The Mozilla Foundation plans to “shortly” release new versions of its Firefox and Mozilla Web browsers to address a recently disclosed serious security bug as well as several additional flaws, a representative said Wednesday.
Well, at least they’re being pretty open about the whole thing.
If the Mozilla devs fixed the other security holes that they (and plenty of hackers) have known about for over a year. http://secunia.com/
No argument there.
Can’t we have diffs or something? I’m tired of updating every month.
Can’t we have diffs or something? I’m tired of updating every month.
I feel for you, I really really do. Perhaps you should consider getting an extra 3 hours of sleep every night, that way you will have plenty of energy for when the incredibly tiring Firefox update rolls around. Make sure you rest your index finger too, because you will likely hyperextend it by clicking Next Next Next Next once a month.
🙂
Well, as the article says, there is not the perfect secure browser out there we have all been led to believe. There will also be another way through. If you travel 20 years in the future the probs we have today will be very tame compared to what they get. (Biological-software implementations brain central virus/hack anyone?)
What is really silly, despite their obvious problems, every time IE gets a prob we will happily cause a riot and bashing over it. But when Firefox gets a prob we quietly tuck it under the carpet. Even though both companies do release patches.
And no, I’m not being biased; I use neither browser.
While there may not be a 100% safe browser, there are browsers that are much safer than the MSHTML or Mozilla Gecko-based ones.
“While there may not be a 100% safe browser, there are browsers that are much safer than the MSHTML or Mozilla Gecko-based ones.”
name one and give proof.
“there are browsers that are much safer than the MSHTML or Mozilla Gecko-based ones.”
“name one and give proof.”
links.
No js, css, or rpc features. It does display images, but it uses the standard image handling libraries (libjpeg, etc.), which are pretty mature. Fewer LOC means less chance for unknown vulnerabilities.
Hey, you asked.
I should also note that Gecko is a rendering engine, and therefore has nothing to do with this URL-parsing vulnerability.
You talk about elinks, right?
I feel for you, I really really do. Perhaps you should consider getting an extra 3 hours of sleep every night, that way you will have plenty of energy for when the incredibly tiring Firefox update rolls around. Make sure you rest your index finger too, because you will likely hyperextend it by clicking Next Next Next Next once a month.
Of course, there is the problem where half or more of your extensions break. That is what REALLY makes upgrading Firefox a pain in the ass. Of course, it probably won’t happen this time, but you never can tell …
I actually just upgraded to 1.5 and none of my extensions broke.
“Of course, there is the problem where half or more of your extensions break. That is what REALLY makes upgrading Firefox a pain in the ass. Of course, it probably won’t happen this time, but you never can tell …”
I agree this is my one major problem with Fx. I updated to 1.5b1 and it broke compatibility with all but 4 of my 17 extensions. That was when someone clued me into:
http://users.blueprintit.co.uk/~dave/web/firefox/buildid/nightly.ht…
Maybe for Joe Home User it isn’t a problem, but when you have 100 machines running Firefox and you are IT support, running around to all the machines to update them is kind of a pain. Soon, hopefully, we will just be able to issue an email to all and tell them to click the red arrow and have it update with a patch. Ahhhhh to dream…
I believe that 1.5 has .diff patch support.
run around to 100 machines to install a patch?
what the hell kind of IT department are you running? Did you know that you can do it all from ONE STATION? I’m not even in IT and I know that.
Prepare to be outsourced.
“run around to 100 machines to install a patch?
what the hell kind of IT department are you running? Did you know that you can do it all from ONE STATION? I’m not even in IT and I know that.
Prepare to be outsourced.”
I know how this could be easily done on Unix, but how would you go about doing this on windows?
I assume it would require some 3rd party software installed on each workstation with admin rights and some ports opening?
Yes, Firefox 1.5 will have diff-like upgrade patches.
Well… I do like Firefox and have been using and spreading it since last year. But these updates are really irritating.
It’s become so common now to have Firefox Updates round the corner that it is time we named them – YAFU – Yet Another Firefox Update.
Firefox 1.5 will implement a diff-like patch system, so you won’t have to reinstall the whole darn thing.
.. but also mozilla browsers have serious security bugs.
While security remains one of the major reasons, why users switch to mozilla browsers, the IE defence will be focused in highlighting that mozilla and firefox are not 100% secure.
I wonder how secure actually that whole engine is? Seems it’s not far from IE. This is pretty bad for FF and entire Mozilla project, I have read somewhere that FF user numbers are already in decline. Too bad. I guess I won’t look further than Opera.
