LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Firefox buffer overflow and full disclosure

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 14:55 UTC (Fri) by KaiRo (subscriber, #1987)
In reply to: Firefox buffer overflow and full disclosure by cventers
Parent article: Firefox buffer overflow and full disclosure

> Firefox is certainly way on the other end of the spectrum, second to only
> Internet Explorer in its number of exploits.

From what I know, the Linux kernel has about as many security flaws getting reported than the whole Mozilla source repository (of which Firefox is only a part, even though it uses a vast majority of it, as the Core code is used by all of Mozilla suite, SeaMonkey, Firefox, Thunderbird etc.) or maybe the kernel has even more.

That doesn't mean the kernel is very insecure, nor does it mean that for the Mozilla codebase. It's just that both a really huge piles of code doing an incredibly large amount of stuff - and yes, even rendering web pages as well as Gecko does is a very large and complex task to do.

It's much easier to create a project that does a fairly simple (even if important) job, such as an SMTP server or, say, a shell, without known security flaws than a system kernel or a sophisticated, modern web browser. Why? Just look at the amount of code involved and the dirty tricks you sometimes need to go thorugh to e.g. work with hardware and userspace (in the case of the kernel) or plugins and scripting (in the browser case).

That said, it's good that there are tools out there that have no really known security issues (yet), believing they'll never have is more dangerous than knowing you have to apply some patches now and then.

(Log in to post comments)

Firefox buffer overflow and full disclosure

Posted Sep 16, 2005 15:08 UTC (Fri) by cventers (subscriber, #31465) [Link]

You're right about the number of vulns in the kernel. It's upsetting.
Thankfully, though, the kernel vulnerabilities tend to apply only in a
very specific situation, and very rarely allow someone without an account
to do anything dangerous. So perhaps comparing the kernel (an operating
system) to Firefox (an Internet browser) is unfair. But I didn't bring up
apples to oranges - the comparison was Firefox and Internet Explorer, and
both have had a very embarrasing security history lately.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds