Domain: mozilla.org
Stories and comments across the archive that link to mozilla.org.
Comments · 17,579
-
Re:What is THIS?!
"nyah, nyah, my hands are covering my eyes so the exploit can't harm you!"
Firefox also follows the same method.
Several of the bugs are marked hidden.
https://bugzilla.mozilla.org/show_bug.cgi?id=30693 9 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30694 0 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30703 1 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30704 0 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30708 4 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30708 7 [mozilla.org] -
Re:What is THIS?!
"nyah, nyah, my hands are covering my eyes so the exploit can't harm you!"
Firefox also follows the same method.
Several of the bugs are marked hidden.
https://bugzilla.mozilla.org/show_bug.cgi?id=30693 9 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30694 0 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30703 1 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30704 0 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30708 4 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30708 7 [mozilla.org] -
Re:What is THIS?!
"nyah, nyah, my hands are covering my eyes so the exploit can't harm you!"
Firefox also follows the same method.
Several of the bugs are marked hidden.
https://bugzilla.mozilla.org/show_bug.cgi?id=30693 9 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30694 0 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30703 1 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30704 0 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30708 4 [mozilla.org]
https://bugzilla.mozilla.org/show_bug.cgi?id=30708 7 [mozilla.org] -
But this has already been patched...
Download the patch here.
-
Re:Why contaminate?Maybe I misunderstand all of this, but isn't there already a cross platform XML + ECMAScript layout language, that many of us use daily, that has been around for a few years now, and which many applications use already for the interface?
Yes, I'm talking about the interface stuff from Mozilla. XUL.XUL (pronounced "zool") is Mozilla's XML-based User interface Language that lets you build feature-rich cross platform applications that can run connected or disconnected from the Internet. These applications are easily customized with alternative text, graphics and layout so they can be readily branded or localized for various markets. Web developers already familiar with Dynamic HTML (DHTML) will learn XUL quickly and can start building applications right away.
XUL is an XML language based on W3C standard XML 1.0. Applications written in XUL are based on additional W3C standard technologies featuring HTML 4.0; Cascading Style Sheets (CSS) 1 and 2; Document Object Model (DOM) Levels 1 and 2; JavaScript 1.5, including ECMA-262 Edition 3 (ECMAscript); XML 1.0.
mozilla.org is going a step further by seeking W3C standardization for the eXtensible Binding Language (XBL) (see "Supporting Technologies", below).
If you want to write an application that runs on Windows, Linux, *BSD and Mac OS X, that utilises a common interface across all these platforms, and if you want to write it today, then use XUL.
We should all bow down to Microsoft's reinvention of the wheel. -
Re:How can you vouche for the security of this?
It really wouldn't surprise me to see IE8 (or 7.5 or whatever they call it) shipped within 6 months of the release of IE7. Knowing Mozilla, Firfox 1.5 might be done by then.
Do you have something to back this claim up, or is it just wishful thinking? The fact is that Firefox 1.5 had already two alphas and one beta released, and they are very stable, and the final release is expected by the end of the year (BTW, have you ever tried Firefox?). What are the odds to see at least IE7 being released by the end of the year? I would really love to cut half of the development time of my team by not having to work around IE bugs anymore. However it looks like IE5-6 will be around for a lot of time :(
I doubt Firefox has CSS 3.
Firefox has in fact already implemented parts of CSS3 and they come with the beta.
If they do, they're making a HUGE mistake. CSS3 is still in development, and issuing a browser based on it today will likely result in behavior that's different from the final standard, which means yet another set of hacks to support non-standard features.
You are new to open source, aren't you? It is not a problem if the final version of the standard will be (a little) different then the current one. Firefox releases are very often (Firefox had 7 stable releases in the last year, not one every 5 years like IE) and the automatic update mechanism will make the transition very smooth. Nobody will have to target old versions of Firefox for more then one month or someting.
This is what the -moz properties are for, to give more advanced functionality, but prevent it from colliding with possibly changed features in the standard. It's absolutely irresponsible for FF developers to make CSS3 features available using proposed CSS3 properties.
