Open
Bug 244805
Opened 20 years ago
Updated 2 years ago
Windows Application Verifier warnings and errors
Categories
(Core :: Security, defect)
NEW
People
(Reporter: hjtoi-bugzilla, Assigned: dveditz)
Attachments
(1 file)
60.81 KB, text/plain
Microsoft recently released a Windows Application Verifier application, which does various security and correctness checks of Windows applications. See the URL for a download location. The AppVerifier is part of the Windows Application Compatibility Toolkit.

I ran AppVerifier 2.5 against Mozilla 1.6 on Windows XP (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113). I enabled all of the test settings (except "Stacks", which it warned against using for normal applications), which made Mozilla pretty slow. I launched Mozilla with the default start page, clicked one link, then quit the application.

It gave me a bunch of warnings and errors, which I will be attaching. There were things like incorrect use of APIs, giving too broad permissions to objects, reading and writing to wrong locations and so forth. There were warnings from gkwidget.dll, fullsoft.dll, mozilla.exe, appcomps.dll, NPOJI610.dll, nspr4.dll, docshell.dll, gkgfxwin.dll, xpcom.dll, i18n.dll, mork.dll and necko.dll.

We should get more people running later versions of Mozilla (also Firefox etc.) and exercising different areas of the product. We may not want to fix all of the issues since we probably are not trying to conform to any Windows Logo requirements, but there are some things that might be potential security issues, as well as uses of obsolete APIs or incorrect uses of APIs.

The tool seems pretty easy to use, and you can also configure it so it will drop you into the debugger on errors, so if you have a debug version of a program you should be able to find the exact offending lines.
Reporter
Comment 1 • 20 years ago
The plain text log file is not the nicest thing to read. The format seems to be such that in the beginning there are commented descriptions of all(?) the things the tool can find. The rest of the file is the actual things that were found. So locate an actual error, check the type of the error/warning (for example "RegistryChecks 17") and find the description in the comment section of the file. There is a nice viewer in the AppVerifier application itself.
Assignee
Updated • 18 years ago
Assignee: security-bugs → dveditz
QA Contact: toolkit
Updated • 2 years ago
Severity: normal → S3