Slashdot Mirror


611 Defects, 71 Vulnerabilities Found In Firefox

Danny Begonia writes, "Some folks at Klocwork examined the large and complicated code base of the popular open source browser, Firefox. Overall, Firefox is a well written and high quality piece of software. Several builds were performed on the code, culminating in the final analysis of version 1.5.0.6. The analysis resulted in 611 defects and 71 potential security vulnerabilities. The Firefox team has been given the analysis results, and they will determine if or how they will deal with the issues." What are your thoughts — do Firefox and the open source community welcome this kind of analysis?

14 of 434 comments

  1. Obvious. by keyne9 · · Score: 5, Insightful

    > do Firefox and the open source community welcome this kind of analysis?

    Obviously, yes. Otherwise, open source would be closed-source.

    1. Re:Obvious. by legoburner · · Score: 5, Interesting

      Especially now that Firefox is so popular. Firefox makes up 10% of users on the general Internet (as counted by thecounter.com), with IE at 85%. My own tech-related site has 76.4% of users using Firefox, with just 10.1% on IE, and my other more casual site has 23.1% Firefox and 64% IE (the rest being Safari, Opera, Konq, etc.)

    2. Re:Obvious. by IAmTheDave · · Score: 5, Funny

      Now, can we get them to run the tests on the Diebold voting machines?

      --
      Excuse my speling.
      Making The Bar Project
  2. Memory leaks by Anonymous Coward · · Score: 5, Interesting

    It seems the problems were mainly to do with memory leaks, which, having seen Firefox eat 700MB of RAM, doesn't surprise me... As long as these problems get fixed I can't complain... Doing this kind of analysis is much easier with the source code, I imagine.

    1. Re:Memory leaks by sharkey · · Score: 5, Funny

      God-damned copy and pasta bug!!!

      What, is it giving you spaghetti when you wanted ravioli?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  3. YES! by Total_Wimp · · Score: 5, Insightful
    > What are your thoughts -- do Firefox and the open source community welcome this kind of analysis?

    God I hope so. What on earth is the advantage of open source security if they don't get this kind of analysis?

    TW
  4. Why Not? by eldavojohn · · Score: 5, Insightful
    > What are your thoughts -- do Firefox and the open source community welcome this kind of analysis?

    And why wouldn't they?

    Seriously, any free testing is better than none. Especially when they point out the problems explicitly and hand them to you. As a developer, you're then given one last chance to fix your product -- if these even need to be fixed. I would expect things like the 134 memory leaks to be fixed and fixed fast. I've known Firefox to occasionally go on a memory splurge at my computer's expense and have expected this to be the problem. As far as some of these other problems that are mild security issues, they might not need to fix them at all.

    Even the article admits that a lot of these "issues" are trivial to fix:

    > By far, the majority of the defects reported were null pointer dereferences (446 defects). A large number of defects resulted from the code not checking for null after memory was allocated. In addition, there were many cases where the return value of functions designed to return null were not checked prior to dereferencing.

    Sounds like a two week job of an intern to me. Checking for null and handling it after memory allocation could probably be a cut and paste job. If they mention the line numbers and files, there's your fix.

    Either way, this is the beauty of open source software, anyone can go in and do this. Now, if you found bugs in a proprietary program from some company and sent them a breakdown of problems, you'd get one of two responses. 1) No response and 2) A charge that you are reverse engineering their product and in violation of many anti-piracy laws. If the company still didn't address the issues and you published the bugs, then you're nothing but a software terrorist.

    So let's kick back and watch open source at its best! No software is perfect, but it will be enjoyable to know that a process like this can occur -- with the end result being a better free product on my machine!
    --
    My work here is dung.
  5. Answer: by Anonymous Coward · · Score: 5, Funny

    > What are your thoughts -- do Firefox and the open source community welcome this kind of analysis?

    No, they're going to sweep this under the rug and disappear anyone else who audits their code. What the fuck do you think?

  6. Of course it does by Dark+Paladin · · Score: 5, Insightful

    Does Open Source encourage this kind of analysis and input? Absolutely. I'll take it two steps further. As of now, the Firefox team can:

    1. Ignore the data.
    2. Use the data to make a better product.
    3. Look at the data, decide what is a true security issue/bug or not, and proceed on.

    And, then there's also the option for the users:

    1. Use Firefox as it is.
    2. Make their own version.

    The very idea of Open Source would, if there is a truly serious bug/security flaw that Firefox ignores, allow another group of people to fix the issue and release their own version - which could compete and even supplant the current Firefox version with the user base should people decide that's what they want.

    So, without appearing rude, I would state that the question is a silly one. Yes, Open Source encourages this kind of analysis of all kinds. It just has a built in process that allows action to be taken - even if the primary code developer does not want to.

    Of course, this is all just my opinion. I could be wrong.

  7. Tools like this produce lots of false positives by Jimmy_B · · Score: 5, Informative

    Static analysis tools like the one used to produce this list tend to produce lots of false positives, because they can't make as many assumptions as a programmer who knows what's going on, and they can't follow most interactions between different modules. So the headline should be "611 *possible* defects, 71 *possible* vulnerabilities" found. More likely, a small handful of those will turn out to be real (but minor) bugs, and the rest will be bogus.
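
The two null-dereference patterns quoted in comment 4, and the reason comment 7 gives for false positives, shown as a C sketch added here (not code from Firefox, the Klocwork report, or any commenter). `alloc_fn`, `failing_alloc`, `find_entry` and the port table are hypothetical names constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator hook so the failure path can be exercised. */
static void *(*alloc_fn)(size_t) = malloc;
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Pattern 1, as reported: allocation result used without a NULL check. */
char *dup_unchecked(const char *s) {
    char *p = alloc_fn(strlen(s) + 1);
    strcpy(p, s);                 /* NULL dereference if allocation failed */
    return p;
}

/* Hardened: check the result and report failure to the caller. */
char *dup_checked(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = alloc_fn(n);
    if (p == NULL) return NULL;
    memcpy(p, s, n);
    return p;
}

/* Pattern 2: a lookup designed to return NULL when nothing matches. */
struct entry { const char *key; int value; };
static struct entry table[] = { {"http", 80}, {"https", 443} };  /* constructed */
struct entry *find_entry(const char *key) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].key, key) == 0) return &table[i];
    return NULL;
}

/* Unchecked use. An analyzer reports it even when every caller, possibly in
   another module, only passes known keys: it cannot see that rule. */
int port_unchecked(const char *key) { return find_entry(key)->value; }

/* Checked use: the assumption is explicit, so the dereference is safe. */
int port_checked(const char *key) {
    struct entry *e = find_entry(key);
    return e ? e->value : -1;
}

int main(void) {
    alloc_fn = failing_alloc;     /* simulate out-of-memory */
    printf("dup_checked under OOM: %s\n", dup_checked("abc") ? "ptr" : "NULL");
    printf("port_checked(\"gopher\") = %d\n", port_checked("gopher"));
    return 0;
}
```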

  8. Speaking of which... (Was Re:Obvious.) by Billosaur · · Score: 5, Insightful

    > Obviously, yes. Otherwise, open source would be closed-source.

    The numbers look large given that Firefox is supposed to be the superior browser, but can you imagine what those same numbers would look like for IE? Think Gates & Co. would care to give up the source code to do a head-to-head comparison? I'll bet the folks in Redmond are looking at these numbers and wondering just how to get IE's numbers that low.

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:Speaking of which... (Was Re:Obvious.) by rucs_hack · · Score: 5, Interesting

      Slightly OT I know, but relevant:

      Back when I was a nurse, in the days before programming sucked me in, I was a manager in a private elderly care home for people with dementia.

      We kept excruciatingly detailed records of every scratch, cut and injury, serious or otherwise, that happened to our clients. So much so that on paper our accident record looked awful compared to other homes, who tended not to be so open. We actually had fewer such incidents than other homes in our region, but we documented *everything*.

      However, come official inspection day, the health authority inspectors were always very pleased with our records, and always passed us with a very high grade.

      The reason? Instead of hunting around for hidden evidence that had been concealed, they just had to consult our records.
      We were open about problems, and always sought solutions. We were also, because of our policy on recording everything, able more easily to identify problems with patients who were more likely to get cut, and work to alter their environment or diet to try and help.

      The result was that we ended up being the top specialist care home in our region.

      When I moved into computer science, the only software model that I would work with was open source. Again there is nothing gained from hiding problems with code, and it's much easier to identify issues. I discovered remarkable similarities with my old nursing practices and the Open Source method.

      I realise the comparison may seem odd, but my point is that being open about problems is a far better way to reach solutions, whatever field it is applied to.

  9. Security reviews are _the_ push for OSS by msobkow · · Score: 5, Insightful

    The biggest push I've heard given to corps over the years is not that OSS can be modified, enhanced, integrated, or reused, but that it can be inspected, reviewed, and fixed.

    If there is anyone working in OSS who doesn't appreciate receiving such an analysis of potential bugs, then they shouldn't be programming anywhere. Whether for fun or profit, fixing the bugs and adding features is what the "job" is.

    --
    I do not fail; I succeed at finding out what does not work.
  10. Re:which one of those bugs was the by ThePlague · · Score: 5, Funny

    That's not a bug, it's a feature.