You made me lough. FF is irresponsible for releasing the bleeding edge of web standards while it is just OK for Microsoft not to release anything for 5 years, and leave us with a very crappy browser implementation on 90% of the desktops. Really, which approach do you think helps driving web standards further and which one is more responsible? And don't start with the "Microsoft changed, they now promote standards" bullshit because I already heard that from a lot of Microsoft fans, since 1998. They are doing it now just because they see Firefox as a big threat. As soon as they manage to deal with it, all the Microsoft-behind-standards bullshit will be over and they will go back to the thing they do best. What is this? "The same thing we do every night, Pinky. Try to take over the world!". How will they do this? By locking users and developers to Windows, .NET and now Sparkle. Some people never get it though. -
Re:How can you vouche for the security of this?
It really wouldn't surprise me to see IE8 (or 7.5 or whatever they call it) shipped within 6 months of the release of IE7. Knowing Mozilla, Firfox 1.5 might be done by then.
Do you have something to back this claim up, or is it just wishful thinking? The fact is that Firefox 1.5 had already two alphas and one beta released, and they are very stable, and the final release is expected by the end of the year (BTW, have you ever tried Firefox?). What are the odds to see at least IE7 being released by the end of the year? I would really love to cut half of the development time of my team by not having to work around IE bugs anymore. However it looks like IE5-6 will be around for a lot of time :(
I doubt Firefox has CSS 3.
Firefox has in fact already implemented parts of CSS3 and they come with the beta.
If they do, they're making a HUGE mistake. CSS3 is still in development, and issuing a browser based on it today will likely result in behavior that's different from the final standard, which means yet another set of hacks to support non-standard features.
You are new to open source, aren't you? It is not a problem if the final version of the standard will be (a little) different then the current one. Firefox releases are very often (Firefox had 7 stable releases in the last year, not one every 5 years like IE) and the automatic update mechanism will make the transition very smooth. Nobody will have to target old versions of Firefox for more then one month or someting.
This is what the -moz properties are for, to give more advanced functionality, but prevent it from colliding with possibly changed features in the standard. It's absolutely irresponsible for FF developers to make CSS3 features available using proposed CSS3 properties.
You made me lough. FF is irresponsible for releasing the bleeding edge of web standards while it is just OK for Microsoft not to release anything for 5 years, and leave us with a very crappy browser implementation on 90% of the desktops. Really, which approach do you think helps driving web standards further and which one is more responsible? And don't start with the "Microsoft changed, they now promote standards" bullshit because I already heard that from a lot of Microsoft fans, since 1998. They are doing it now just because they see Firefox as a big threat. As soon as they manage to deal with it, all the Microsoft-behind-standards bullshit will be over and they will go back to the thing they do best. What is this? "The same thing we do every night, Pinky. Try to take over the world!". How will they do this? By locking users and developers to Windows, .NET and now Sparkle. Some people never get it though. -
Re:How can you vouche for the security of this?
Come on
... you are really eating Microsoft's Blushit(TM) with a large spoon. How can they be as compliant as Firefox 2.0, 3.0 or whatever the Firefox version will be in 2008-2009, when even the Mozilla guys don't know what new features will implement then. In my opinion even trying to make IE as good as Firefox 1.5 would be a VERY ambitious goal. Firefox 1.5 is already supporting SVG, CSS 3, JavaScript 1.6. But why am I bringing you arguments that are already backed by code, when people like you simply love arguments that start like this "Microsoft announced that {name of microsoft product shiping in n>3 years} will have feature {x}, {y that they will probably not finish until revision 2 of the product} and {z that they are not even planning to do}". Well, we know how well Microsoft was at making estimates with Longhorn/Vista when it comes to time and features included. -
Re:Short and simpleHow many Critical IE vs Firefox
According to "the community", *all* IE bugs are critical. Even user-executed attachments. Even non-critical ones. Mozilla has begun publishing vuln advisories with the same "a malicious web page" verbiage that everyone berated Microsoft for in order to inflate the importance of every single IE bug. Or maybe you've forgotten the "IE Bug Of The Day" Slashdork articles back in 2003? This is not a valid argument simply because it cannot be applied equally to both browsers (anymore).
How fast where patches/new versions deployed
Aside from Mozilla simply disabling features and calling that a 'fix' (IDN comes to mind - twice), the speed with which patches are released has nothing to do with how quickly they are applied. And the 'automatic update' 'feature' of Firefox that insisted on downloading and reinstalling the entire browser all over again (and then leaving the previous entries in the Add/Remove programs applet) didn't really help. Microsoft has released patches that are then reverse engineered to create exploits - what does speed have to do with that?
