Slashdot Mirror

Well, MNG might have had more traction if Firefox had kept support. Even for the "light" version of MNG.
Initially the accusation was that MNG took up too much space in Firefox (entire kilobytes more!) amusing in this age of slapping in megabytes of libs for the latest camera/microphone HTML5 support.
Anyway, the MNG guys went and stripped down libmng (minimal support) so that there was no increase in resulting size.

At that point, the reason changed to concerns about security. Which, is reasonable I guess, although I'd again point to all the libs they are just slapping in.

MNG had a lot of potential. There was the JNG - can you believe that over a decade ago we had browsers with lossy images with alpha channel?

Personally I think it was the fact that the people who were most active in killing off https://bugzilla.mozilla.org/show_bug.cgi?id=18574 were those who had created APNG.
I'd be fine w/ APNG even with the less efficient animation frames if only they hadn't killed off JNG to get it :(

I can't think of a single time when I wanted the formatting from a web page to be carried into a printed document when I copied and pasted a block of text. Surely the sensible default should be to paste in plain text and pick up formatting from the destination document? At the very least this should be an optional default.

Surely this should be handled at the copy, not the paste. I know there's a Firefox extension called Copy As Plain Text. Is that what you're looking for?

FIREFOX HOLE? WARNING Re: Base64 Encoded Images

tor-talk@lists.torproject.org
SERIOUS ISSUE With Details! Re: Base64 Encoded Images: How to block them?

From: https://tails.boum.org/forum/Base64_Encoded_Images:_How_to_block_them__63__/

@comment 9 / Comment by Anonymous â" Wed 14 Nov 2012 06:23:21 AM CET

"This has been a known "trivial" bug since 2006. Looking it over, it appears that the security benefit of being able to reduce ones browser's attack surface might have been overlooked. Or perhaps we've missed something!

The best way to get something done about this would be to create a Bugzilla account and explain the necessity (don't nag - just explain the need and the impications which seem to have been missed)

The bug is 331257. While you're there you might also be interested in 255107 and 786275."

https://bugzilla.mozilla.org/show_bug.cgi?id=255107
https://bugzilla.mozilla.org/show_bug.cgi?id=331257
https://bugzilla.mozilla.org/show_bug.cgi?id=786275

#####

@comment 14:

"This excellent thread should be looked upon by the Tor and Tails developers. Has Mozilla dropped the ball on this? It appears to me to be a vicious bug which should be patched."

- Story: ::: Firefox, Opera allow crooks to hide an entire phish site in a link :::

http://www.theregister.co.uk/2012/09/03/phishing_without_hosts_peril/

"Watch out for the tinyurl that isn't | By John Leyden | Security, 11/03/2012

A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link - ideal for fooling victims into handing over passwords and other sensitive info.

Usually, so-called "phishing attacks" rely on tricking marks into visiting websites designed by criminals to masquerade as banks and online stores, thus snaffling punters' credentials and bank account details when they try to use the bogus pages. However this requires finding somewhere to host the counterfeit sites, which are often quickly taken down by hosting companies and the authorities or blocked by filters.

Instead, the malicious web pages can be stored in data URIs - uniform resource identifiers, not to be confused with URLs - which stuff the web code into a handy string that when clicked on, instructs the browser to unpack the payload and present it as a page.

It negates the need to find somewhere to secrete your malicious page, and once shortened using a service such as TinyURL, the URI can be reduced to a small URL perfect for passing around social networks, online chats and email. Crooks may need to set up a server to receive data from victims, however.

It's a technique already documented by researchers Billy Rios and Nathan McFeters - but now Henning Klevjer, an information security student at the University of Oslo in Norway, has revisited the attack method in his paper, Phishing by data URI [PDF][1].

Typically an attacker would first create a standalone web page, probably using content scraped off the legitimate site it seeks to mimic before making an encoded page and embedding it into a data URI.

URI-based attacks were previously documented by Rios and McFeters as part of an attack Microsoftâ(TM)s Internet Explorer 6 and 7. Klevjer's research expands on this basic theme and gives it a modern twist.

