Antivirus

Antivirus software vendors are terrible; don't buy antivirus software, and uninstall it if you already have it (except for Microsoft's).

This is how Robert "Roc" O'Callahan, a former senior Mozilla engineer, started a blog post today, in which he details a long list of problems that antivirus software has caused browser vendors.

O'Callahan's post criticizes antivirus vendors for a series of problems that he experienced first-hand while working at Mozilla, but also through his interactions with engineers at other browser vendors. Here are some of his gripes:

  • AV vendors don't follow standard security practices, which leads to many security bugs in the AV software itself. To prove his point, O'Callahan points readers to Google Project Zero, and in particular to the work of Google security researcher Tavis Ormandy, who in the past two years has discovered gaping security holes in the products of many antivirus vendors, which in many cases allowed a complete takeover of the affected system.
  • AV products poison the software ecosystem because their invasive and poorly implemented code makes it difficult for browser vendors and other developers to improve their own security. O'Callahan recalls that when Firefox implemented ASLR on Windows, AV vendors broke the feature by injecting rogue DLLs into the browser's process. Furthermore, several AV products blocked Firefox security updates for no apparent reason.
  • It's hard for software vendors to speak out about these problems because they need cooperation from the AV vendors. O'Callahan cites his own experience when he called out an AV vendor for injecting code into Firefox APIs, only to be silenced by Mozilla's PR team, who feared that antivirus vendors might retaliate by flagging Firefox as insecure or by blaming the browser for users' malware infections.
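The ASLR complaint above is a checkable one: ASLR only protects a process if every module loaded into it was linked as relocatable (the DYNAMIC_BASE flag in the PE header), so a single non-relocatable DLL injected by a third party leaves a fixed address range inside an otherwise randomized browser. The Python below is an added example, not code from O'Callahan's post or from Mozilla; it reads the DllCharacteristics flags from a PE optional header and flags modules that undo ASLR, and the PE images it checks are minimal constructed stubs with hypothetical module names, not real binaries.

```python
import struct

# DllCharacteristics flags from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

def dll_characteristics(image: bytes) -> int:
    """Read the DllCharacteristics field from a PE image's optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20  # skip PE signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    return struct.unpack_from("<H", image, opt_hdr + 70)[0]

def aslr_report(image: bytes) -> dict:
    """Summarise the mitigation flags that matter for ASLR and DEP."""
    flags = dll_characteristics(image)
    return {
        "dynamic_base": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }

def modules_without_aslr(modules: dict) -> list:
    """Given {module name: PE image bytes} for one process, list the modules
    that lack DYNAMIC_BASE. Such a module loads at its fixed preferred base,
    so a single injected one weakens ASLR for the whole process."""
    return [name for name, img in modules.items()
            if not aslr_report(img)["dynamic_base"]]

def make_stub_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header for offline testing (not a loadable module)."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24 + 240)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    opt_hdr = e_lfanew + 24
    struct.pack_into("<H", buf, opt_hdr, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", buf, opt_hdr + 70, dll_chars)
    return bytes(buf)
```

On a real system the same `aslr_report` can be run over the on-disk image of every module a process has loaded; any injected module reported without `dynamic_base` is the situation the post describes.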

The only ones for whom O'Callahan seems to have any respect are Microsoft's engineers, whom he calls "generally competent", and he is somewhat accepting of their AV product.

AV vendors blasted by Chrome's security engineer

Before O'Callahan's scorching criticism of AV vendors, Justin Schuh, a security engineer for Google Chrome, had also blasted AV vendors in a long series of tweets.

In the past, O'Callahan has been one of Mozilla's biggest influencers and most outspoken voices.

Roc, who was named a Mozilla Distinguished Engineer but left the organization in March 2016, has been critical of many things in the past, including browser vendors themselves, pointing out that, Mozilla aside, most have business interests they need to look after, even ahead of web standards.

Similarly, in 2014, O'Callahan urged users to stop using Chrome, warning that otherwise they would not have the option of using Firefox in the future, an appeal to some users' fear of a Google-dominated web.

In 2013, O'Callahan criticized Google over Blink, Chrome's new rendering engine, arguing that many of Chrome's technologies contradict Google's reasons for developing Blink in the first place.

In 2010, he and other Mozilla engineers had a public spat with Microsoft, calling the company out when the Redmond giant tried to brag that IE was the only browser supporting full hardware acceleration.

Just before leaving Mozilla, O'Callahan urged Mozilla to rewrite everything in Rust, a programming language sponsored by the Mozilla Foundation that focuses on eliminating many of the memory-safety bugs that often appear in C and C++ software.