Most of the attention this week has gone to Microsoft and its emergency fix for a severe zero-day hole in Internet Explorer, but Microsoft wasn’t the only vendor hastily patching its browser. Both Mozilla and Opera had to push out quick updates to close several security flaws in theirs.
The patches rushed out by Mozilla fix several severe security holes in Firefox 2.x and 3.x. According to Mozilla, these holes allowed attackers to run malicious code and install software on your machine without any user interaction. In addition, Firefox 2.0.0.19 will be the last release in the Firefox 2.x series, so Mozilla urges everyone to update to 3.x; the foundation’s phishing protection service is no longer available to Firefox 2.x users.
Opera also announced an update to its browser that fixes seven severe security holes affecting all platforms. “The update fixes seven security bugs, some of which were previously known. Version 9.63 of the browser addresses separate code injection risks stemming from flaws in HTML parsing and text inputting, respectively. A critical bug with similar arbitrary code injection risks involving the handling of long host names in files has also been patched. The latest version of the software also lances a cross-site scripting flaw, involving XSLT templates, as well as bugs in feed preview.”
Most of the attention went to Microsoft, however, which released a patch for a zero-day vulnerability in Internet Explorer 7 and earlier versions. “The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” The update is being pushed via Windows Update.
So, whatever browser you’re running, chances are you’re going to need to update this week. Enjoy.
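The practical question the article leaves to the reader is "is the version I have installed one of the fixed ones?". The script below is an added example, not code from the article or from any of the vendors, that answers it for the fixed releases named on this page (Firefox 3.0.5 and 2.0.0.19, Opera 9.63). Internet Explorer is deliberately left out: MS08-078 arrives through Windows Update rather than as a new browser version, so a version string alone cannot tell you whether it has been applied. The inventory at the bottom is constructed for illustration, not taken from real hosts.

```python
"""Flag browser installs that predate the fixed releases named on this page.

Added example; the fixed-version table is assumed from the article text
(Firefox 3.0.5 and 2.0.0.19, Opera 9.63), not taken from a vendor feed.
"""
from typing import List, Tuple

# Lowest version on each supported branch that carries the fixes.
# Key = (browser, version prefix identifying the branch).  An empty prefix
# means a single supported line with no branch split.
FIXED_VERSIONS = {
    ("firefox", (3,)): "3.0.5",
    ("firefox", (2,)): "2.0.0.19",
    ("opera", ()): "9.63",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.0.4' or '2.0.0.19' into (3, 0, 4) / (2, 0, 0, 19).

    Comparing tuples of ints avoids the classic string-compare bug where
    '2.0.0.9' sorts after '2.0.0.19'.  A non-numeric suffix such as the
    'b2' in '3.1b2' is dropped from that component.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def needs_update(browser: str, version: str) -> Tuple[bool, str]:
    """Return (needs_update, reason) for one installed browser.

    A version on a branch with no fixed release (e.g. Firefox 1.5) is
    reported as needing an update: there is nothing to patch to on that
    branch, so the only remedy is moving to a supported branch.  Browsers
    not in the table are flagged too, so the caller treats them as unknown
    rather than silently passing them.
    """
    browser = browser.lower()
    installed = parse_version(version)
    candidates = [
        (prefix, fixed)
        for (name, prefix), fixed in FIXED_VERSIONS.items()
        if name == browser and installed[: len(prefix)] == prefix
    ]
    if not candidates:
        if not any(name == browser for name, _ in FIXED_VERSIONS):
            return True, f"{browser} {version}: not in the fixed-version table, treat as unknown"
        return True, f"{browser} {version}: branch has no fixed release, move to a supported branch"
    # Longest matching prefix wins if branches were ever nested.
    prefix, fixed = max(candidates, key=lambda c: len(c[0]))
    if installed < parse_version(fixed):
        return True, f"{browser} {version}: below fixed release {fixed}"
    return False, f"{browser} {version}: at or above fixed release {fixed}"


def audit(inventory: List[Tuple[str, str]]) -> List[str]:
    """Run needs_update over (browser, version) pairs; return reasons for those needing work."""
    findings = []
    for browser, version in inventory:
        flag, reason = needs_update(browser, version)
        if flag:
            findings.append(reason)
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("Firefox", "3.0.4"),     # the commenter's version below; answer is "yes, update"
        ("Firefox", "3.0.5"),
        ("Firefox", "2.0.0.18"),
        ("Firefox", "2.0.0.19"),
        ("Firefox", "1.5.0.12"),  # unsupported branch, no fixed release exists
        ("Opera", "9.62"),
        ("Opera", "9.63"),
    ]
    for line in audit(sample):
        print(line)
```

The table is the only part tied to this week's releases; the comparison logic is what matters when the next round of patches comes, in particular the branch handling (a 2.x install is not "fixed" merely because 3.0.5 exists) and the numeric comparison that a naive string check gets wrong.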
It seems that 2.0.0.19 will not be the last release for Firefox 2. Something went wrong and there will be a 2.0.0.20 (what a terrible naming scheme!) released around mid December.
Mozilla has been scheduling the 3.0.5 update for at least 40 days. They certainly didn’t rush anything!
Edited 2008-12-18 11:21 UTC
Just upgraded to Firefox 3.0.5 in Ubuntu. I’ll reboot into XP and upgrade Firefox and the other browsers.
Sorry, but what is the point of your post?
Huh?
Maybe I shouldn’t have started a new thread…
… be available on Dec. 18th from mirror sites such as http://ftp.osuosl.org
“So, whatever browser you’re running, chances are you’re going to need to update this week. Enjoy.”
Actually, I’m running Firefox 3.0.4 on OpenSUSE 11.1 – I don’t think that’s affected, or is it?
Edited 2008-12-18 11:27 UTC
…?
I mean since I’m not running it on XP is it crucial to upgrade it right away or not? On the other hand I guess I’ll notice if it shows up in online updates…
The flaws are cross-platform.
Okay, who’s the wise guy who modded Thom down for this? I’m beginning to see the wisdom of non-anonymous modding.
Yes, it is
Let’s see if there is a security update available from Lynx for my browser. Hmmm, nope. Maybe Dillo.
I use Lynx… it doesn’t support JavaScript; very hard to create exploit payloads with a markup language alone.
New with Firefox 3.0.5 is the about:rights page that does away with the EULA when you install Firefox for the first time.
This is an excellent move by Mozilla that I applaud!
I wonder why the Windows version of VLC, for example, treats the GPL as an EULA (i.e., you must agree with the license to use the software).
The General Public License is an end user license, so treating it like any other EULA is not too strange. The difference is that the GPL lists a bunch of things that users and developers may do provided they remain within the broad boundaries of the license, whereas the traditional consumer EULA is a long legal document detailing what one is not allowed to do.
Permissive versus oppressive.
An example is comparing Mandriva’s EULA to Microsoft’s:
Mandriva:
– you can do this
– you can do this
– you can do this
– thank you for trying our distribution
Microsoft:
– you can’t do this
– you can’t do this
– you can’t do this
– we can do this without warning
– we can do this without warning
– we can do this without warning
But what is the GPL EULA doing in a binary package?
I’ve never understood the tendency for Windows versions of GPL-licensed apps to use the GPL as an EULA either. OpenOffice does (or at least, did – I’ve not tried 3.0 on Windows yet) the same thing, except it forces you to scroll through the entire license before you can continue.
As far as I see it, the GPL is a distribution license, not a usage license. In fact, the GPL itself says this:
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
Surely then, the GPL only applies if you’re redistributing GPL-licensed software, whether modified or not. If I’m using a binary package, why should I have to agree to any of the provisions of the GPL? It doesn’t apply to me. I’m not required to do that on any Linux system, for example.
If you stuck the GPL as a EULA on a package that installed source code, or development libraries, then I’d understand it.
Well, the GPL-used-like-EULA-for-binaries is valid because you can redistribute the binary and its derivatives, and as such, you will have to abide by it.
“Surely then, the GPL only applies if you’re redistributing GPL-licensed software, whether modified or not.”
What’s to say that a person who is using GPL’d software will not give a copy to a friend… aka… redistribute it?
The GPL does not state that it can only be displayed in the source header. It states that the source code must be made available for download. The program licensed under the GPL may be, and usually is, distributed as a compiled and installable binary.
.deb, .rpm, .zip/.exe (for the Windows folks), .squish (not sure of the Apple package type)… those are all packaged binaries.
Now, if you prefer to only download uncompiled GPL’d software then by all means.. go get yourself the tarballs and compile it all up as you like. I’m personally happy to use the precompiled binaries and resort to tarballed source code only when required (and rarely is it required).
Yes, but WHY does VLC et al show it? It’s not shown when I install a binary package on Linux.
“Yes, but WHY does VLC et al show it? It’s not shown when I install a binary package on Linux.”
So you have something to complain about??
I’m guessing that by installing it through your linux repository, the idea that you realize you are using GPL software is assumed. I’m guessing on that one though.
Actually, I don’t know of any of the various packages that presents the GPL. The only *nix installs I’ve seen that do so are binary packages in tarballs such as the VMware Server install. Unzip the tar.gz, agree to the license, follow the install wizard; no real difference from a win32 installer except for the lack of useless GUI makeup (it is server software after all).
On the other hand, why is it such an issue that the win32 install of VLC does show the license? My personal guess that way would be because showing the license accounts for it being installed on a machine that may not include other software based on the same license.
In either case, you’d have to ask the VLC developers why they chose to present the license during the win32 install. Unless there are members of the VLC project reading the forum, you’ll get nothing more accurate than guesses.
No it isn’t. Refer to the GPL itself & the FSF for more information.
In answer to the original question, it’s because the Microsoft installer tools such as Installshield generally require an EULA to be displayed, and it’s easier to display something even if it’s not quite correct, rather than trying to change the dialog configuration in Installshield to remove the unnecessary EULA dialog.
I see the technical limitation in the windows installer requiring some sort of document to display.
In terms of not being an end user agreement.. does the end user not have to abide by the freedom to redistribute binary or source for programs they use? An end user license does not only have to be a long legal and restrictive document does it?
“I see the technical limitation in the windows installer requiring some sort of document to display. “
What limitation? When I make an installer file using either the standard Windows tools or Installshield, I just check a box not to display anything.
“In answer to the original question, it’s because the Microsoft installer tools such as Installshield generally require an EULA to be displayed”
– Vanders
Then you should talk to Vanders as to why the install packager he/she is using requires it.
Yes it is.
Being directly (and reversibly, depending on what compiler options you use) modified from GPL code, compiled code counts as a “covered work” under the GPL, and as such its use is subject to the terms of the GPL.
The IE zero day is not properly fixed, and it is not the only hole they discovered in IE; Microsoft doesn’t even admit or acknowledge that. It also affects all its browser versions on all OSes that have IE installed; many other holes are left unfixed and variants of the zero day already exist for the new patch. This is an attack by the “make money with IE holes” group of attackers.
It is misleading to compare the IE security hole to Firefox’s and Opera’s usual patching of security problems. It wrongly suggests that the security level and threat are similar in all browsers and that all encountered similar problems, because they all released updates.
http://www.mozilla.org/security/known-vulnerabilities/firefox30.htm…
http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx
Unauthorized remote access and proven trojan insertion is not the same as “a possibility of elevated privilege in some software or script”.
The Firefox flaws also allow for code execution, it literally says so on the Mozilla advisories. The fact that it’s not being exploited is something completely different, and entirely unrelated to whether or not the vulnerability is as severe as another.
You know there’s something wrong with you when you apply more spin than the organisation/product you’re defending.
But heck, I use Chrome, and I run as a limited user, so for now I’m “safe” anyway.