Googleâ(TM)s Chrome browser blocks redirection to data URIs, and other browsers have limits on the volume of data that can be packed into URIs. Klevjer created a 26KB attack page that failed to load in Internet Explorer, but worked on both Firefox and Opera.

As well as gettin

FIREFOX HOLE? WARNING Re: Base64 Encoded Images

tor-talk@lists.torproject.org
SERIOUS ISSUE With Details! Re: Base64 Encoded Images: How to block them?

From: https://tails.boum.org/forum/Base64_Encoded_Images:_How_to_block_them__63__/

@comment 9 / Comment by Anonymous â" Wed 14 Nov 2012 06:23:21 AM CET

"This has been a known "trivial" bug since 2006. Looking it over, it appears that the security benefit of being able to reduce ones browser's attack surface might have been overlooked. Or perhaps we've missed something!

The best way to get something done about this would be to create a Bugzilla account and explain the necessity (don't nag - just explain the need and the impications which seem to have been missed)

The bug is 331257. While you're there you might also be interested in 255107 and 786275."

https://bugzilla.mozilla.org/show_bug.cgi?id=255107
https://bugzilla.mozilla.org/show_bug.cgi?id=331257
https://bugzilla.mozilla.org/show_bug.cgi?id=786275

#####

@comment 14:

"This excellent thread should be looked upon by the Tor and Tails developers. Has Mozilla dropped the ball on this? It appears to me to be a vicious bug which should be patched."

- Story: ::: Firefox, Opera allow crooks to hide an entire phish site in a link :::

http://www.theregister.co.uk/2012/09/03/phishing_without_hosts_peril/

"Watch out for the tinyurl that isn't | By John Leyden | Security, 11/03/2012

A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link - ideal for fooling victims into handing over passwords and other sensitive info.

Usually, so-called "phishing attacks" rely on tricking marks into visiting websites designed by criminals to masquerade as banks and online stores, thus snaffling punters' credentials and bank account details when they try to use the bogus pages. However this requires finding somewhere to host the counterfeit sites, which are often quickly taken down by hosting companies and the authorities or blocked by filters.

Instead, the malicious web pages can be stored in data URIs - uniform resource identifiers, not to be confused with URLs - which stuff the web code into a handy string that when clicked on, instructs the browser to unpack the payload and present it as a page.

It negates the need to find somewhere to secrete your malicious page, and once shortened using a service such as TinyURL, the URI can be reduced to a small URL perfect for passing around social networks, online chats and email. Crooks may need to set up a server to receive data from victims, however.

It's a technique already documented by researchers Billy Rios and Nathan McFeters - but now Henning Klevjer, an information security student at the University of Oslo in Norway, has revisited the attack method in his paper, Phishing by data URI [PDF][1].

Typically an attacker would first create a standalone web page, probably using content scraped off the legitimate site it seeks to mimic before making an encoded page and embedding it into a data URI.

URI-based attacks were previously documented by Rios and McFeters as part of an attack Microsoftâ(TM)s Internet Explorer 6 and 7. Klevjer's research expands on this basic theme and gives it a modern twist.

Googleâ(TM)s Chrome browser blocks redirection to data URIs, and other browsers have limits on the volume of data that can be packed into URIs. Klevjer created a 26KB attack page that failed to load in Internet Explorer, but worked on both Firefox and Opera.

As well as gettin

FIREFOX HOLE? WARNING Re: Base64 Encoded Images

tor-talk@lists.torproject.org
SERIOUS ISSUE With Details! Re: Base64 Encoded Images: How to block them?

From: https://tails.boum.org/forum/Base64_Encoded_Images:_How_to_block_them__63__/

@comment 9 / Comment by Anonymous â" Wed 14 Nov 2012 06:23:21 AM CET

"This has been a known "trivial" bug since 2006. Looking it over, it appears that the security benefit of being able to reduce ones browser's attack surface might have been overlooked. Or perhaps we've missed something!

