“Mozilla is having a nightmarish security week. The company released a security-fix version of its Thunderbird email client late yesterday after updating its Firefox browser, a Firefox Google toolbar extension, and its SeaMonkey web application suite – all within the last six days. The new Thunderbird 1.5.0.12 replaces 1.5.0.10.”
Again?
Well, Security is an ongoing process…
If anybody came up with a final fix for security, I’m sure Symantec or McAfee would have them assassinated pretty soon.
That was a pretty fast patch, ~48 hours?
Hopefully the builds will trickle out today so I can update my systems.
– chrish
Here we go again…
Microsoft sucks!! open source sucks!! patched quickly!! hole shouldn’t have existed in the first place!! open source no more secure than closed source!! closed source has less eyes so less secure!! mine is bigger than yours!!
<ARGH!>
All software has bugs and problems. This bad run of luck is no different to Microsoft patch Tuesday. It’ll happen again, as will patch Tuesday.
You don’t get the point.
When Microsoft/Apple correct security holes, they suck.
BUT, when it’s open source, they do NOT suck: they are just patching security holes to make the system more secure than before…
That’s about as inaccurate a statement as “Being closed source is more secure”. It’s you who really doesn’t get the point.
@duffman:
It’s not a question of open vs closed or commercial vs free. It’s just that Microsoft has a very different way of advertising their products, they are very aggressive and sometimes fail to deliver what they promised. So people have great expectations, and when something goes wrong or a promised feature is not there they get angry, that’s simple, it’s the side effect of over-promising.
You could observe the same reactions of the public when Nintendo and Sony launched the Wii and the PS3. Those are two big (bad) corporations but people were a lot more indulgent with Nintendo because they delivered exactly what they promised at the price they promised at the time they promised. If you looked at the PS3 forums at that time, people were just angry about anything.
(edit: grammar)
Edited 2007-06-06 14:02
…not to mention that it’s so hard to stay mad at the Wii. It’s just so dang cute…
“””
Here we go again…
Microsoft sucks!! open source sucks!! patched quickly!! hole shouldn’t have existed in the first place!! open source no more secure than closed source!! closed source has less eyes so less secure!! mine is bigger than yours!!
“””
You’ve done this before! 😉
I guess we all have.
So let me put my votes in for:
1. OpenSource, in general, is more secure.
2. The holes shouldn’t have existed in the first place.
And I will add a couple of predictions:
2a. 3rd party extensions are going to be the Achilles’ Heel of Firefox and Mozilla Corp will deal with the issue by passing the blame to the 3rd parties, like MS does with drivers, etc.
2b. Mozilla Corp has worked out this scenario and already has a plan in place.
I can’t help but feel that Mozilla Corp, like Microsoft before it, recognizes the value of the PR department regarding security issues.
Edited 2007-06-06 18:07
Dup. Sorry. ISP weirdness, today.
Edited 2007-06-06 18:04
This is one of the reasons I like to use distributions which quickly put the latest software and/or patches in their repositories… some distros I installed 2 months ago or so still had Firefox 1.5.x as the default… :=|
Edited 2007-06-06 13:26
number of security flaws found in your code increases.
The same holds true for almost all the software including Linux etc.
Is anyone surprised by this btw? Maybe you are because OSS fanboys must be telling you all along how secure FF is (when it is really not).
So next time they tell you how secure Linux is…please do yourself a favor and ask them to STFU. Use software which fulfills your needs rather than giving in to propaganda spread by the OSS zealots.
Edited 2007-06-06 14:01
Just because something gets security patches now and again, it doesn’t make it wholly “insecure”.
In that vein, Windows is as secure as Linux- because they both have security flaws.
This clearly isn’t actually the case.
“As the usage increases…” so does the FUD.
I guess you just proved your point.
I’m not spreading FUD. So I didn’t prove anything. =P
You’re just not being used enough yet, then… or did I misunderstand anything?
I’m a skeptic tank. All the FUD comes in, but only gets flushed out once a month.
Use software which fulfills your needs rather than giving in to propaganda spread by the OSS zealots.
Or, use software that everyone knows is broken out of the box
I wouldn’t call OSS broken out of the box… you have to enable that functionality (or lack thereof) in a text config file first.
ha, that actually made me chuckle out loud.
I was not talking about OSS, I was of course talking about Windows…..
However, you did make a very funny point about OSS!
🙂
“””
As the usage increases
…
number of security flaws found in your code increases.