Well, one of the main differences between IE and Firefox is that Firefox is not integrated deeply into the core of an OS. This would mitigate the severity of any security issues coming from Firefox, to a certain degree.
IE doesn’t have any more access to “Bad” things than Firefox does. Most users run with administrator accounts, which have almost unlimited control. So a buffer overflow that allowed arbitrary remote code execution on either browser would be just as dangerous.
You sir, are a cabbage…..
and that was a detailed analysis.
I have read somewhere that FF users are in the increase.
I have read somewhere that IE users are in decline.
I have read somewhere that Windows users are in decline.
I have read somewhere that man has not been to the moon.
just because you read something somewhere, does not make it true.
One of the things I loved about ffox and tbird is that you could download the zip, rename your old folder and unzip to the new folder and voila! Upgraded. Around 1.0 they stopped allowing that and only have installer .exe’s. Give me my .zip files back!
I cannot ftp to mozilla.org at the moment, but as of a couple weeks ago you could get zip files from there via ftp.
Security: The Mozilla team, just like any other developer, releases patches for security issues found in their software. The only real difference between say for example Mozilla’s Firefox and Microsoft’s IE is that Mozilla deals with security holes as fast as possible whereas with Microsoft they still have several holes in IE that either are ignored or when known take several weeks to months for patches to be released.
Updating: Those complaining about updating Firefox are typically running Windows and even if not seem to forget that this is a third party software application which is also offered for free. The Mozilla team is not forcing anyone to update Firefox. They make the update freely available for users to increase security when issues arise just as any sensible software developer would do. These are not holes known for several months as some would claim but instead new issues that arise due to external factors such as hackers that find new ways to trick browser security. For the Linux community I haven’t had any issues updating Firefox because I use SUSE Linux in the LAN where the update utility, unlike Windows, is able to update third party software such as Firefox. The good news for Windows users who don’t have this functionality is that Mozilla is working on making a “check for updates” utility as part of Firefox 1.5.
Firefox 1.5 has an autoupdate feature.
1.5 is still in beta, but it’s pretty nice. Personal fav: Error messages are now “friendly” and don’t steal the application focus with a popup while loading in background tabs.
http://www.mozilla.org/products/firefox/releases/1.5beta1.html
Well … nobody says that there exists a perfectly secure browser. But that does not mean that just because Firefox has had bugs, it’s as insecure as Internet Explorer.
Firefox http://secunia.com/product/4227/
Internet Explorer http://secunia.com/product/11/
From 03 to 05, out of only 22 advisories for Firefox 14% are unpatched compared to 28% out of 69 vulnerabilities unpatched for Internet Explorer during the same period.
For firefox 23% very highly critical and 0% extremely critical, compared to 29% highly critical and 14% extremely critical in Internet Explorer.
Gets the Facts … !
even an Internet Explorer developer has switched to Firefox!!! :^)
http://www.scottberkun.com/blog/?p=115
found it on /.
firefox is not an os why the fuck is it on osnews
We can agree that web browsers are complex and that by their very nature, they allow remote parties to make inputs to your computer. This makes them a target for malicious agents. This is what all web browsers have in common.
But the difference between Firefox vulnerabilities and IE vulnerabilities is that the latter are found through blindly attacking the system as if it were a black box. If you get some unexpected behavior when clicking on a particularly formatted link or displaying a particularly constructed image, then explore variations until you find the pattern.
Firefox vulnerabilities are most often found through code inspection and/or automated analysis. You can write a perl script to look for candidate buffer overflow situations in any language that allows them. Or you can use more powerful tools like Uno (Uninitialized variables, Null dereferences, and buffer Overflows).
Security researchers (that’s what they call hackers these days) do more harm than good when they act like this guy did. If you discover a vulnerability, you shouldn’t write about it on your blog and post a proof-of-concept exploit until you give the software developers a reasonable amount of time to fix the problem. As we’ve seen, Mozilla was able to respond very quickly to this vulnerability, issuing a workaround within 24 hours and testing a new release within a few days. I can understand acting this way in response to developers ignoring your reported vulnerability for over a month, but this was not the case.
At the end of the day, Firefox developers should be looking for these buffer overflows. However, publicizing vulnerabilities before the developers have a chance to respond runs contrary to the advancement of computing, whether they be in open or proprietary software.
Novell/SUSE has already issued a patched version that disables IDN in Firefox 1.0.6. Not a real fix but it closes the vulnerability.
Red Hat published security updates within 20 hours.
http://lwn.net/Articles/151218/
http://www.advogato.org/person/mjcox/