The best way to get something done about this would be to create a Bugzilla account and explain the necessity (don't nag - just explain the need and the impications which seem to have been missed)

The bug is 331257. While you're there you might also be interested in 255107 and 786275."

https://bugzilla.mozilla.org/show_bug.cgi?id=255107
https://bugzilla.mozilla.org/show_bug.cgi?id=331257
https://bugzilla.mozilla.org/show_bug.cgi?id=786275

#####

@comment 14:

"This excellent thread should be looked upon by the Tor and Tails developers. Has Mozilla dropped the ball on this? It appears to me to be a vicious bug which should be patched."

- Story: ::: Firefox, Opera allow crooks to hide an entire phish site in a link :::

http://www.theregister.co.uk/2012/09/03/phishing_without_hosts_peril/

"Watch out for the tinyurl that isn't | By John Leyden | Security, 11/03/2012

A shortcoming in browsers including Firefox and Opera allows crooks to easily hide an entire malicious web page in a clickable link - ideal for fooling victims into handing over passwords and other sensitive info.

Usually, so-called "phishing attacks" rely on tricking marks into visiting websites designed by criminals to masquerade as banks and online stores, thus snaffling punters' credentials and bank account details when they try to use the bogus pages. However this requires finding somewhere to host the counterfeit sites, which are often quickly taken down by hosting companies and the authorities or blocked by filters.

Instead, the malicious web pages can be stored in data URIs - uniform resource identifiers, not to be confused with URLs - which stuff the web code into a handy string that when clicked on, instructs the browser to unpack the payload and present it as a page.

It negates the need to find somewhere to secrete your malicious page, and once shortened using a service such as TinyURL, the URI can be reduced to a small URL perfect for passing around social networks, online chats and email. Crooks may need to set up a server to receive data from victims, however.

It's a technique already documented by researchers Billy Rios and Nathan McFeters - but now Henning Klevjer, an information security student at the University of Oslo in Norway, has revisited the attack method in his paper, Phishing by data URI [PDF][1].

Typically an attacker would first create a standalone web page, probably using content scraped off the legitimate site it seeks to mimic before making an encoded page and embedding it into a data URI.

URI-based attacks were previously documented by Rios and McFeters as part of an attack Microsoftâ(TM)s Internet Explorer 6 and 7. Klevjer's research expands on this basic theme and gives it a modern twist.

Googleâ(TM)s Chrome browser blocks redirection to data URIs, and other browsers have limits on the volume of data that can be packed into URIs. Klevjer created a 26KB attack page that failed to load in Internet Explorer, but worked on both Firefox and Opera.

As well as gettin

Integrated authentication can be done with Firefox if you backend application(s) support it:
https://developer.mozilla.org/en-US/docs/Integrated_Authentication

First hit off a quick Google search of "SPNEGO Firefox" - IBM WebSphere Application Server:
http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Ftsec_SPNEGO_config_web.html

.
Your point on group policies is valid .. with a good reason for having it to distribute the whitelists needed for integrated authentication! Of the two features, this should be the more trivial of the two to implement. No idea why they haven't done so yet.

I'd like to begin by saying good job devs! As a developer: Yay, another version to support! IE Support already requires coddling especially for the long in the tooth IE6 & 7; granted IE9 is much better but there are still rough patches with border radius and gradients are used as well as transitions, see the table at the bottom. CSS transitions would be a very welcome addition. Maybe we can create a betting pool for how long until the next incarnation?

With their current strategy what are the chances it'll be a Windows 8 requirement? I'm off to find that guy who read the bones for Obama to do a browser reading.

Based on the job Oracle does maintaining their Tech Stacks, they would destroy the kernel. Case in point, the huge security issue with Java that Oracle feels best to be fixed in February. http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html#PatchTable Just because you can, doesn't mean you should republish source code developed and collimated at considerable expense by someone else. Responsibility? http://blog.mozilla.org/security/2012/08/28/protecting-users-against-java-security-vulnerability/ ?? Wait till February. Anonymous's best friend.

