Open Bug 244805 Opened 20 years ago Updated 2 years ago

Windows Application Verifier warnings and errors

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows XP
Type:
defect

Tracking

()

People

(Reporter: hjtoi-bugzilla, Assigned: dveditz)

References

(
URL
)

Details

Attachments

(1 file)

mozilla log
60.81 KB, text/plain
Details 
Microsoft recently released a Windows Application Verifier application, which
does various security and correctness checks of Windows applications. See the
URL for a download location. The AppVerifier is part of the Windows Application
Compatibility Toolkit.

I run AppVerifier 2.5 against Mozilla 1.6 on Windows XP (Mozilla/5.0 (Windows;
U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113). I enabled all of the test
settings (except "Stacks" which it warned against using for normal
applications), which made Mozilla pretty slow.

I launched Mozilla with the default start page, and clicked one link, then quit
the application.

It gave me a bunch of warnings and errors, which I will be attaching. There were
things like incorrect use of APIs, giving too broad permissions to objects,
reading and writing to wrong locations and so forth. There were warnings from
gkwidget.dll, fullsoft.dll, mozilla.exe, appcomps.dll, NPOJI610.dll, nspr4.dll,
docshell.dll, gkgfxwin.dll, xpcom.dll, i18n.dll, mork.dll and necko.dll. 

We should get more people running later versions of Mozilla (also Firefox etc.)
and exercising different areas of the product. 

We may not want to fix all of the issues since we probably are not trying to
conform to any Windows Logo requirements, but there are some things that might
be potential security issues, as well uses of obsolete APIs or incorrect uses of
APIs.

The tool seems pretty easy to use, and you can also configure it so it will drop
you in debugger on errors so if you have a debug version of a program you should
be able to find the exact offending lines.
Attached file mozilla log 
The plain text log file is not the nicest thing to read. The format seems to be
such that in the beginning there are commented descriptions of all(?) the
things the tool can find. The rest of the file is the actual things that were
found. So locate an actual error, check the type of the error/warning (for
example "RegistryChecks 17") and find the decription in the comment section of
the file. There is a nice viewer in the AppVerifier application itself.
Assignee: security-bugs → dveditz
QA Contact: toolkit
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: