Firefox buffer overflow and full disclosure
Posted Sep 16, 2005 14:55 UTC (Fri) by KaiRo
In reply to: Firefox buffer overflow and full disclosure
Parent article: Firefox buffer overflow and full disclosure
> Firefox is certainly way on the other end of the spectrum, second to only
> Internet Explorer in its number of exploits.
From what I know, the Linux kernel has about as many security flaws getting reported than the whole Mozilla source repository (of which Firefox is only a part, even though it uses a vast majority of it, as the Core code is used by all of Mozilla suite, SeaMonkey, Firefox, Thunderbird etc.) or maybe the kernel has even more.
That doesn't mean the kernel is very insecure, nor does it mean that for the Mozilla codebase. It's just that both a really huge piles of code doing an incredibly large amount of stuff - and yes, even rendering web pages as well as Gecko does is a very large and complex task to do.
It's much easier to create a project that does a fairly simple (even if important) job, such as an SMTP server or, say, a shell, without known security flaws than a system kernel or a sophisticated, modern web browser. Why? Just look at the amount of code involved and the dirty tricks you sometimes need to go thorugh to e.g. work with hardware and userspace (in the case of the kernel) or plugins and scripting (in the browser case).
That said, it's good that there are tools out there that have no really known security issues (yet), believing they'll never have is more dangerous than knowing you have to apply some patches now and then.
to post comments)