There have been plenty of serious security issues with Firefox products over the years, according to the recent study entitled "25 Years of Vulnerabilities" done by security firm Sourcefire, which analyzed both open-source and proprietary vulnerabilities reported to two public databases. The Mozilla Firefox browser stood out as having the largest number of high-severity vulnerabilities, second only to Microsoft Windows XP [see graphic].
Firefox had 433 vulnerabilities rated high severity and critical based on the Common Vulnerabilities and Exposures (CVE) database and the second source, the National Vulnerability Database from the National Institute of Standards and Technology. High-severity vulnerabilities mean attackers can potentially fully compromise the user's machine. And in general, three Mozilla products earned the dubious distinction of making the Sourcefire report's list for "Top 10 Products with Critical Severity Vulnerabilities."
"In fact, the top three spots for critical vulnerabilities are held by products from Mozilla," the Sourcefire report states. The Sourcefire report also compared Linux, Windows, and Mac OS as products: Linux scores 1,752 vulnerabilities, compared with 1,114 for Windows and 827 for the Mac OS versions.
As with proprietary software, open source has plenty of serious vulnerabilities waiting to be discovered. But according to some researchers, the bigger problem in open source is the now widespread use of flawed open-source code. And some say it's often far too hard to even find out what the security issues are.
Ryan Berg, chief security officer at Sonatype, said it's not just serious problems like the severity of the Spring Framework "expression-language" flaw that are of deep concern.
"To me, the bigger issue is it's extremely difficult to ascertain the security of open-source components," he says. "We're seeing an unprecedented amount of usage of flawed open-source software."
Sonatype is a company that provides component lifecycle management products, and it also operates the Central Repository for open-source components. It houses more than 400,000 components, serving up more than 5 billion requests per year for 60,000 organizations.
The open-source community needs to make it simpler and more transparent to report issues and publish findings about security in a way that's more discernible, says Sonatype's Berg.
"We get the CVE feeds, but there are unreported issues," he says, noting that the dark side is that vulnerabilities are being discovered but remain generally unknown. But the demand for open source is so strong that developers just keep downloading and downloading it, and it's become a vital part of enterprise code development and commercial products as well.
Downloading flawed open-source code brings with it "issues from a legal perspective," says Rami Sass, CEO of WhiteSource Software, a company that offers open-source lifecycle management software used by vendors and enterprises to track their usage of open-source libraries and legal status to adhere to internal corporate policy.