They are going to need to fix this one soon then
https://bugzilla.mozilla.org/show_bug.cgi?id=738698
Click-to-play

I followed the link to Doom (and the next link, and the next link...) until I finally got to:

Harvey Anderson
Mozilla Corporation
650 Castro Street, Suite 300
Mountain View, CA 94041
Email: dmcanotice@mozilla.com
Phone Number: 650-903-0800
Fax: 650-903-0875

Re: DOOM on browser available on Mozilla website - Cease and Desist Notice - DMCA Notice of Copyright Infringement

Dear Mr. Anderson:

In accordance with Mozilla’s copyright infringement policy, this is to notify you of activity occurring on the Mozilla site listed below which infringes on the exclusive intellectual property rights of Id Software LLC, a wholly owned subsidiary of ZeniMax Media Inc. The copyrighted work at issue is Id Software’s proprietary software game DOOM® (“DOOM”). The link below offers an unauthorized derivation or version of Id Software’s DOOM game.

https://developer.mozilla.org/en-US/demos/detail/doom-on-the-web/

DOOM is a registered trademark and the game assets are copyrighted material. Use of the mark DOOM and copyrighted assets without our authorization and consent, directly violates our trademark and copyright rights in and to such intellectual property. We hereby demand the immediate removal of all such links from your website and written assurance that you will prevent any further infringement of Id Software’s intellectual property rights. I have a good faith belief that use of the copyrighted materials described above as allegedly infringing is not authorized by the copyright owner, its agent, or the law. I swear, under penalty of perjury, that the information in this notification is accurate and that I am the copyright owner or am authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

Sincerely,

Joshua Gillespie

Associate General Counsel
ZeniMax Media Inc.
1370 Piccard Dr., #120
Rockville, MD 20850
T: 301.948.2200
Email: jgillespie@zenimax.com

It's just the horrible way it was built, they are just tiffs and you can get them manually. However there are a couple of plugins that solve the problem. Firefox Addon and Chrome Addon

You can install them from Firefox by going here and here.

The ".pdf" on the end of the link didn't mark it well enough for you?

I don't usually hover over each link in a /. summary to inspect it before clicking it. Emails caught in my spam folder? Yeah, probably a good idea. Vetted (well, theoretically) links on /. I usually trust enough to just click-away.

And what browsers in common use don't easily show PDFs?

Firefox is working on it right now, but it looks like they're targeting FF18, which is currently scheduled to move to beta on Nov 19th.

I believe that Chrom{e|ium} has some support, but I haven't seen it (might not be configured on default installs).

The ".pdf" on the end of the link didn't mark it well enough for you?

I don't usually hover over each link in a /. summary to inspect it before clicking it. Emails caught in my spam folder? Yeah, probably a good idea. Vetted (well, theoretically) links on /. I usually trust enough to just click-away.

And what browsers in common use don't easily show PDFs?

Firefox is working on it right now, but it looks like they're targeting FF18, which is currently scheduled to move to beta on Nov 19th.

I believe that Chrom{e|ium} has some support, but I haven't seen it (might not be configured on default installs).

We're calculating lost downloads, now? And I thought lost sales due to piracy was a stupid metric...

If only - If only - People had another way to get a browser than to pick from a menu when they first use Windows! Some sort of, I dunno, website or something, where they could choose to go to get whatever browser they prefer.

Alas, we do not live in a perfect world.

People keep saying this, but it's not true.

Here's a post from the end of May explaining why the IE10 choice is wrong, and explaining that the consensus view of the DNT group is that it is wrong. Mozilla helped create DNT, remember.
https://blog.mozilla.org/privacy/2012/05/31/do-not-track-its-the-users-voice-that-matters/
That's about five months ago, of course.

the whole purpose of certificate chains is to prevent MITM attacks

But it can only do that if those who hold root or intermediate certificates that your application trusts can be trusted can be trusted not to issue (whether through their own choice, through trickery by the attacker or through pressure applied by the attacker) a fraudulent certificate to your attacker for the service you are connecting to.