How many days was the browser open to the exploit [...] Total number of days browser was exploitable - IE vs Firefox
https://bugzilla.mozilla.org/show_bug.cgi?id=6907
0 Look at the 'Last Updated' date at the top and then look at the first comment. That's three years. All the "unpatched vulnerabilities" in IE that everyone parrots to prove Microsoft sucks are like this one. You can't take MS to task after this, now can you?
I bet you will find issues in IE that are not even patched yet, turnaround for more Firefox issues however? In most cases a solution within hours a patch within days
Again, irrelevant. And Microsoft has gotten a lot better at releasing patches quickly for at least quite a few years. This is no longer a valid argument, either.
Is IE insecure? Sure. It's a bit better now, but sure. That's not the point. Before it was "OMFG FIREFOX IS TEH SUPER" - now it's "well, it doesn't suck so much". The argument about Firefox being a better browser security-wise is no longer valid. Feature wise, sure. It blows IE out of the water and then some.
-
Risk mitigation
Until we find a way to write perfect code, it would be smart to mitigate risk by providing binaries with stack smashing protection on by default:
https://bugzilla.mozilla.org/show_bug.cgi?id=27213 8 -
Re:XAML?
You are kidding, right? I just checked http://www.mozilla.org/projects/xul/xul.html, and most of the spec is either under construction, or not even there.
XUL is nothing more than an XML way to define a web browser interface. XAML is a spec for serializing UI objects into XML. This is a big difference. XAML is merely a convenient way to specify object properties and relationships, and hacking it to fit XUL would be a pretty disgusting kludge.
To make an analogy, English and Japanese are both languages for doing almost the same thing. There is even a canonical way to represent Japanese in the English alphabet. You would never suggest that Japanese should change their spelling to match English words just because they're using the English alphabet, would you?
dom -
FOSS and trademarks
Trademarks aren't new to FOSS, and I can't imagine the Linux trademark being restricted as severly as the Mozilla or AbiWord ones:
If an individual or organization is creating a Community Edition of Mozilla Firefox or Thunderbird, it must use the names "Firefox Community Edition" or "Thunderbird Community Edition" to identify this software. Mozilla Community Edition Policy
... AbiSource freely licenses the use of certain of its trademarks solely in combination with the suffix "Personal" when applied to derivative works based on an AbiSource GPL product. Thus, for example, you are free to use the mark "AbiWord Personal" in connection with derivative works that are based on "AbiWord". AbiWord Trademark Usage Guidelines(These are the only cases automatically allowed, other use requires explicit permission.)
(Unlikely IMHO) worst case scenario if "Linux" were trademarked:
Debian and Fedora are based on Linux®. "Linux" is a trademark of Linus Torvalds.
People would still call them Linux anyway, it wouldn't be the end of the world.I do think that it might make things easier to automatically allow any person, company or organisation to use the trademark prefixed by their own name for derivitive works, e.g. "Debian Mozilla", "Debian AbiWord" for Debian's versions of each. That would make things clear enough, I think.
However, for anyone who's in favour of unrestricted usage of "Linux" (or any other FOSS name), consider Sys-Con Media and their LinuxWorld magazine (Slashdot story). It's lucky that the editorial staff were willing to put their jobs on the line to do something about it.
-
Re:UI suggestion
3) creating a new tab doesn't copy the history like it does in IE. In IE, when you spawn a new window you get the history of the old window. This is really, really handy.
Try the Duplicate Tab extension.
This really should be default behaviour.
-
Re:Article
The 3. Tabs and new windows issue has been around as an enhancement since the beginning of time, 1999 at least.
The bug number is 18808
-
Re:UI suggestionSo, there's no "last tab I used" command in FF
Use the Last Tab extension.
-
Re:Firefox flaws fixable
fourth flaw: bug 123913 -> https://bugzilla.mozilla.org/show_bug.cgi?id=1239
1 3 -
Re:UI suggestion
You might also want to look at RadialContext, a radial menu that can therefore work like a gesture except it's also a menu so you can also use it for the more arcane functions (or you can use Ctrl and get the default menu back).
