Security researchers who carried out a code analysis of the popular open source browser Firefox using automated tools have discovered scores of potential defects and security vulnerabilities, despite coming to the conclusion that the software was generally well written. A former Mozilla developer has criticised the methodology of the analysis and said it provides little help in unearthing real security bugs.
Why all the target on Firefox? After all, IE has been riddled with security flaws for how many years now?
I don’t mean to reflect this onto IE, but come on, are you saying Mozilla are not even aware of these, and how does it work in the real world?
Because they can view the source code of Firefox, but not IE or Opera. An automated code review like this couldn’t have been performed (by anyone in public) on anything but Firefox or another open source browser.
Before you get all worked up – keep in mind this is EXACTLY why open-source is better. There are more people able to review the code for errors, and report/fix them, thus it will generally end up being a more secure/stable product in the long run.
The fact that IE/Opera are not open-source, and not submitting their source to anyone willing to criticize the code only ensures they will not ever have the same opportunity to find and fix their problems as effectively.
This type of criticism is healthy!
I understand this, but it still looks bad to people on the outside. It’s hardly fair since the other browsers are closed source; it kind of makes them look good.
Then think of it this way: “There’s no such thing as bad press”.
People who care are going to understand this, and people who don’t care will learn the hard way
This chicken is $10
This other chicken is of an unknown price.
Which chicken do you want to buy?
This chicken is $10. This other chicken is of an unknown price. Which chicken do you want to buy?
This chicken has 2 grams of toxic materials in it. The other chicken has an unknown amount of toxic materials in it. Most of the world eats the second kind of chicken and lives. Which chicken do you want to buy?
Sure, you and I know that “2 grams” of defects probably isn’t a lot. But this is what it’ll look like to an outsider.
“Before you get all worked up – keep in mind this is EXACTLY why open-source is better. There are more people able to review the code for errors, and report/fix them, thus it will generally end up being a more secure/stable product in the long run.
The fact that IE/Opera are not open-source, and not submitting their source to anyone willing to criticize the code only ensures they will not ever have the same opportunity to find and fix their problems as effectively.
This type of criticism is healthy!
I agree that it is healthy.
OTOH, the part about “only ensures they will not ever have the same opportunity to find and fix their problems as effectively.”, sure but they do have one advantage: they have a team of *paid* engineers working on it, people who can devote 100% of their work time to it. Yes, The Mozilla Foundation does have paid developers (thanks to agreements with Google & others who pay to get put on the search bar, for instance), but not every OSS project has that luxury.
Yes, The Mozilla Foundation does have paid developers (thanks to agreements with Google & others who pay to get put on the search bar, for instance), but not every OSS project has that luxury.
Not yet anyway – I think you’ll find that SERIOUS OSS projects will tend to find commercial support more and more in the future. Companies are finding that supporting OSS projects that support their business model can be good. Look at companies like Novell, Google, Redhat, IBM, and Mozilla – they are providing paid employees with 100% devotion to help contribute and maintain open-source projects that can benefit their business model.
Firefox/Mozilla is one such example, and I expect as the market sways more towards OSS, we’ll see it happening even more so.
Edited 2006-09-09 03:55
The story is about Firefox, not IE (and pre-7 versions at that). If you so want to compare Firefox to another browser, why not try to compare to Opera or even Konqueror?
Claiming that you’re not as bad as the worst just doesn’t cut it. Nor does claiming that ideology inherently makes a better product. The proof is in the pudding.
Edited 2006-09-08 23:48
IMHO, Not Very.
It’s mostly relative though: it crashes fewer times than Morrowind (on Windows, not wine) and The GiMP, yet more often than xchat and gaim.
I do use FF on regular basis however I do admit it is buggy. I can’t even print web pages properly!
https://bugzilla.mozilla.org//show_bug.cgi?id=154892
can’t even print web pages properly
I’m smiling, let me tell you why: a relative of mine called me a few weeks back to jump in, if I had the time, to look at his PC, since every time he tries to print web pages from his browser only parts of the page get printed, sometimes images are missing, sometimes nothing at all – it was Windows, it was IE6, with updates, no adware, no viruses. I spent several hours with it, and the only solution I found was to show him Firefox. It’s far from perfect; still, he’s happy with printing, and with the massively reduced amount of ads and popups.
Buggy or not, just take a moment to think about what your browsing “experience” would be without such alternatives to IE.
I do web dev; I had to develop a printer-friendly CSS to get Firefox printing the page properly.
I use IE, FF, SF on a daily basis. I can assure you that I have never had any spyware when I use IE. I am aware that the average user can’t sometimes avoid it. But believe me, if you have the right setup for IE you won’t get annoyed with spyware. I use FF for a few extensions I use for my dev and also to test compatibility.
EDIT:
And btw, the bug I posted in my 1st comment was first reported in 2002. No fix until now?
Edited 2006-09-09 21:56
So they discovered these “anomalies”…that’s why projects like Firefox are Open Source so they can be fixed. I don’t see why the topic had to be worded that way, it smells like flamebait from a mile away. Typical The Register/The Inquirer stuff, though.
Edited 2006-09-08 21:28
“Neither Microsoft nor Opera have released proprietary code for their respective browsers for similar analysis, so no comparisons can be drawn.”
Whether or not these defects are genuine, it’s safe to say that Firefox being OSS gives independent research companies the opportunity to test it at their own free will. Furthermore, they can communicate their findings back to Mozilla for further analysis.
With IE and Opera being closed source, much less unwilling to release their code for researchers to check for potential problems, is a problem within itself.
I appreciate the heads up, but I’ll stick to using Firefox, thank you. Besides Firefox fixes their issues much quicker than IE could ever dream of.
With IE and Opera being closed source, much less unwilling to release their code for researchers to check for potential problems, is a problem within itself.
I see your point, with closed source you just don’t know. But this has very little to do with researchers checking for problems and a lot to do with Klocwork selling a product that does static analysis of code. For all we know, Opera and Microsoft have been using K7 for years.
In fact, one could argue that given the limited budget of most OSS projects, they’re LESS likely to do this kind of analysis, simply because there’s nobody to pay the $5000 per user for the software [1].
This whole thing seems like a publicity stunt for Klocwork. What better way to advertise than find a huge number of “bugs” in a really popular OSS project?
[1] – http://www.klocwork.com/company/releases/06_16_05.asp
This whole thing seems like a publicity stunt for Klocwork.
That’s exactly what I also thought. But, if the Firefox developers can get some useful information out of this, I’d be willing to let it go. Anyway, who watches the watchers’ source, whether their analyzer analyzes correctly?
“To spend smart developers’ time going over long reports of machine-generated lint would be a waste”
Sounds like Firefox needs a Janitor project* like the Linux kernel.
* http://janitor.kernelnewbies.org/
You’ll never see an audit of IE because you’d have to audit the OS that it sits on (the two are interconnected). While not bad press, it’s not balanced because it’s impossible to see the competition’s code.
Maybe parts of the OS, but I don’t think they would have to audit the entire Windows Operating System, including the kernel and things like Windows Media Player. Perhaps just audit the explorer program and trident rendering engine?
Not really, it would be a simple matter of auditing mshtml and the JavaScript, testing the permissions on ActiveX, and voilà, very easy. The amount of code required to be audited would be quite small.
Sidebar: Microsoft is now employing new security procedures; it takes a while, so Windows Vista will be the first product to go through the programme – it’ll be interesting to see how successful those changes have been.
I’ll drink to that. Even if it does have vulnerabilities, with Firefox, you know *exactly* what you’re getting. With IE? God–I mean, Bill–only knows. Problems that can readily be found can readily be fixed.
No, that’s completely false. 99% don’t know anything about what they are getting. Neither are you.
//No, that’s completely false. 99% don’t know anything about what they are getting. Neither are you.//
No, it’s completely accurate. 99% would realise that if experts can look at the code and analyse it like this because it is open source, then ALL of the users of that code gain a benefit that they don’t get if they use a closed-source browser.
Apparently, you are one of the 1% where that fact goes completely over your head.
Edited 2006-09-09 02:13
Problems that can readily be found can readily be fixed.
Hahaha. So that’s why it took so long for Mozilla to even admit there is a memory leak let alone fix it? Stop living in the dream world. Go to bugzilla. Some bugs are 3+ years old, but only because the developers for some reason or another, don’t want to fix them, they’re not bugs.
Howdy
Erm not really, not all bugs are relevant to the latest version, some get fixed by accident and others get fixed without closing the bug reports.
Feel free to see if the bugs you require fixing are indeed still valid, most often they are not and if they are updating the bug report to say such will attract attention to it.
KDE itself has been having “bug triage” days just to go through and label new bugs as duplicate/verified or closed, and you should not underestimate the amount of work it requires to run Bugzilla and to fix reported bugs, not including old ones.
Saying on OSAlert “Some bugs are 3+ years old, but only because the developers for some reason or another, don’t want to fix them, they’re not bugs.” is kinda retarded; learn how it works before you go and start flaming people.
Edited 2006-09-09 03:58
Erm not really, not all bugs are relevant to the latest version, some get fixed by accident and others get fixed without closing the bug reports.
This is a bug reported in 2004 – still not fixed. I and many people I know get this on a lot of sites.
https://bugzilla.mozilla.org/show_bug.cgi?id=238935
Also; https://bugzilla.mozilla.org/show_bug.cgi?id=275783 – this isn’t a bug, because the developers say so. Even though it happens to many people the devs say it is a JRE bug. Strange how this doesn’t happen with Opera for example. Also, remember the copy/paste bug? It’s still not completely fixed.
Saying on OSAlert “Some bugs are 3+ years old, but only because the developers for some reason or another, don’t want to fix them, they’re not bugs.” is kinda retarded; learn how it works before you go and start flaming people.
How the hell is that flaming? Maybe you’re the retard here.
Go file a bug and report how long did it take for devs to fix it.
I’m not surprised about the above scenario; I’ve filed bugs, only to either get abused or find that it is closed because it is ‘unimportant’.
I thought the whole idea of opensource was getting closer to the ‘grass root users’ when it is more just an easier way for programmers to tell users to go screw themselves if there is a problem with a said product.
Every one of the Mozilla developers needs to be sent on a customer care course, and made to realise this: without a good product, they have no customers; if a customer complains about a bug, for all intents and purposes, that bug exists, and it is up to them to solve the problem.
If there is major memory suckage, it doesn’t matter to the user how much the programmer skirts around the issue, making up excuses, the software is still leaking – fix the damn problem, and the customer will be happy.
>> I thought the whole idea of opensource was getting closer to the ‘grass root users’ when it is more just an easier way for programmers to tell users to go screw themselves if there is a problem with a said product.
Which mirrors my experiences as well. Way back on 0.89 I filed a bug report about how whenever you open/close tabs it didn’t release the memory – ESPECIALLY if you save files from those tabs (saving files seems to exacerbate the problem). Eventually around the 200 meg mark (regardless of how much memory is in the machine) CPU use peaks, and you have to kill the browser using task manager/kill/whatever your host OS uses to off the bugger.
… and when I reported the problem, the best response they could come up with was to try and take me to task for using the term ‘crash’ instead of ‘hang’ – a distinction I’ve not heard in three decades of PROGRAMMING. Even better, six to seven months ago they finally acknowledged the problem – as being a ‘feature’ not a bug. (I’m sure we all had a ‘cringing chuckle’ over that one)
You can TELL the problem is related to the download manager as it STILL does this, including the latest 1.5 stable and the 2.0 beta, meaning to me they’ve done exactly two things about this problem – and Jack left town, took his shit with him…
… and for all the workarounds, patches, the problem is STILL there. Neutering the cache? Oh yeah, THAT’s desirable; using a plugin to save your state every time a page is opened, so you can reload after the crash? … and this resolves the problem HOW? The ‘config.trim_on_minimize’? Works so long as you don’t save anything – a deal breaker for me being I’m a web developer that has to test links.
Of course, if every stupid little save as wasn’t routed through the download manager it would probably alleviate the problem – Seriously, what in blazes is up with routing every save image as through the download manager – if you can right click to “save image as” you’ve ALREADY downloaded it, and if you look close with larger images, sometimes it actually DOWNLOADS IT AGAIN.
But this brings up the other ‘problem’ – you go to start a download, and if it is from a server that takes a while to handshake (FTP for example, though some http servers can be bad – lord help you on a timeout error) the whole browser locks up until everything times out or the download starts – because they insist on running their own crappy tasking model instead of handing it off to the host OS like everyone else in the world.
So yeah, ****** Firefox and the open sores it rode in on. That the programmers apparently cannot even release a pointer properly (as evidenced by the article) should be a warning sign to anyone who knows ANYTHING about programming to stay the hell away from it.
… it is still pretty stable. No application with such a huge code like Firefox will be 100% bugfree anytime soon, but still I trust Firefox more than Opera or IE. Firefox is Open Source (as explained by others already), thus we know about exploits and what developers do against those vulnerabilities. On other browsers you hardly get any information at all and that is something that I don’t like. It is a bit like: Yeah, buy that car, but we won’t tell you how safe it is and you are not allowed to examine the brakes yourself.
Firefox crashed exactly 2 times this year on me and I use this webbrowser daily. Not so bad imho.
Howdy all
There is no need to worry, as this seems more like a publicity stunt rather than something developers didn’t already know.
Check out http://scan.coverity.com/ , similar deal, but they do a lot of open source projects and for a long time Firefox had close to 0 bugs.
Now this isn’t to say there were no bugs, because the class of bugs able to be found using static analysis is rather narrow, but it is nice to see any real bugs that get squished from all this.
I’d like to thank Coverity (old Stanford checker) and Klocwork for providing the information gathered by their tools to everyone, although I don’t like the spin that Klocwork have put on their findings.
Problem with these kinds of tests is that there is a huge difference between potential defects and real world security issues.
An uninitialized variable would raise a defect, but in many cases this may not be much of a security risk. So statistics alone can be misleading, and the problem is many end users will draw conclusions that may not be truly fair. (Like many have said, there is no way to compare to closed source browsers.)
Firefox already has 100s of real security issues.
The ones in this study will show up on Secunia soon enough!
I wouldn’t worry too much about what it means in terms of Firefox quality. I would jump at the chance of someone else scouring over my source code to analyze it for bugs, inefficiency. It is like having someone do work for you for free. Take the data and run with it to make Firefox even better. As long as they stick with the analysis and don’t jump to political statements about which is the best browser then their contribution is useful.
I think the results are really irrelevant. The “bugginess” comes down to user experience. Firefox has crashed significantly less than IE6 ever did for me, and has succumbed to vastly fewer security compromises.
I haven’t really noticed any memory leaks (although I really think they should optimize how past pages are cached in memory).
I think you start noticing bugs when you invite 3rd party software into the mix, like a number of extensions or other plugins. A number of built-in movie players for Firefox on Linux are notorious for crashing Firefox, as well as Macromedia Flash (to a much lesser extent, based on my observation) on Linux – I think the bugs reflect on the 3rd party work and not Firefox directly, although it’s certainly understandable that having good 3rd party support lends to a good Firefox experience.
If you need some machine analysis of the code to determine its bugginess, that is a testament to Firefox’s stability in my opinion. One would have to use a machine because its bugginess is not apparent or absent.
I think this highlights one of the main benefits of using OSS… the security researchers may believe they have found bugs in the code, but at least they have access to the code in order to criticise it!
Because there’s a LOT of talk about security errors, but the real meat of the article isn’t so much security, as it is just BAD PROGRAMMING.
Seriously, Firefox’s memory handling is a total train wreck, almost as big a disaster as its tasking model – his results using a program designed to find such problems are HARDLY surprising.
“A large number of these flaws resulted from the code not checking for null after memory was allocated or reallocated” – does NOT promote confidence… and having taken a peek myself I’m surprised he only found 141 memory issues.
The ‘criticism’ – “little help in unearthing real security bugs” shows that the ‘former mozilla developer’ misunderstood the intent as much as the person who wrote the article.
Of course, being that I can STILL “hang” every version of firefox and most every other gecko based browser with max CPU use and 200-240 megs of memory use and the only page loaded being GOOGLE, regardless of what host OS in under 20 minutes of use (oh, I’m sorry… HANG – I’m STILL pissed about that one) I cannot even fathom how people use it as their day to day browser. It’s bad enough I have to suffer through using it for site testing.
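The unchecked-allocation pattern quoted from the report above (and the “potential defect versus real risk” point made a few posts earlier) in a constructed C example; this is not Firefox code or anything from the Klocwork report. The buggy form sits beside the checked form, with an allocator hook (an assumption made for this example) so the failure path can be exercised.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Small growable byte buffer, constructed for this example (not Firefox code). */
typedef struct {
    unsigned char *data;
    size_t len;
    size_t cap;
} buf_t;

/* Allocator hook (an assumption for this example) so that an allocation
 * failure can be simulated without actually exhausting memory. */
typedef void *(*realloc_fn)(void *ptr, size_t size);

static void *always_fail_realloc(void *ptr, size_t size) {
    (void)ptr;
    (void)size;
    return NULL;   /* what realloc returns under memory pressure */
}

/* BUGGY: the pattern the report counts. The realloc result is assigned
 * straight back without a NULL check, so when the allocator fails:
 *   1. b->data becomes NULL and the only pointer to the old block is lost
 *      (a leak), and
 *   2. memcpy then writes through a NULL pointer (a crash, or memory
 *      corruption where low addresses are mappable).
 * Shown only to illustrate the defect; never call it with an allocator
 * that can fail. */
static void append_unchecked(buf_t *b, const void *src, size_t n, realloc_fn ra) {
    if (b->len + n > b->cap) {
        size_t ncap = b->cap ? b->cap * 2 : 16;
        while (ncap < b->len + n)
            ncap *= 2;
        b->data = ra(b->data, ncap);   /* no NULL check */
        b->cap = ncap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
}

/* FIXED: grow through a temporary, check it, and leave the buffer untouched
 * on failure so the caller can report the error and still free b->data.
 * Also guards the size arithmetic, since an overflowed len + n would make
 * the "successful" path write past the allocation. */
static int append_checked(buf_t *b, const void *src, size_t n, realloc_fn ra) {
    if (n > SIZE_MAX - b->len)
        return -1;                     /* len + n would overflow */
    if (b->len + n > b->cap) {
        size_t ncap = b->cap ? b->cap : 16;
        while (ncap < b->len + n) {
            if (ncap > SIZE_MAX / 2)
                return -1;             /* doubling would overflow */
            ncap *= 2;
        }
        unsigned char *tmp = ra(b->data, ncap);
        if (tmp == NULL)
            return -1;                 /* original block is still valid */
        b->data = tmp;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

int main(void) {
    buf_t b = {NULL, 0, 0};
    int rc = append_checked(&b, "hello", 5, always_fail_realloc);
    printf("append under allocation failure: rc=%d len=%zu data=%p\n",
           rc, b.len, (void *)b.data);
    free(b.data);   /* safe either way: NULL or the still-valid old block */
    return 0;
}
```

Whether the unchecked form is a security bug or “just” a crash depends on where the buffer ends up, which is exactly why a raw defect count says little about exploitability.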
“I cannot even fathom how people use it as their day to day browser.”
Very simple. Not everyone experiences the problems you do. Most never see them. That’s also what’s made them tricky to find and fix. We’ll see if the Klocwork results are of help.
“Of course, being that I can STILL “hang” every version of firefox and most every other gecko based browser with max CPU use and 200-240 megs of memory use and the only page loaded being GOOGLE, regardless of what host OS in under 20 minutes of use”
Could you provide a more in-depth description of this process?
I cannot even fathom how people use it as their day to day browser. It’s bad enough I have to suffer through using it for site testing.
And you wonder how it is not fixed since the few people who experience this like you come complaining instead of helping out with detailed description of the bug’s circumstances or doing firefox tests which many of us do from time to time ?
… and the above statement about crashing gecko does NOT appear to apply to K-Meleon or Seamonkey – so if we could just get a linux build of gecko that doesn’t leak memory like a steel sieve (the best kind of sieve BTW) we’d be set.
Huh? Seamonkey uses gecko too!
>> Huh? Seamonkey uses gecko too!
<peanut>Markum!!! MARKUM!!! Whoom!!!</peanut>
As does K-Meleon – but both of those FIXED the problems that still plague the rest of the gecko family – the same problem I’ve seen on Mozilla suite to back before Firefox was a twinkle in a OSS fanboy’s eye.
Did they mention the bug which has stopped me using the Mac version of Firefox since I tried out the betas of 1.5 and, to my knowledge, hasn’t been fixed since: the problem of it spontaneously reloading (or at least reloading on keystrokes I couldn’t work out, which don’t involve Ctrl or Alt) web pages while you’re filling out a form (such as writing a blog entry in Movable Type or WordPress), resulting in the loss of everything you wrote? I had this experience in the stable Mac version as well, and have checked the release notes every time there’s a minor release and there’s no reference to it being fixed, which is why I use Camino.
That’s very strange. And annoying of course.
Have you tried this lately? I don’t know about the status with MT, but WordPress throws up a warning dialog anytime I try to do any navigation actions on a post-in-progress. Though the way the bug fires the refresh event might avoid that safety measure anyway.
Axord: I’ve not used WordPress (other than for development purposes related to a blogging client I’m writing) since I moved back to MT in summer 1995 when MT 3.2 came out. I’ve not had the problems in WordPress on the rare occasions I use it; they affect me in MT, which does not have the “navigation guard” feature some blogging services have. I was presuming it affected WordPress as well.
“To spend smart developers’ time going over long reports of machine-generated lint would be a waste”
That response sounds unprofessional and it seems like that particular developer got his tail bitten. FreeBSD, for example, actually does put work into reducing the noise generated by code coverage tools, just so that future code quality reports will be more accurate and actually really useful. And guess what, they’ve fixed a couple of issues while doing so too.
Sure, developer time is all about dividing scarce resources. But in a world where we know the Web is filled with dangerous junk, and people regularly complain about memory leaks, it might just be worth it.
Reasoning has done some analysis too, also comparing some open-source projects with some commercial offerings. I seem to remember that open-source software came out favourably, but I don’t quite recall. Maybe it can be downloaded from here, haven’t checked if this is what I remembered: http://www.reasoning.com/downloads.html
And, of course, there are the analyses by Coverity. Google it up.
Edited 2006-09-09 10:27
mmh,
The only one bug I know is the download manager. Start/Stop/Pause doesn’t run.
And the memory is a problem, too.
This week alone, I’m not so sure about Firefox’s stability.
My Windows box has been kinda wonky for the past few days (related to a samba share problem) and I’ve had to force-reboot my box several times, twice with Firefox open. Each time Firefox was open during a force-reboot it would kill my Firefox profile and I’d have to recreate it by importing my saved bookmarks & reinstalling my extensions.
Meh, I can’t say I totally blame Firefox but the disappearing profile is starting to get annoying.
Having written a lot of code to read and re-write source code, I’d like to see how their analyser works against its own source code.
I suspect that it doesn’t find any problems. That should, in itself, signal a problem with the analysis. Simply because a certain code style isn’t the same as yours doesn’t mean that it’s flawed–it’s just different.
This isn’t to say that there aren’t problems with Firefox. There are plenty and some of them have been eliminated in version 2 beta 2. Of course, if the analysis helps eliminate more of them, all the better. I just don’t believe that everything is as black and white as that analysis printed.
Opera is the best web browser IMHO. But… if they made it open source; I believe that Opera would DOMINATE the market after a year or two.