iEntry 10th Anniversary RSS Archive

IT Management Begins With Security
SecurityProNews > News > Security News > Dozens Of Vulnerabilities In Firefox?
Search:
[ news_security_news ]

Dozens Of Vulnerabilities In Firefox?



SecurityProNews
Staff Writer
2006-09-08

SecurityProNews: Insider Reports Insider Reports RSS Feed


Security software company Klocwork's Adam Harrison claims to have uncovered 655 defects and 71 potential security vulnerabilities in Mozilla's Firefox web browser. A Mozilla developer fired back, calling the analysis bogus.

Harrison used his company's K7 static analysis tool to delve into the open source browser's code. Though he praises the overall quality of the software, Harrison says someone with "in-depth knowledge and background" with the Firefox code would have to assess the risk.

The Firefox team was given the analysis results, he says, and would not elaborate on the security vulnerabilities. He did however list the known defects, which range from NULL pointer deference distribution to memory management and uninitialized variable distribution.

Former Firefox developer Alec Flett, who helped architect some of the Mozilla codebase, isn't buying Harrison's assessment. From Flett's comment:

This is really bogus - many people have run code correctness tools on the mozilla/firefox codebase over the last few years and some good has indeed come out of it. There are always a few dangling pointers or missing null checks that could be added here and there. But to claim that there are 611 known, specific, real defects is just wrong.

With most of these tools the signal:noise ratio is very high. For example, most of these "dereferencing null" cases are either handled automatically by C++ template wrappers that do smart pointer management. Many of these "potential" memory leaks are handled automatically by XPCOM's refcounting.

This is not to say there aren't 141 other legitimate memory management defects lurking, but it takes a deeper (human) understanding of the codebase, as well as testing of actual codepaths in use, to flush them out.



Get all the updates in RSS:




About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.

More news_security_news Articles

SecurityProNews: Insider Reports Insider Reports RSS Feed

Get Your Site Submitted for Free in the World's Largest B2B Directory!

Email Address:
* URL:
*
*Indicates Mandatory Field

Terms & Conditions

iEntry Featured Services: Jayde Member Services | Forums | Freeware | Advertise with Us

Contact Us | Advertise | Newsletter Archive | Sitemap | Submit an Article | News Feeds
SecurityProNews is an iEntry, Inc.® publication - $line) { echo $line ; } ?> All Rights Reserved | Privacy Policy and Legal		 Join the WebProWorld Forums: Click Here
Virus Warnings

Subscribe to
SecurityProNews FREE!


[ more newsletters ]

Featured On:
article resources
Search Articles:
[advanced search]

WebProWorld.com
Get in-touch with industry experts and leaders
Post your site for review by expert and peers
Ask Security, IT, Development and Design questions

Free Membership: Join Now!

Visit WebProWorld.com

Titan Quest Forum
The #1 Titan Quest forum
Halo 3 Forum
The best Halo, Halo 2, Halo 3 forum
Nintendo Wii
Nintendo Wii news and views
Mac Software
The best in OS X freeware
Graphics Forum
Your source for graphic tutorials
SecurityProNews.com | Breaking eBusiness News Get Your IT Questions Answered - Click Here SecurityProNews News Feeds