The problem with gestures is the lack of feedback. Radial menus are a very nice compromise IMO. It's a shame that they are so rarely used (and usually so poorly implemented).
Anyway I know I couldn't live without RadialMenu. Only drawback is that it's of course unuseable with a trackpad on a laptop... :-( -
Download Statusbar
While the download status window is adequate, I strongly agree with his suggestion to replace it with a status bar or toolbar. Fortunately, we can already obtain this functionality using an extension: Download Statusbar by Devon Jensen is truly wonderful, and while it may be a bit too configurable for the average user, those who are looking for a nice replacement to the built-in download manager.
-
Re:UI suggestion
Well, if you really want it implemented go to https://bugzilla.mozilla.org/ and put in your feature request.
-
One point where IE is still superior to FF
This is a pet peeve of mine...
When bookmarking a web page with frames, only the top frame is bookmarked, and the location of the sub-frames won't be remembered. IE does this correctly.
I don't like sites which use frames, but it's still used on a lot of sites. Example: Google groups. And I would like to be able to bookmark these pages too.
The bug in Bugzilla: Frame State Bookmarking (frameset bookmarks) (copy link and paste in new browser window, they don't allow linking from Slashdot). This bug exists since 2000... Please vote for it. -
Feature Reductus
It wouldn't be hard for a browser to support both directions, but browsers these daya are removing features if they believe the standard specification doesn't call for it.
https://bugzilla.mozilla.org/show_bug.cgi?id=30811 7
http://blogs.msdn.com/ie/archive/2005/08/29/457667 .aspx -
Re:Poor resource
Isn't the Mozilla browser now Firefox?
No. http://www.mozilla.org/products/mozilla1.x/ -
Re:Poor resource
Firefox with FlashBlock or AdBlock is your friend.
Xesdeeni -
Re:Poor resource
Firefox with FlashBlock or AdBlock is your friend.
Xesdeeni -
Re:Poor resource
Firefox with FlashBlock or AdBlock is your friend.
Xesdeeni -
Re:In other words...
The only site on the whitelist by default is addons.mozilla.org, where each extension is thoroughly checked that it works ok.
Really? Who checks them, and vouches for their safety? Where on that site does it say that everything is 'thoroughly checked'? And if they do stand behind everything on that site, why don't they sign them? There's clearly no coherent policy yet.
OK, so they don't write them, they won't sign them - fair enough. But then even the 'official workaround' XPI you could download to fix the IDN problem isn't signed. (Check for yourself: Click Here). So I hear about a security problem, but the only patch available relies on me to check the URL to make sure it's OK - and the fault is one that allows me to pretend to be another URL! Granted, the page it's linked from is HTTPS, but that's no guarantee...
Or alternatively, someone can alter the XPI (or write a new one), pretend to mirror it and offer it for download - since the real one's not signed by Mozilla, I can't prove I'm not getting the right one!
Unless extensions get signed, we'll never know where they come from - and I could find myself downloading a malicious extension from whatever.mozilla.org, and assuming I'd be OK.
I know signing isn't the be-all and end-all (there's nothing to stop someone signing a malicious app) but at least I could see it wasn't signed by a Mozilla developer!
Say what you like about Microsoft, but at least they tend to sign their Active X stuff, patch downloads, etc.
And yes, I've spoken about this before...
Mark -
Re:In other words...
The only site on the whitelist by default is addons.mozilla.org, where each extension is thoroughly checked that it works ok.
Really? Who checks them, and vouches for their safety? Where on that site does it say that everything is 'thoroughly checked'? And if they do stand behind everything on that site, why don't they sign them? There's clearly no coherent policy yet.
OK, so they don't write them, they won't sign them - fair enough. But then even the 'official workaround' XPI you could download to fix the IDN problem isn't signed. (Check for yourself: Click Here). So I hear about a security problem, but the only patch available relies on me to check the URL to make sure it's OK - and the fault is one that allows me to pretend to be another URL! Granted, the page it's linked from is HTTPS, but that's no guarantee...
Or alternatively, someone can alter the XPI (or write a new one), pretend to mirror it and offer it for download - since the real one's not signed by Mozilla, I can't prove I'm not getting the right one!
