655 defects in Firefox source code - theoretically
Klocwork, developers of the static source code analysis tool K7, are currently looking for defective code and security vulnerabilities in major open source projects. In the most prominent such open source project, Firefox, the analysis has unearthed 655 defects and 71 potential security vulnerabilities.
The majority of the flaws were 'null pointer dereferences', in which an attempt to access free memory leads the program to crash. In second place were memory leaks. Klocwork is choosing not to give further details of the security vulnerabilities, however the developers have been informed.
According to Mozilla security team member Ben Bucksch, the team received the data from Klocwork one or two weeks ago. The data has so far not shown up any actual security vulnerabilities. It is too early to say whether the static analysis tool has found a vulnerability or has simply triggered a false alarm, "the real work is to check these points in the code, and that can, as for any code review, take some time," according to Bucksch. The Mozilla security team is also working its way through a similar list from Klocwork rival Coverity.
Klocwork stresses that "Firefox is a very well written, high quality piece of software". The company let its tool loose on other open source projects, including XMMS, Amanda and Samba, back in June.