Take a look at this list.

http://www.mozilla.org/projects/security/certs/included/

AIUI everyone on that list (and anyone they delegate to!) can generate certificates that will let them MITM your ssl browsing sessions from firefox. I'm pretty sure that most of them would provide certificates for any domain if ordered to do so by the government of the country they are based in. Some of them may even by infiltrated by criminals. Therefore if your threat model includes governments then you should not rely on SSL with the "standard" CAs. OTOH if your threat model only includes low level criminals you are probably ok.

you've always been able to go online and download the browser you prefer through Windows

Only after starting Internet Explorer.

I see that you have been misinformed. Although I do not usually go to bat for Microsoft, I am impartial since I use & develop software for all modern OSs regularly. I once thought as you did, but have had my mind changed. Allow me to correct this misconception.

After installing MS Windows XP Pro. I dumped my compiler toolchain into the system and was about to compile Firefox and Chromium when I thought: Wait a minute. There's been a way to get other browsers installed here without using MSIE all along!

I simply hit Towels+R to launch the run dialog, then entered: FTP
To my (un)Amazement the terminal based FTP client that is installed by default was actually installed by default all along! Who Would(n't) have thought!?

From there it was a simple matter of connecting to the Mozilla FTP site:
open mozilla.org
cd pub/mozilla.org/firefox/releases/
ls
cd (into a version/platform/language/)
get "Firefox Setup 16.0b6.exe"

It was truly (un)remarkable that I could actually use MS's File Transfer Protocol client to Transfer Files without using Internet Explorer at all!

I felt quite silly for wrongly believing the oft spouted drivel about there not being any way to get another browser except through MSIE
I had used the FTP client for years, but I was blinded by my own MS hating nerd rage to the possibility that existed all along.
Why, those MS haters were just newbs who couldn't even use a simple FTP program.

Shortly after downloading the Firefox binaries I had the browser fully installed without having to clone a single Git repository!

IMO, Mozilla should make their releases folders a bit simpler to navigate, maybe an alias for firefox/latest or something. It's no wonder MS includes a browser by default. It's much easier to type "firefox" into a search box and click the mouse a few times to install it -- Mozilla's site even selects the OS, Platform, and Language automatically. At first I also thought it was super silly to integrate the web browser with the file browser, but if you think about it, if you've got a browsing engine capable of displaying FTP archives, why not re-use the code for the file browser too? Isn't that "The Unix Way!"(tm) ? I mean, Konqueror does this too, neh?

P.S. I just love that every key board has a Towel key -- X11 calls this the "super" key. Towels are super!
Douglas Adams would be proud.

no, its not. Its like an alcoholic thinking they've been dry for a couple of years and so its ok to start drinking again...

Allowing Microsoft to install only IE is much the same thing - the temptation to put just one little Windows-only extension in will be too great, and next thing you know, you're using MetroUI and wondering why your head hurts.

Its bad enough that Windows 8 will come with a single browser that works in the Metro side of things (subject to the others figuring out how to fully replace it, which they currently cannot). Can you imagine web sites that only work correctly in IE10 running in Metro?

No trick. This is a browser suite aimed at power users(hence the inclusion of IRC and newsgroup support and a host of extra options), and in everyday use it does startup and run faster than Firefox. It employs the same Gecko rendering engine and incorporates modern features ( SPDY support was recently added).
I use Gmail via IMAP on the built in client, and it still takes up less memory than running Firefox and Thunderbird together. The Seamonkey devs don't fuck around with the UI as the Firefox ones keeps doing, and for nostalgia you even can theme it to look like the old Netscape Communicator (if that counts).
All popular extensions (Adblock Plus included) have Seamonkey ports.
Out of the box you get better control over tab and link behavior, disable loading 3rd party images, mouse wheel integration, Firefox user agent compatibility and several other features.

What's not to like?

https://wiki.mozilla.org/SeaMonkey:Release_History#SeaMonkey_2.3_and_beyond
Stable releases will be more frequent (6-week release schedule) but with fewer changes, eliminating the need for minor releases. The aim is to release the stable versions right around a week of the release of the equivalent Firefox and Thunderbird.