Unless extensions get signed, we'll never know where they come from - and I could find myself downloading a malicious extension from whatever.mozilla.org, and assuming I'd be OK.
I know signing isn't the be-all and end-all (there's nothing to stop someone signing a malicious app) but at least I could see it wasn't signed by a Mozilla developer!
Say what you like about Microsoft, but at least they tend to sign their Active X stuff, patch downloads, etc.
And yes, I've spoken about this before...
Mark -
Re:In other words...
The only site on the whitelist by default is addons.mozilla.org, where each extension is thoroughly checked that it works ok.
Really? Who checks them, and vouches for their safety? Where on that site does it say that everything is 'thoroughly checked'? And if they do stand behind everything on that site, why don't they sign them? There's clearly no coherent policy yet.
OK, so they don't write them, they won't sign them - fair enough. But then even the 'official workaround' XPI you could download to fix the IDN problem isn't signed. (Check for yourself: Click Here). So I hear about a security problem, but the only patch available relies on me to check the URL to make sure it's OK - and the fault is one that allows me to pretend to be another URL! Granted, the page it's linked from is HTTPS, but that's no guarantee...
Or alternatively, someone can alter the XPI (or write a new one), pretend to mirror it and offer it for download - since the real one's not signed by Mozilla, I can't prove I'm not getting the right one!
Unless extensions get signed, we'll never know where they come from - and I could find myself downloading a malicious extension from whatever.mozilla.org, and assuming I'd be OK.
I know signing isn't the be-all and end-all (there's nothing to stop someone signing a malicious app) but at least I could see it wasn't signed by a Mozilla developer!
Say what you like about Microsoft, but at least they tend to sign their Active X stuff, patch downloads, etc.
And yes, I've spoken about this before...
Mark -
But what about 281377?
Asa, it's good to see (putatively) competent posters on this topic. Please know that this is not intended as a troll. You see, one thing is a config change, but if it doesn't *actually* solve the problem then it'll just be noise in the config file.
I mean, I came across https://bugzilla.mozilla.org/show_bug.cgi?id=28137 7 that said this IDN config change isn't gonna work, and this worries me. If the publicized workaround is not effective then I think I'd be better off taking my chances on watching URLs myself, rather than having IDN 'faux disabled' (this may become effective at a later time when I'm not aware of it).
Can you say anything about these issues?
(PS. I'm still on v1.0.6 because 1.5b1 breaks my extensions.) -
Re:Done and...
You may want to read bug 307259, which is the bug filed (on 09-06).
Of course, Ferris only actually went public after the Mozilla people worked enough to determine the real cause - the report itself is incorrect ("format string vulnerability") and just had a working testcase. So not only did he not have a patch that got rejected... he didn't even initially get the cause correct. -
Re:So, reason #2 not to enable IDN
sorry forgot to add the url
http://www.mozilla.org/projects/security/tld-idn-p olicy-list.html -
Re:Here's a question...
That's great, but that problem is already solved in Mozilla (and Opera).
http://www.mozilla.org/projects/security/tld-idn-p olicy-list.html -
Re:this reminds me..."Whatever you think about ActiveX, I've never heard about an evil control that pretends to be Windows Update or Macromedia Flash."
Very very true. The problems with ActiveX all stem from uninformed users clicking yes to that XXX Toolbar popup.
I definately think it'd be a good idea for Mozilla to implement a community page for every extension any firefox browser anywhere tries to install from a remote location. Something much like the current extension directory, but inclusive of extensions not even hosted there (even any commercial extensions that may arise in the future). It could work something like this:- The browser hashes the extension code minus any fuzziness, whitespace etc (or better yet hash the bytecode) to try and ensure malicious authors don't try to scatter negative feedback.
- Offer the user a friendly details link to http://extensions.mozilla.org/?lookup=hash on the warning screen when they try to install the extension
- The user can read other peoples warnings, doubts, or happy reviews see the extension rating, how many people have installed it, etc and can then decide for themselves whether it's trustable enough to install.
- The hash links could be redirected to proper extension pages with names, descriptions and version #'s etc once the extension is well established and rated to be 'safe' by the community.
- For users too lazy to 'waste' time checking the feedback pages thoroughly, the warning dialog could show any immediate threat or trust rating and whether the code for this extension has been peer reviewed.
