Linked by Thom Holwerda on Thu 15th Sep 2005 12:20 UTC
Mozilla & Gecko clones

The Mozilla Foundation plans to "shortly" release new versions of its Firefox and Mozilla Web browsers to address a recently disclosed serious security bug as well as several additional flaws, a representative said Wednesday.
openness
by MikeGA on Thu 15th Sep 2005 12:54 UTC
MikeGA
Member since:
2005-07-22

Well, at least they're being pretty open about the whole thing.

Reply Score: 2

It'd be nice...
by eMagius on Thu 15th Sep 2005 13:01 UTC
eMagius
Member since:
2005-07-06

If the Mozilla devs fixed the other security holes that they (and plenty of hackers) have known about for over a year. http://secunia.com/

Reply Score: 0

RE: It'd be nice...
by orestes on Thu 15th Sep 2005 16:09 UTC in reply to "It'd be nice..."
orestes Member since:
2005-07-06

No argument there.

Reply Score: 0

jesus...
by Anonymous on Thu 15th Sep 2005 13:03 UTC
Anonymous
Member since:
---

Can't we have diffs or something? I'm tired of updating every month.

Reply Score: 0

RE: jesus...
by Anonymous on Thu 15th Sep 2005 13:07 UTC in reply to "jesus..."
Anonymous Member since:
---

Can't we have diffs or something? I'm tired of updating every month.

I feel for you, I really really do. Perhaps you should consider getting an extra 3 hours of sleep every night, that way you will have plenty of energy for when the incredibly tiring Firefox update rolls around. Make sure you rest your index finger too, because you will likely hyperextend it by clicking Next Next Next Next once a month.

:)

Reply Score: 3

RE[2]: jesus...
by tiiim on Thu 15th Sep 2005 13:15 UTC in reply to "RE: jesus..."
tiiim Member since:
2005-09-02

Well, as the article says, there is not the perfectly secure browser out there we have all been led to believe. There will also be another way through. If you travel 20 years into the future, the probs we have today will be very tame compared to what they get. (Biological-software implementations, brain central virus/hack anyone?)

What is really silly, despite their obvious problems, is that every time IE gets a prob we will happily cause a riot and bashing over it. But when Firefox gets a prob we quietly tuck it under the carpet. Even though both companies do release patches.

And no, I'm not being biased, I use neither browser.

Reply Score: 2

RE[3]: jesus...
by eMagius on Thu 15th Sep 2005 13:42 UTC in reply to "RE[2]: jesus..."
eMagius Member since:
2005-07-06

While there may not be a 100% safe browser, there are browsers that are much safer than the MSHTML or Mozilla Gecko-based ones.

Reply Score: 1

RE: emagius
by Anonymous on Thu 15th Sep 2005 18:52 UTC in reply to "RE[3]: jesus..."
Anonymous Member since:
---

"While there may not be a 100% safe browser, there are browsers that are much safer than the MSHTML or Mozilla Gecko-based ones."

name one and give proof.

Reply Score: 0

RE[2]: emagius
by butters on Thu 15th Sep 2005 20:06 UTC in reply to "RE: emagius"
butters Member since:
2005-07-08

"there are browsers that are much safer than the MSHTML or Mozilla Gecko-based ones."

"name one and give proof."

links.

No js, css, or rpc features. It does display images, but it uses the standard image handling libraries (libjpeg, etc.), which are pretty mature. Fewer LOC means less chance for unknown vulnerabilities.

Hey, you asked.

I should also note that Gecko is a rendering engine, and therefore has nothing to do with this URL-parsing vulnerability.

Reply Score: 1

RE[3]: emagius
by Finalzone on Thu 15th Sep 2005 21:08 UTC in reply to "RE[2]: emagius"
Finalzone Member since:
2005-07-06

You talk about elinks, right?

Reply Score: 1

RE[2]: jesus...
by Anonymous on Thu 15th Sep 2005 13:16 UTC in reply to "RE: jesus..."
Anonymous Member since:
---

I feel for you, I really really do. Perhaps you should consider getting an extra 3 hours of sleep every night, that way you will have plenty of energy for when the incredibly tiring Firefox update rolls around. Make sure you rest your index finger too, because you will likely hyperextend it by clicking Next Next Next Next once a month.

Of course, there is the problem where half or more of your extensions break. That is what REALLY makes upgrading Firefox a pain in the ass. Of course, it probably won't happen this time, but you never can tell ...

Reply Score: 0

RE[3]: jesus...
by Anonymous on Thu 15th Sep 2005 13:35 UTC in reply to "RE[2]: jesus..."
Anonymous Member since:
---

I actually just upgraded to 1.5 and none of my extensions broke. ;)

Reply Score: 0

RE[3]: jesus...
by Sargonas on Thu 15th Sep 2005 16:47 UTC in reply to "RE[2]: jesus..."
Sargonas Member since:
2005-09-15

"Of course, there is the problem where half or more of your extensions break. That is what REALLY makes upgrading Firefox a pain in the ass. Of course, it probably won't happen this time, but you never can tell ..."

