Open source software may not be malicious, but any bug in them can be exploited. Eg, one in firefox can cause arbitrary code execution on your computer without any security barrier. And let’s be honest, everything written in C is no life time guarantee on correctness.