be untangling all of the "Miscellaneous memory safety hazard" bugs..

added GeorgKoppen201607 TorBrowserTeam201607 component::applications/tor browser owner::gk priority::high resolution::fixed severity::normal sponsor::U status::closed tbb-security tbb-security-slider type::task labels

Trac:
Cc: N/A to gk
Keywords: N/A deleted, tbb-security added

Trac:
Cc: gk to gk, mcs

Trac:
Keywords: TorBrowserTeam201507 deleted, TorBrowserTeam201508 added

We're not likely to change the 5.0 security slider settings, though we still should try to dig through these bugs.

Trac:
Keywords: tbb-5.0 deleted, N/A added

Move remaining August tickets to September.

Trac:
Keywords: TorBrowserTeam201508 deleted, TorBrowserTeam201509 added

Moving Tor Browser tickets to October 2015.

Trac:
Keywords: TorBrowserTeam201509 deleted, TorBrowserTeam201510 added

Trac:
Keywords: TorBrowserTeam201510 deleted, TorBrowserTeam201511 added

Trac:
Keywords: TorBrowserTeam201511 deleted, TorBrowserTeam201512 added

Tickets for Jan 2016.

Trac:
Keywords: TorBrowserTeam201512 deleted, TorBrowserTeam201601 added

Putting stuff on the radar for February.

Trac:
Keywords: TorBrowserTeam201601 deleted, TorBrowserTeam201602 added

Trac:
Sponsor: N/A to N/A
Severity: N/A to Normal
Priority: Medium to High

Trac:
Keywords: TorBrowserTeam201602 deleted, TorBrowserTeam201603 added

Trac:
Keywords: TorBrowserTeam201603 deleted, GeorgKoppen201606, TorBrowserTeam201606 added
Status: new to assigned
Owner: tbb-team to gk
Summary: Review vulnerability history from FF31 to FF38 to Review vulnerability history from FF31 to FF45
Reviewer: N/A to N/A

Trac:
Sponsor: N/A to SponsorU

Trac:
vuln_hist_esr38

Attached is the vulnerability history from June 10 2014 - May 12 2015. (up to and including ESR38)

Moving my tickets

Trac:
Keywords: GeorgKoppen201606 deleted, GeorgKoppen201607 added

Trac:
Keywords: TorBrowserTeam201606 deleted, TorBrowserTeam201607 added

Trac:
vuln_hist_esr45

The one from July 2 2015 - March 8 2016 (up to and including ESR45) got added as well.

Here are the combined results showing the affected components up to and including ESR45. Counted are sec-high and sec-crit rated vulnerabilities. Components with a single issue are omitted. Subcomponents are merged in almost all cases but are visible in the attached documents.

JS (GC + Engine) 57 JS JIT 30 asm.js 3 Grpahics 38 DOM 35 Audio/Video 28 (MSE 2) Web Audio 8 OpenH264 5 WebRTC 20 Networking 14 ImageLib 13 Canvas (WebGL + 2D) 9 Plugins 9 NSS 8 CSS Parsing and Computation 8 Application Update 6 SVG 4 XPConnect 4 XPCOM 4 Document Navigation 3 HTML: Parser 3 Autocomplete 2 NSPR 2 XBL 2 IPC 2 Widget: Gtk 2

Ca. 220 CVEs were looked at.

One interesting find is the Graphics component with 38 vulnerabilities which is missing in the original iSEC report. Maybe that corresponds to the Undetermined 5 or there just have not been any vulnerabilities in that time frame. Anyway, the bulk of those vulnerabilities is related to Graphite (more than 50% of the bugs found in this component are related to that library) which is why we have using that library disabled by default.

Another notable find is that MSEs are affected, too, by critical bugs and should thus be part of our security slider treatment as well (see: #19200 (moved) for the respective bug).

Apart from that I think we are fine with our current security slider settings even though bugs related to it exist, e.g. #19210 (moved).

Trac:
Resolution: N/A to fixed
Status: assigned to closed

Trac:
Keywords: N/A deleted, tbb-security-slider added

closed

mentioned in issue #23409 (moved)

moved to tpo/applications/tor-browser#16652 (closed)