I agree, this is my one major problem with Fx. I updated to 1.5b1 and it broke compatibility with all but 4 of my 17 extensions. That was when someone clued me into:
http://users.blueprintit.co.uk/~dave/web/firefox/buildid/nightly.ht...

Reply Score: 1

RE[2]: jesus...
by VenomousGecko on Thu 15th Sep 2005 15:33 UTC in reply to "RE: jesus..."
VenomousGecko Member since:
2005-07-06

Maybe for Joe Home User it isn't a problem, but when you have 100 machines running Firefox and you are IT support, running around to all the machines to update them is kind of a pain. Soon, hopefully, we will just be able to issue an email to all and tell them to click the red arrow and have it update with a patch. Ahhhhh, to dream...

Reply Score: 1

RE[3]: jesus...
by Anonymous on Thu 15th Sep 2005 15:50 UTC in reply to "RE[2]: jesus..."
Anonymous Member since:
---

I believe that 1.5 has .diff patch support.

Reply Score: 0

RE[4]: jesus...
by Anonymous on Thu 15th Sep 2005 17:34 UTC in reply to "RE[2]: jesus..."
Anonymous Member since:
---

run around to 100 machines to install a patch?

what the hell kind of IT department are you running? Did you know that you can do it all from ONE STATION? I'm not even in IT and I know that.

Prepare to be outsourced.

Reply Score: 0

RE[5]: jesus...
by Anonymous on Thu 15th Sep 2005 17:57 UTC in reply to "RE[4]: jesus..."
Anonymous Member since:
---

"run around to 100 machines to install a patch?

what the hell kind of IT department are you running? Did you know that you can do it all from ONE STATION? I'm not even in IT and I know that.

Prepare to be outsourced."

I know how this could be easily done on Unix, but how would you go about doing this on windows?
I assume it would require some 3rd party software installed on each workstation with admin rights and some ports opening?

Reply Score: 0

RE: jesus...
by Beryllium on Thu 15th Sep 2005 13:32 UTC in reply to "jesus..."
Beryllium Member since:
2005-07-08

Yes, Firefox 1.5 will have diff-like upgrade patches.

Reply Score: 1

YAFU
by ankitmalik on Thu 15th Sep 2005 13:30 UTC
ankitmalik
Member since:
2005-07-06

Well... I do like Firefox and have been using and spreading it since last year. But these updates are really irritating.

It's become so common now to have Firefox updates round the corner that it's time we named them - YAFU - Yet Another Firefox Update.

Reply Score: 1

RE: YAFU
by Beryllium on Thu 15th Sep 2005 13:33 UTC in reply to "YAFU"
Beryllium Member since:
2005-07-08

Firefox 1.5 will implement a diff-like patch system, so you won't have to reinstall the whole darn thing.

Reply Score: 2

highlighting that not only IE ...
by Anonymous on Thu 15th Sep 2005 13:50 UTC
Not exactly secure, is it?
by Yogurth on Thu 15th Sep 2005 14:13 UTC
RE: Not exactly secure, is it?
by Anonymous on Thu 15th Sep 2005 15:49 UTC in reply to "Not exactly secure, is it?"
Anonymous Member since:
---

Well, one of the main differences between IE and Firefox is that Firefox is not integrated deeply into the core of an OS. This would mitigate the severity of any security issues coming from Firefox, to a certain degree.

Reply Score: 0

RE[2]: Not exactly secure, is it?
by sappyvcv on Thu 15th Sep 2005 18:03 UTC in reply to "RE: Not exactly secure, is it?"
sappyvcv Member since:
2005-07-06

IE doesn't have any more access to "Bad" things than Firefox does. Most users run with administrator accounts, which have almost unlimited control. So a buffer overflow that allowed arbitrary remote code execution on either browser would be just as dangerous.

Reply Score: 1

RE: Not exactly secure, is it?
by raver31 on Thu 15th Sep 2005 20:01 UTC in reply to "Not exactly secure, is it?"
raver31 Member since:
2005-07-06

You sir, are a cabbage.....
and that was a detailed analysis.

I have read somewhere that FF users are on the increase.
I have read somewhere that IE users are in decline.
I have read somewhere that Windows users are in decline.
I have read somewhere that man has not been to the moon.

just because you read something somewhere, does not make it true.

Reply Score: 1

Just give me my zip file back.
by emarkp on Thu 15th Sep 2005 15:01 UTC
emarkp
Member since:
2005-09-10

One of the things I loved about ffox and tbird is that you could download the zip, rename your old folder and unzip to the new folder and voila! Upgraded. Around 1.0 they stopped allowing that and only have installer .exe's. Give me my .zip files back!

