On Firefox security

By Percy Cabello

In a recent interview with Window Snyder, Mozilla's recently appointed chief security officer, she revealed that, among other strategies for tightening Firefox security, they will remove any "dead code" (such as code for unused features) from the source tree in order to reduce the attack surface. They will also aim to implement technologies for better memory management that will make software exploitation more difficult.

This comes a week after Adam Harrison's announcement that Klocwork, a source code scanner, had identified 655 bugs and 71 security vulnerabilities in Firefox 1.5.0.6, though the numbers have since been disputed by Harrison himself and, most recently, by Robert O'Callahan. The problem is that reports from an automated tool, whether Klocwork or any other including Coverity (used by Mozilla), must be reviewed by humans to confirm that each finding is a real defect, and this hasn't been the case with Harrison's report. According to O'Callahan, Firefox developers are working through the list, and as of this writing 4 bugs have been reported, 3 of them confirmed.

This news, along with yesterday's seventh Firefox update since its latest release in November 2005, outlines much of what sets Firefox apart on the security front: anybody can audit the source code and report their findings; those reports are welcomed and reviewed; and, as Snyder remarked: "Mozilla will respond quickly to vulnerabilities, fix all bugs with a security impact, and when we add features we will always look at the security impact."

Posted on September 15, 2006 - 9:56 am

Comments

David Naylor

September 17, 2006 9:56 am

Very interesting writeup!