Problems:- Successfully identification of extensions could be tricky if a malicious author tries to dodge the system.
- The trust ratings and user comments need to be safe from poisoning and therefore moderated
-
Re:anti-ActiveX
Firefox extensions are in a combination of XML and JavaScript, so their functionality is a bit more limited.
That's not correct. Firefox extensions can include (and run) arbitrary executables. I downloaded the XPIs for all extensions hosted on addons.mozilla.org a few months ago, and a quick search of their contents shows Windows
.EXE files in firefoxview 0.31, foxamp 0.2.8, Mozilla Archive Format 0.4.3, and flashgot 0.5.7.6.What worries me is how few people realize this. I mean, the most popular extension at addons.mozilla.org is FlashGot, which lets you (italics mine):
"Download one link, selected links or all the links of a page at the maximum speed with a single click, using the most popular external download managers for Windows, Mac OS X, Linux and FreeBSD..."
They are better sandboxed than IE ActiveX controls used to be.
As indicated above, they are not sandboxed. At all.
-
Re:anti-ActiveX
Firefox extensions are in a combination of XML and JavaScript, so their functionality is a bit more limited.
That's not correct. Firefox extensions can include (and run) arbitrary executables. I downloaded the XPIs for all extensions hosted on addons.mozilla.org a few months ago, and a quick search of their contents shows Windows
.EXE files in firefoxview 0.31, foxamp 0.2.8, Mozilla Archive Format 0.4.3, and flashgot 0.5.7.6.What worries me is how few people realize this. I mean, the most popular extension at addons.mozilla.org is FlashGot, which lets you (italics mine):
"Download one link, selected links or all the links of a page at the maximum speed with a single click, using the most popular external download managers for Windows, Mac OS X, Linux and FreeBSD..."
They are better sandboxed than IE ActiveX controls used to be.
As indicated above, they are not sandboxed. At all.
-
Re:anti-ActiveX
Firefox extensions are in a combination of XML and JavaScript, so their functionality is a bit more limited.
That's not correct. Firefox extensions can include (and run) arbitrary executables. I downloaded the XPIs for all extensions hosted on addons.mozilla.org a few months ago, and a quick search of their contents shows Windows
.EXE files in firefoxview 0.31, foxamp 0.2.8, Mozilla Archive Format 0.4.3, and flashgot 0.5.7.6.What worries me is how few people realize this. I mean, the most popular extension at addons.mozilla.org is FlashGot, which lets you (italics mine):
"Download one link, selected links or all the links of a page at the maximum speed with a single click, using the most popular external download managers for Windows, Mac OS X, Linux and FreeBSD..."
They are better sandboxed than IE ActiveX controls used to be.
As indicated above, they are not sandboxed. At all.
-
Re:anti-ActiveX
Firefox extensions are in a combination of XML and JavaScript, so their functionality is a bit more limited.
That's not correct. Firefox extensions can include (and run) arbitrary executables. I downloaded the XPIs for all extensions hosted on addons.mozilla.org a few months ago, and a quick search of their contents shows Windows
.EXE files in firefoxview 0.31, foxamp 0.2.8, Mozilla Archive Format 0.4.3, and flashgot 0.5.7.6.What worries me is how few people realize this. I mean, the most popular extension at addons.mozilla.org is FlashGot, which lets you (italics mine):
"Download one link, selected links or all the links of a page at the maximum speed with a single click, using the most popular external download managers for Windows, Mac OS X, Linux and FreeBSD..."
They are better sandboxed than IE ActiveX controls used to be.
As indicated above, they are not sandboxed. At all.
-
Re:anti-ActiveX
Firefox extensions are in a combination of XML and JavaScript, so their functionality is a bit more limited.
That's not correct. Firefox extensions can include (and run) arbitrary executables. I downloaded the XPIs for all extensions hosted on addons.mozilla.org a few months ago, and a quick search of their contents shows Windows
.EXE files in firefoxview 0.31, foxamp 0.2.8, Mozilla Archive Format 0.4.3, and flashgot 0.5.7.6.What worries me is how few people realize this. I mean, the most popular extension at addons.mozilla.org is FlashGot, which lets you (italics mine):
"Download one link, selected links or all the links of a page at the maximum speed with a single click, using the most popular external download managers for Windows, Mac OS X, Linux and FreeBSD..."