Reply Score: 5

RE: Just give me my zip file back.
by Anonymous on Thu 15th Sep 2005 17:56 UTC in reply to "Just give me my zip file back."
Anonymous Member since:
---

I cannot ftp to mozilla.org at the moment, but as of a couple weeks ago you could get zip files from there via ftp.

Reply Score: 0

Security and Update issues
by Dark_Knight on Thu 15th Sep 2005 15:23 UTC
Dark_Knight
Member since:
2005-07-10

Security: The Mozilla team, just like any other developer, releases patches for security issues found in their software. The only real difference between, say for example, Mozilla's Firefox and Microsoft's IE is that Mozilla deals with security holes as fast as possible, whereas with Microsoft they still have several holes in IE that either are ignored or, when known, take several weeks to months for patches to be released.

Updating: Those complaining about updating Firefox are typically running Windows and, even if not, seem to forget that this is a third-party software application which is also offered for free. The Mozilla team is not forcing anyone to update Firefox. They make the update freely available for users to increase security when issues arise, just as any sensible software developer would do. These are not holes known for several months as some would claim, but instead new issues that arise due to external factors such as hackers that find new ways to trick browser security. For the Linux community, I haven't had any issues updating Firefox because I use SUSE Linux in the LAN, where the update utility, unlike Windows, is able to update third-party software such as Firefox. The good news for Windows users who don't have this functionality is that Mozilla is working on making a "check for updates" utility as part of Firefox 1.5.

Reply Score: 2

re: jesus
by Anonymous on Thu 15th Sep 2005 17:33 UTC
Anonymous
Member since:
---

Firefox 1.5 has an autoupdate feature.

1.5 is still in beta, but it's pretty nice. Personal fav: Error messages are now "friendly" and don't steal the application focus with a popup while loading in background tabs.

http://www.mozilla.org/products/firefox/releases/1.5beta1.html

Reply Score: 0

empirical evidence ...
by Anonymous on Thu 15th Sep 2005 18:39 UTC
Anonymous
Member since:
---

Well ... nobody says that there exists a perfectly secure browser. But that does not mean that just because Firefox has had bugs, it's as insecure as Internet Explorer..

Firefox http://secunia.com/product/4227/
Internet Explorer http://secunia.com/product/11/

From 03 to 05, out of only 22 advisories for Firefox, 14% are unpatched, compared to 28% out of 69 vulnerabilities unpatched for Internet Explorer during the same period.

For firefox 23% very highly critical and 0% extremely critical, compared to 29% highly critical and 14% extremely critical in Internet Explorer.

Get the Facts ... !

Reply Score: 4

ha ha
by Anonymous on Thu 15th Sep 2005 19:47 UTC
Anonymous
Member since:
---

even an Internet Explorer developer has switched to Firefox!!! :^)

http://www.scottberkun.com/blog/?p=115

found it on /.

Reply Score: 0

firefox
by Anonymous on Thu 15th Sep 2005 19:57 UTC
insecurity by
by butters on Thu 15th Sep 2005 20:00 UTC
butters
Member since:
2005-07-08

We can agree that web browsers are complex and that by their very nature, they allow remote parties to make inputs to your computer. This makes them a target for malicious agents. This is what all web browsers have in common.

But the difference between Firefox vulnerabilities and IE vulnerabilities is that the latter are found through blindly attacking the system as if it were a black box. If you get some unexpected behavior when clicking on a particularly formatted link or displaying a particularly constructed image, then explore variations until you find the pattern.

Firefox vulnerabilities are most often found through code inspection and/or automated analysis. You can write a perl script to look for candidate buffer overflow situations in any language that allows them. Or you can use more powerful tools like Uno (Uninitialized variables, Null dereferences, and buffer Overflows).

Security researchers (that's what they call hackers these days) do more harm than good when they act like this guy did. If you discover a vulnerability, you shouldn't write about it on your blog and post a proof-of-concept exploit until you give the software developers a reasonable amount of time to fix the problem. As we've seen, Mozilla was able to respond very quickly to this vulnerability, issuing a workaround within 24 hours and testing a new release within a few days. I can understand acting this way in response to developers ignoring your reported vulnerability for over a month, but this was not the case.

At the end of the day, Firefox developers should be looking for these buffer overflows. However, publicizing vulnerabilities before the developers have a chance to respond runs contrary to the advancement of computing, whether they be in open or proprietary software.

Reply Score: 0

Novell/SUSE patch
by pilotgi on Thu 15th Sep 2005 20:58 UTC
pilotgi
Member since:
2005-07-06

Novell/SUSE has already issued a patched version that disables IDN in Firefox 1.0.6. Not a real fix but it closes the vulnerability.

Reply Score: 2

Red Hat has security updates
by Rahul on Fri 16th Sep 2005 01:10 UTC
Rahul
Member since:
2005-07-06

Red Hat published security updates within 20 hours.

http://lwn.net/Articles/151218/
http://www.advogato.org/person/mjcox/

Reply Score: 1