“””
CrazyDude0,
You are glossing over the very important point that here, today, in the real world, it is IE that is being targeted by real exploits, living in the wild. It does not matter why. What matters most is that it is.
I’m intentionally not addressing which browser is more secure, intrinsically. Not because I do not have an opinion on the matter, but because it is irrelevant to the point I am making.
Assuming, for the sake of argument, that FF and IE are equally insecure, on an intrinsic level… IE’s users are still in far greater danger, from a practical perspective.
And that’s a fact.
Edited 2007-06-06 18:39
.. actually been bitten by a firefox/thunderbird security issue? Ex: some nasty website/email caused havoc with your system due to a security hole.
I know that I’ve been bitten on IE in the past. Back then firefox’s market share was too low to be a target, so IE was targeted, but with firefox sitting at ~20% I would think that someone would have crafted a successful attack by now.
I’ve had a few attacks when visiting websites of an adult nature *coughs*. I believe the majority of them were down to JPEGs with malicious code built into them.
Avast AV protected me on each and every occasion though.
That you know of buddy… that you know of..
Maybe, but without going into the specifics of my setup, any security breach (short of a professional hacker manually accessing my system) would have been at least reported at some point (even if it’s just from the hardware proxy reporting on the packets sent/received).
Not quite an attack but have had the NSIS Media malware on my system which caused popups in firefox every 5 minutes or so.
There’s a number of Spyware toolbars for Firefox now, something many people saw coming a long time ago
“.. actually been bitten by a firefox/thunderbird security issue?”
Does spyware count? That was one of FF’s big promises…no more spyware which is certainly not the case. That being said it’s a small price to pay for all of FF’s other capabilities.
Nightmarish week? Wooot O_o ?
It’s just a security fix for the old branch fixing pretty much the same theoretical issues in all the variations of Gecko.
But haven’t you updated yet to 2.x? I do believe using 1.5.x equals using IE7…
Using IE 7 would more equal using Fx 1.0x at best.
At least feature-wise. I’m not so sure about security, since Fx 1.0x is no longer officially supported and computer security was never my best subject. I think the only non-security-related feature IE7 has on Fx 1.0x is Quick Tabs.
Before the flames engulf me, allow me to say that I am by no means a Fx fanboy–hell, I’m a proud Opera user.
There’s so many factual inaccuracies in this thread I don’t even know where to start :S
1) Open source is no more or less secure than closed source.
2) Firefox is more secure than IE but (according to benchmarks) less secure than some other browsers such as Opera
3) A regular patch release does look bad from a perspective that there’s holes to patch, but at least Mozilla are patching the holes. Some companies take months to get round to fixing security issues.
4) Firefox has bugger all to do with OS fanboy-ism as Firefox runs on most of the desktop OSs out there.
5) Firefox /is/ getting targeted more because of its popularity. That doesn’t make it less secure, just a bigger target – which in turn (hopefully) means people are more mindful about ensuring Firefox’s security is up to date.
6) Increased usage in software /will/ show up more security holes, but that doesn’t mean that all software is equally secure or insecure. It just means that the existing security flaws become more apparent.
Quite frankly I’m surprised at the number of comments in this thread that are way off the mark given the usual standard set on OSNews.
Edited 2007-06-06 14:52
“Quite frankly I’m surprised at the number of comments in this thread that are way off the mark given the usual standard set on OSNews.”
Can I read your OSNews? I think I get one from a different reality
Seriously. Guy’s gotta have his comment threshold on five or have some kind of amazing, never-before-seen stupidity filter. Or both.
It’s simple: using the Digg API, you diff the Digg comments with OSNews, thus filtering out all the inane, moronic, trolls
Maybe I just usually stop reading threads when they start turning into stupid flame wars or maybe I’ve just been lucky when discriminating against the threads I haven’t read – but usually I find OSNews to be quite informative.
Since when is it “nightmarish” when many security holes are found and patched?
My idea of “nightmarish” would be security holes that go unpatched for long periods of time. I don’t care how many holes are in the software I use, as long as they’re all patched before they can be exploited, which is exactly what the Mozilla team is doing.
…without any facts or figures.
Would I love a serious OSS vs Proprietary security comparison. I would love one, but this isn’t it.
Is anyone showing a serious amount, severity, time-to-patch comparison? I know these figures can be heavily massaged to interpret anything, but at least opinions can be offered.
On a side note.
http://marketshare.hitslink.com/report.aspx?qprid=6
People should be aware that the largest browser on the market today is IE6. I think what is surprising is the amount of people on Firefox 1.5 considering 2.0 is free in every sense of the word.