They are better sandboxed than IE ActiveX controls used to be.
As indicated above, they are not sandboxed. At all.
-
Nightly builds containing a real patch
If you don't want to disable IDN, or if you want to help test the change so Mozilla can release updated versions faster, try these nightly builds:
Today's Gecko 1.8 branch nightly - Firefox 1.5 Beta 1 plus the fix for this security hole.
Today's Aviary 1.0.1 branch nightly - Firefox 1.0.6 plus the fix for this security hole. There isn't a Linux build here; I don't know why. -
More Resources
These are a few sites that I found helpful. Some are a little old but I got something out of all of them.
http://www.xulplanet.com/
http://kb.mozillazine.org/Dev_:_Extensions
http://roachfiend.com/archives/2004/12/08/how-to-c reate-firefox-extensions/
http://businesslogs.com/technology/firefox_extensi on_tutorial.php
http://www.bengoodger.com/software/mb/extensions/p ackaging/extensions.html
http://mozilla-firefox-extension-dev.blogspot.com/
http://books.mozdev.org/index.html
http://www.mozilla.org/xpfe/gettingstarted.html
Of course another good way to learn about extensions is to download a few and look at the code. That has probably been the biggest help to me once the tutorials, etc. gave me the basic idea of what is going on. -
Hot on the Heals
Would this be the heals that you're talking about?
-
Mozilla Suite, Too
For all of you dinosuars who, like me, still use and prefer mozilla suite, this applies to us also. And for all of you lazy slashdot readers who, like me, hate to track down a link in another comment, here's that link:
What Firefox and Mozilla users should know about the IDN buffer overflow security issue -
Re:actually.
Tom Ferris is the reporter of this bug
see https://bugzilla.mozilla.org/show_bug.cgi?id=30725 9 -
Disabling IDN doesn't fix IDN
Since when are instructions for removing a feature in your product a "patch"? The details simply tell you to disable IDN support in your browser. If Microsoft released a patch like this people would call foul immediately. The patch is just a stop-gap reaction to make the Firefox team appear responsive to security bugs. Fixing and - more importantly - testing severe flaws in all your customers' configurations takes a long time and the idea of the 24-hour bug fix is idealogical at best.
-
Re:actually.
That's coming in 1.5. See the release notes here.
http://www.mozilla.org/products/firefox/releases/1 .5beta1.html
Note that future updates to Firefox "may now be half a megabyte or smaller." -
Re:actually.
will the 1.5 Beta Patch be offered through the new Update System? (or will 1.5 Beta1 users have to wait for 1.5 Beta2)
bzw: if anyone wants the Bug# its https://bugzilla.mozilla.org/show_bug.cgi?id=30725 9 (copy/paste link, Bugzilla doesnt like /. links) -
Re:Expose users?
You may want to try this URL instead.
(... WTF? Told the Mozilla folks Sept 6 and went public Sept 8? I mean, I know they're cool Open Sores people, but... 2 days?) -
Mozilla plugs hole quickly, while Microsoft delays
The patch has been issued on the Mozilla site, download it at the following address: http://www.mozilla.org/security/idn.html By the way, did anyone notice "Microsoft pulls 'critical' Windows update"? Check it out: http://news.zdnet.com/2100-1009_22-5857338.html. It seems the big browser wasn't able to address its security vulnerabilities over the last month and won't be delivering its "critical" updates on its regualarly scheduled Patch Tuesday. Hmm, interesting Mozilla responds in 72 hours to its critical vulnerabilites, whereas Microsoft takes more than 30 days?
-
New Mozilla Foundation IDN Security Advisory
Mozilla Foundation has published a security advisory entitled "What Mozilla users should know about the IDN buffer overflow security issue" located at http://www.mozilla.org/security/idn.html . They say there is a small download (i.e.
.xpi package) coming in the near future which will make this IDN configuration change automatically. -
Re:Tell all your friends!
here we are in 2005 and the number one exploit across systems is still... buffer overflows.
Are you sure that's true? Looking at http://www.mozilla.org/projects/security/known-vul nerabilities.html, it looks like most security holes in Firefox are not related to low-level memory management.