Just how buggy is Firefox?
Old 08-09-2006, 14:03   #1
ben1390
cf.addict
 
Join Date: Apr 2005
Posts: 251
Just how buggy is Firefox?

Clicky

Quote:
Security researchers that carried out a code analysis of popular open source browser Firefox using automated tools, have discovered scores of potential defects and security vulnerabilities despite coming to the conclusion that the software was generally well written.

A former Mozilla developer has criticised the methodology of the analysis and said it provides little help in unearthing real security bugs.

Several versions of the software were put through their paces by Adam Harrison of Klocwork using Klocwork's K7 analysis tool. The analysis, which culminated in an examination of Firefox version 1.5.0.6, unearthed 611 defects and 71 potential security bugs.

A large number of these flaws resulted from the code not checking for null after memory was allocated or reallocated. Memory management issues accounted for the next highest defect count (141 flaws). Failure to check the execution path of code also frequently cropped up as a potential error.

Firefox developers have been sent the analysis results, which Harrison concedes is preliminary. "Only someone with in-depth knowledge and background of the Firefox code could judge the danger of a particular security vulnerability," he writes.

It's unclear how many, if any, of the potential defects identified by Klocwork's tool are exploitable, the most important consideration.

Neither Microsoft nor Opera have released proprietary code for their respective browsers for similar analysis, so no comparisons can be drawn.

Alec Fleet, a former developer on the Mozilla Project, said that running code analysis tools has some benefit, but he criticised Klocwork's conclusions as incomplete and potentially misleading.

"To claim that there are 611 known, specific, real defects is just wrong. With most of these tools the signal to noise ratio is very high," he writes.

"This is not to say there aren't 141 other legitimate memory management defects lurking, but it takes a deeper (human) understanding of the codebase, as well as testing of actual codepaths in use, to flush them out. To spend smart developers' time going over long reports of machine-generated lint would be a waste," Fleet adds.

Harrison defended the quality of his analysis against these criticisms. "Although this analysis was automated, the level of analysis is more sophisticated than a traditional lint-type tool. In this particular analysis we reviewed the entire results to verify the correctness of the defects... [but] as with any analysis only the developers can be the final judge on the severity of these problems," he said.
Old 08-09-2006, 14:12   #2
bmxbandit
Inactive
 
 
Join Date: Oct 2004
Location: Nottingham
Posts: 1,405
Re: Just how buggy is Firefox?

Run any piece of software through an analysis like that, and it'll come up similarly. Doesn't sound like a lot of (potential) problems to me, for such a large and complex amount of code...
Old 08-09-2006, 15:13   #3
ADd
Inactive
 
 
Join Date: Apr 2006
Location: Land of the free
Posts: 308
Re: Just how buggy is Firefox?

Unfortunately I believe we will not be able to achieve 100% security, this is a product of the fact code is written by humans - who are fallible. I have found the main downside of IE is that the browser is constantly targeted by malware writers, because it is the most popular Windows browser (as it comes pre-installed). I find the free extensions you can get for Firefox make it more adaptable, and sometimes more secure. One of these extensions is NoScript, which can save you from many java exploits (and there are many) through the browser. The lack of Active X functionality is also a huge advantage when surfing the web. In addition the philosophy behind the FF project, open source is a great idea and deserves support IMO, this open nature allows many minds to become involved in the project, which can only be an advantage. A rival to IE is definitely necessary, as it keeps M$ on their toes, would IE 7 have tabbed browsing without FF, Opera and the like?
Old 08-09-2006, 16:22   #4
Hugh
laeva recumbens anguis
Cable Forum Mod
 
 
Join Date: Jun 2006
Age: 69
Services: Premiere Collection
Posts: 43,982
Re: Just how buggy is Firefox?

quote
A former Mozilla developer has criticised the methodology of the analysis and said it provides little help in unearthing real security bugs.
unquote

A politician's answer - sounds like he was answering the question, but didn't, and cast doubts on the methodology.
Old 08-09-2006, 18:26   #5
punky
Inactive
 
Join Date: Jun 2003
Age: 44
Posts: 14,750
Re: Just how buggy is Firefox?

Quote:
Originally Posted by foreverwar
quote
A former Mozilla developer has criticised the methodology of the analysis and said it provides little help in unearthing real security bugs.
unquote

A politician's answer - sounds like he was answering the question, but didn't, and cast doubts on the methodology.
No, it's not like that. This tool hasn't found 611 exploits, it's found 611 instances that memory isn't checked after an operation. This can lead to an exploit, but only if the surrounding code and function calls allow it. All these defects show that it could be liable to crash, or eat up memory without releasing it until the process is terminated. The guy is scare mongering.

It's no secret Firefox has memory issues, they have tried to be fixed since it was built.

Put it this way, Firefox is open-source. That makes exploit finding extremely easy. Much easier than trial-and-error with IE. The fact that very little has been found, says something. Also, being open-source problems are more likely to be found, and fixed, than being found and used underground.
punky is offline   Reply With Quote
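
Added example (not part of the thread, and not Firefox or Klocwork code): the unchecked-reallocation pattern that the quoted article and post #5 describe, next to a checked version of the same function. `buf_t`, `append_unchecked`, `append_checked` and the `realloc_fn` hook are hypothetical names chosen for illustration; the hook exists only so an allocation failure can be forced deterministically.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer; illustrative names, not Firefox code. */
typedef struct { char *data; size_t len, cap; } buf_t;

/* Allocator hook so an out-of-memory condition can be forced in a test. */
typedef void *(*realloc_fn)(void *, size_t);
static void *failing_realloc(void *p, size_t n) { (void)p; (void)n; return NULL; }

/* The flagged pattern: realloc's result is stored and used unchecked.
   On failure the old block is leaked (its only pointer is overwritten)
   and memcpy writes through NULL, which normally crashes the process. */
int append_unchecked(buf_t *b, const char *src, size_t n, realloc_fn ra) {
    b->data = ra(b->data, b->len + n);
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->cap = b->len;
    return 0;
}

/* Checked form: reject size wrap-around, keep the old pointer until the
   new one is known to be valid, and leave *b unchanged on failure. */
int append_checked(buf_t *b, const char *src, size_t n, realloc_fn ra) {
    if (n == 0) return 0;
    if (n > SIZE_MAX - b->len) return -1;   /* len + n would overflow */
    size_t need = b->len + n;
    if (need > b->cap) {
        char *tmp = ra(b->data, need);
        if (tmp == NULL) return -1;         /* b->data still owned, no leak */
        b->data = tmp;
        b->cap = need;
    }
    memcpy(b->data + b->len, src, n);
    b->len = need;
    return 0;
}

int main(void) {
    buf_t b = {0};
    int ok = append_checked(&b, "abc", 3, realloc);
    int oom = append_checked(&b, "def", 3, failing_realloc);  /* forced failure */
    free(b.data);
    return (ok == 0 && oom == -1) ? 0 : 1;
}
```

A static analyzer reports the first function at every call site regardless of whether the allocation can realistically fail there, which is why each finding still needs review against the surrounding code.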
Old 09-09-2006, 11:06   #6
mart44
Inactive
 
Join Date: Jan 2004
Location: South of England
Posts: 253
Re: Just how buggy is Firefox?

Articles similar to this one arise about Firefox from time to time. Some of the points might be well founded. However, I've been using Firefox for such a long time now that I tend to judge it from practical experience, rather than worry overly about the points such articles talk about.

When all said and done, Firefox works pretty well after a bit of setting up. I've never picked up any malware while using it. Any flaws/defects that get mentioned never seem to stop it doing the basic job it's supposed to do.
Old 09-09-2006, 11:16   #7
Graham M
-
 
 
Join Date: Jul 2003
Location: Poole, Dorset
Age: 40
Services: FreeSat+ Tivo V-Box VM 60MBit
Posts: 13,365
Re: Just how buggy is Firefox?

Quote:
Originally Posted by punky
No, it's not like that. This tool hasn't found 611 exploits, it's found 611 instances that memory isn't checked after an operation. This can lead to an exploit, but only if the surrounding code and function calls allow it. All these defects show that it could be liable to crash, or eat up memory without releasing it until the process is terminated. The guy is scare mongering.

It's no secret Firefox has memory issues, they have tried to be fixed since it was built.

Put it this way, Firefox is open-source. That makes exploit finding extremely easy. Much easier than trial-and-error with IE. The fact that very little has been found, says something. Also, being open-source problems are more likely to be found, and fixed, than being found and used underground.
Well done Punky, you read my mind
Old 10-09-2006, 19:44   #8
Halcyon
Hello !
 
 
Join Date: Mar 2004
Location: Somewhere
Services: Sky, AppleTV, Netflix
Posts: 16,789
Re: Just how buggy is Firefox?

Firefox is very good.
Of course if you download the beta version you may find a few errors like with any beta software.
Download the last official version and you should have no issues. I use it all the time.
Old 12-09-2006, 04:32   #9
howard.bates
Inactive
 
Join Date: Jun 2005
Location: Surrey
Posts: 49
Re: Just how buggy is Firefox?

It would be interesting to know who commissioned the "research".

Automated source code tools have no knowledge of the real world, they tell you about your source code, not about the finished executable; there's a whole world of compilers and linkers in-between. Not only that, they typically treat all problems they find as being of equal severity. To make effective use of the tools requires considerable knowledge of both source code and the development tools, which no outside agency is likely to have.

I use both Firefox and Opera - I have found them both to be very stable and reliable, which is a lot more than can be said for Internet Exploder.