Author Topic: 655 FF bugs and 71 security leaks  (Read 13750 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
655 FF bugs and 71 security leaks
« on: September 08, 2006, 11:54:16 AM »
Hi forum folks,

A researcher has found 655 bugs and 71 possible security leaks in the open source browser Firefox. Adam Harrison found these errors using the static analysis tool K7. According to Harrison, Firefox is a program that has been written well, and real first-class software. What he has found has been turned over to Mozilla.

Here is a survey of all the problems in FF 1.5.0.6:
http://www.g2zero.com/2006/09/examining_defects_in_the_firef.html
A lot of mistakes were because the code does not check for null values after mem has been allocated. Also memory management of Flock is not ideal.

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

..::ReVaN::..

  • Guest
Re: 655 FF bugs and 71 security leaks
« Reply #1 on: September 08, 2006, 11:56:04 AM »
Also memory management of Flock is not ideal.

You can say that again ...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: 655 FF bugs and 71 security leaks
« Reply #2 on: September 08, 2006, 02:51:35 PM »
Hi Mikey,

This is one of these typical null pointer dereference bugs:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046107.html

Some add-ons bring FF to its knees. Let us say that some coders aren't trained to have these potential problems in mind, race conditions included.
Mangling of code in such a way, here with K7, analysis with dependency walker, fuzzing etc. can bring a lot of weaknesses to light.
If you are getting the message "Some code is running", you have to seriously start to consider saving your profile and other settings. Also using the browser without the session manager plug-in is unwise.

Why didn't they secure the code with splint? Inexpensive and free: http://www.splint.org/

If you are working with a multi-threaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the if statement; and unlock when it has finished.


polonus
« Last Edit: September 08, 2006, 03:19:24 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
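
An added example, not part of the original posts and not Firefox code, of the two habits named in the thread: checking an allocation result for NULL before use, and taking the lock before the `if` and releasing it afterwards. The `title_cache` structure, the function names and the `alloc_fn` hook are hypothetical, and the sample string is constructed.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator hook: lets an allocation failure be simulated. */
typedef void *(*alloc_fn)(size_t);
static void *failing_alloc(size_t n) { (void)n; return NULL; }
/* Hypothetical shared state: one string guarded by one mutex. */
struct title_cache { pthread_mutex_t lock; char *title; };
#define TITLE_CACHE_INIT { PTHREAD_MUTEX_INITIALIZER, NULL }

/* Returns 0 on success, -1 if allocation failed (cache left unchanged). */
static int cache_set(struct title_cache *c, const char *s, alloc_fn alloc) {
    size_t n = strlen(s) + 1;
    char *copy = alloc(n);
    if (copy == NULL)                      /* check before the first write */
        return -1;
    memcpy(copy, s, n);
    pthread_mutex_lock(&c->lock);
    free(c->title);
    c->title = copy;
    pthread_mutex_unlock(&c->lock);
    return 0;
}

/* Copies the title into out; returns its length, or -1 if empty/too small. */
static int cache_get(struct title_cache *c, char *out, size_t outlen) {
    int rc = -1;
    pthread_mutex_lock(&c->lock);          /* lock before the if ... */
    if (c->title != NULL) {
        size_t n = strlen(c->title);
        if (n < outlen) {
            memcpy(out, c->title, n + 1);
            rc = (int)n;
        }
    }
    pthread_mutex_unlock(&c->lock);        /* ... unlock on every path */
    return rc;
}
static void cache_clear(struct title_cache *c) {
    pthread_mutex_lock(&c->lock);
    free(c->title);
    c->title = NULL;
    pthread_mutex_unlock(&c->lock);
}

int main(void) {
    struct title_cache c = TITLE_CACHE_INIT; char buf[16];
    if (cache_set(&c, "constructed", failing_alloc) != -1) return 1;
    if (cache_set(&c, "constructed", malloc) != 0) return 1;
    int ok = cache_get(&c, buf, sizeof buf) == 11;
    cache_clear(&c);
    return ok ? 0 : 1;
}
```

Without the lock in `cache_get`, another thread could run `cache_clear` between the NULL test and the copy, which turns a passed check into a use of freed memory.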

..::ReVaN::..

  • Guest
Re: 655 FF bugs and 71 security leaks
« Reply #3 on: September 08, 2006, 03:21:55 PM »
Hi Mikey,

This is one of these typical null pointer dereference bugs:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/046107.html

Some add-ons bring FF to its knees. Let us say that some coders aren't trained to have these potential problems in mind, race conditions included.
Mangling of code in such a way, here with K7, analysis with dependency walker, fuzzing etc. can bring a lot of weaknesses to light.
If you are getting the message "Some code is running", you have to seriously start to consider saving your profile and other settings. Also using the browser without the session manager plug-in is unwise.

polonus

Hmm thanks for the link, i have IE Tab installed over here too and it's good to know how you can make it crash ...
As far as session manager goes , it's the first extension i usually install on Flock/FF ;)

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: 655 FF bugs and 71 security leaks
« Reply #4 on: September 08, 2006, 04:45:20 PM »
I'm just amazed and wondering how can you people wait so long for your Firefox to fire up with all those extensions and stuff. Your Firefox must be 2 tons heavy, lol. I have never installed even one single extension for Firefox in my life, and it works perfectly without some unnecessary stuff on my computer (not saying that all extensions are a waste of time, but in general). One day after all those extensions installed, it may happen that your Firefox will start up so slowly that it will "beat" the unbelievably heavy Photoshop  ;D

I personally never had any security related problems, nor even program related issues. IE6 plain as it is, and my Firefox as a backup browser (when checking my web design work) are working like a charm. I just keep them up to date and that's it.
MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s

..::ReVaN::..

  • Guest
Re: 655 FF bugs and 71 security leaks
« Reply #5 on: September 08, 2006, 06:16:18 PM »
LOL Sasha you don't have to have a ton of extensions installed for FF to open up slowly(slow even without them). It's slow to boot up let's face it(try it in linux though and tell me if you notice a difference ;) ). A little off the topic but since you mention all those extensions i wanted to give my thoughts on all those script blocking extensions Polonus keeps recommending... I don't have NoScript installed because it drives me insane with all that blocking(doing some stuff with javascript myself and i don't have the time to click and click at those popups i just want to see my darn page that's all i want). If i go to a site that has dangerous scripts which crash your browser fine just let it crash no big deal(i'm not gonna cry cause i have Session Manager ;D ) ! BTW hasn't ever happened to me before(only when clicking on links Polonus provides hihihi ;D )! And i don't need any adblocking extension too , in fact it seems i am one of the few people that actually doesn't mind looking at some ads now and then(the ones the built in popup blocker doesn't block). And blocking Flash? Are you crazy(if you are on dial up i understand)? Flash is one of the BEST things that could have happened to the web(and web design) !!! ...

I said many times if you are worried about all those scripts and flash and who knows what else just use Lynx(it's a real browser yeah) !!!
It's a console web browser(yeah that ugly dos box) and it doesn't display graphics , flash movies , no popups NOTHING! Just plain old text! And it asks you every time if you want to accept cookies.
You see where i am getting here? If you block Flash and Java, Javascript etc. you are not viewing the web page as the author meant it you'll  just be reading some text so you're better off using a text mode browser like Lynx at least it will load faster ...

BTW Sasha all those extensions i have installed are there for a reason and there isn't a single one there that i don't use or is unnecessary(for me at least) ;)



Made some screenshots(lynx in action while browsing THIS forum):





Sasha this is a screenshot of the extensions i use in Flock:





Cheers,


Mikey
« Last Edit: September 08, 2006, 06:23:55 PM by M2 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89058
  • No support PMs thanks
Re: 655 FF bugs and 71 security leaks
« Reply #6 on: September 08, 2006, 06:48:09 PM »
My firefox with 18 extensions takes 8-9 seconds to load, but I'm not in that much of a rush, it only gets loaded once per day.

As M2 said even without extensions it is still slow probably a whole 6 secs on my system, which isn't by any means fast. I think we get a little spoilt with speed, in this instant internet age,  internet pages have to load instantly, we forget what it used to be like on a 8086 CPU computer, 9600 or 14400 modems, windows 3.1, etc. so 9 seconds in the greater scheme of things doesn't make me consider going back to IE (no thanks).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: 655 FF bugs and 71 security leaks
« Reply #7 on: September 08, 2006, 06:52:34 PM »
No way, going back... I meant on going forward to IE7  ;D

..::ReVaN::..

  • Guest
Re: 655 FF bugs and 71 security leaks
« Reply #8 on: September 08, 2006, 07:21:52 PM »
Well Firefox is optimized for Linux(so i have read somewhere) but it would certainly be nice if the developers could optimize it a little more for windows too, so that it starts a little faster(it's really blazing fast on linux) ...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: 655 FF bugs and 71 security leaks
« Reply #9 on: September 08, 2006, 09:23:08 PM »
Hi M2,

How can szc state  that all those extensions are making FF or Flock that heavy to fire up, some have 45 kb, the heaviest has a meagre 450 kb. No it must have something to do with the allocation table, and the uneconomical way it does its work. It has to do with the lay-out of the browser, and it has to do with coding (race conditions etc.), idle code running.
As I said in other postings they have to go through the coding with a fine comb and brush, security scanning the codes, run it through a recompiler. Give it the sec consult.
But there is a lot the coders are not to be blamed for. DLL errors, the main route to letting a browser crash, can be a version thing, one version of the DLL has another functionality, or even worse lacks some vital functionality.
An example with the Browzar crapola browser shell weighing nothing was a MSHTML.DLL error, because you make a call to a redirect in another domain, and some versions of this Microsoft DLL cannot handle that, the shell makes IE crash. Also MFC42.DLL import crashes in Browzar are heard of.
FF makes some 73 imports inside the NSPR4.DLL.
 JAR50.DLL can make errors in opening NSPR4.DLL, DLC4.DLL, PLDS4.DLL & XPCOM_CORE.DLL, this leads to errors opening files, allocation errors, profile corruption things cause it.
The thing should  be compiled with a huge memory model.
Extensions can have compatibility issues, not overload issues.


polonus


dk70

  • Guest
Re: 655 FF bugs and 71 security leaks
« Reply #10 on: September 08, 2006, 10:15:26 PM »
Mozilla already use Coverity http://gemal.dk/blog/2006/05/18/mozilla_and_coverity/ Not to blame anyone but they are probably aware of most bugs and won't go "THANKS we never knew... " See Bugzilla. Use that instead of blog of "researcher".

I know up to 50-60 extensions run just fine but to keep the "original" stability/speed you really need to put more effort in installation than just click away at Add-on site. They do a poor job at informing users that it can go wrong. So is extension developed actively, what are known bugs, does it conflict with FF or other extension and so on. Most of the top 10 or so extensions have had or still have memory leaks or worse problems. Starting to get better thanks to tools like Leak Monitor http://dbaron.org/mozilla/leak-monitor/ (don't run any extension which triggers it - bad QA) but still much "crap" to install. Too bad 1.5.0.x or Flock is part of that "crap"  8) Try Gmail or any Vbulletin forum just for a start. 2.0 is big step forward I think though it might not appear to be a revolution. That is what bug-hunting is about, being done every day.

Size in kb of extension has nothing to do with memory use or how "heavy" it feels btw.

Someone at Mozillazine wrote in a forum post that they (Mozilla) should do what his company did. Once in a while they did a version of their whatever software with zero new features - only cleanup and optimizations. Who will disagree with that when it comes to Firefox? Known problem but guess unavoidable due to the way it is made. Patchwork, many inputs from many different people etc. And of course the competition, release demand. I still believe they are on top of things and that especially 2.0 shows it. The somewhat broken/strange new theme is a minor and probably temporary problem, engine room is more important.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: 655 FF bugs and 71 security leaks
« Reply #11 on: September 08, 2006, 11:20:06 PM »
Hi dk70,

Fully agree with you that there can be unknown compatibility problems with some extensions (McAfee SiteAdvisor was an example recently with all the jar50.dll crashes), and how these add-ons and plug-ins work out on each other. There are also code discrepancies as well, and secure code issues (race conditions).
But I cannot understand the users of the closed software browsers, when they rather like to feel secure not knowing what insecurities they have not heard of (security through obscurity).
With FF or Flock security one is to know more or less where you/we stand. With IE7 you take a blank check on the future.

And when you know where the main vectors are to infect your computer (mainly script and Flash). When you can pre-scan links, or you have some indication of the insecurity of a possible search query hyperlink (GeoTrust, SiteAdvisor), and avast Webshield running inside, the rest of your vulnerability window that is left open is made up by the online risks you run (surfing habits/attitude).
The major problems left are made up by instability issues.
Too much of firefox -p or flock -P?
No I  think honesty is the best policy, and will render best results.

polonus


Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: 655 FF bugs and 71 security leaks
« Reply #12 on: September 08, 2006, 11:53:23 PM »
Spending so much time thinking about security deals with paranoia my friend. If users spend all their free time on the internet searching on how to lock their computers and securing themselves from who knows who (maybe Cylons), not much time will be left for them to at least try to be creative and do something creative using their computers. Why not simply unplug the internet cable and problem solved ?

Now about the Flash... just because it uses ActiveX (sometimes, not always especially not if developer doesn't want to use it), what damage can my web site possibly give to you or your computer ? Here is one of those I made: www.peepers.ca

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: 655 FF bugs and 71 security leaks
« Reply #13 on: September 09, 2006, 12:06:09 AM »
Hej Sasha,

Everybody has got to do what he likes to do. You wanna be creative on the Net, others like dk70 and little old me like to delve into security issues, because it is interesting to look for solutions. You want to know why things work or not, and why? You do not have this inclination. If I can see something interesting in a nice patch.
Now in this thread dk70 mentioned mem leaks, then polonus finds that memory leaks in FF can add up to a nice total of 500 MB daily. And we have something to discuss.
That is all the Flash Sasha needs to make some nice Avatars. How many Avatars would that be, Sasha?
I know security has its limits, and that the best firewall runs through the open fireplace, and the best security tool is a pair of pliers. But then everybody is entitled to his or her hobbies, right?

pozdravi,

the old pol

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: 655 FF bugs and 71 security leaks
« Reply #14 on: September 09, 2006, 12:22:30 AM »
Except I could never use Flash to make avatars, simply because this forum doesn't support Flash even though we have INSERT FLASH tag when posting in this forum. Avatars are not my priority nor hobby, I just do that on people's request to make them happy if possible. I use simple graphic editing tools to create avatars, everyone could do it in no minutes if I show him how... if they would look exactly the same as mine, or better or worse, that depends on individuals.

My work span spreads far more than just simple avatars. When I am really, really, really tired of the primary work I do, then I close my eyes and do some avatars to release the pressure.
« Last Edit: September 10, 2006, 05:28:39 PM by szc »