You were saying? (and for the record, 2.2 was released a year ago)

Looks like "Not yet."
https://wiki.mozilla.org/Security/Roadmap

http://www.mozilla.org/en-US/firefox/mobile/platforms/ says Firefox for Android runs on 2.2.

Firefox has apparently patched this vulnerability in version 16.0.1. In the interest of not causing Firefox users to needlessly panic and downgrade without good reason, maybe the poster should update the store to include a note about how this vulnerability has been patched.

There's an Add-On for that: https://addons.mozilla.org/en-US/firefox/addon/image-block/

I used to use https://addons.mozilla.org/en-US/firefox/addon/imglikeopera/ but it stopped working after an update.

There's an Add-On for that: https://addons.mozilla.org/en-US/firefox/addon/image-block/

I used to use https://addons.mozilla.org/en-US/firefox/addon/imglikeopera/ but it stopped working after an update.

I think you totally missed the fact that they were in such a hurry to release this new feature that they missed a major security bug. Their focus was on adding new features and not verifying that any code that was changed is still working correctly and securely. They should be embarrassed that the user community had to point out this glaring issue. Also FF16 apparently broken a number of add-ins as well. http://news.softpedia.com/news/Firefox-16-Bug-Causes-Some-Add-ons-to-Malfunction-298217.shtml

Obviously they do have functionality testing as evidenced by https://wiki.mozilla.org/Releases/Firefox_16/Test_Plan, but security testing seems to be lacking. Interesting to note btw, that FF17 is due out next month. Also interesting to flip through the test plans and see that they regularly (re)break things that were previously working.

Just taken the EFF test.

With JS enabled: 1 in 2 500 000 browsers have a similar configuration :(

With JS disabled: 1 in 70 000 :)

Thank you, NoScript ;) https://addons.mozilla.org/en-US/firefox/addon/noscript/

If you don't want to be tracked, you want to be 1 in a million, not one in 100.

I got: Your browser fingerprint appears to be unique among the 2,452,130 tested so far. Meaning if anyone sees my browser fingerprint at one place and then again at another place, they know it was the same browser.

My fingerprint showed up as unique both with and without NoScript. :(

I run the Zemana anti-logger program and it was somehow able to see that, which surprised me. With JS on, it's the huge numbers of fonts that give you away, especially if you have any kind of desk top publishing program or strange word processor installed.

Just taken the EFF test.

With JS enabled: 1 in 2 500 000 browsers have a similar configuration :(

With JS disabled: 1 in 70 000 :)

Thank you, NoScript ;) https://addons.mozilla.org/en-US/firefox/addon/noscript/

If you don't want to be tracked, you want to be 1 in a million, not one in 100.

I got: Your browser fingerprint appears to be unique among the 2,452,130 tested so far.
Meaning if anyone sees my browser fingerprint at one place and then again at another place, they know it was the same browser.

Has got you covered... some what:

https://addons.mozilla.org/en-US/firefox/addon/firegloves/
https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

Is it just me who's thought it f'in hilarious to be on a friends computer hit a website and get porn based ads & pop-ups? :)

Has got you covered... some what:

https://addons.mozilla.org/en-US/firefox/addon/firegloves/
https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

Is it just me who's thought it f'in hilarious to be on a friends computer hit a website and get porn based ads & pop-ups? :)

Has got you covered... some what:

https://addons.mozilla.org/en-US/firefox/addon/firegloves/
https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

Is it just me who's thought it f'in hilarious to be on a friends computer hit a website and get porn based ads & pop-ups? :)

The Firefox Social API doesn't allow for the sidebar or other social features to know about the content of the pages you're visiting. You can read the docs if you want to learn more. https://developer.mozilla.org/en-US/docs/Social_API

The API doesn't allow for the sidebar or other social features to know about the content of the pages you're visiting. You can read the docs if you want to learn more. https://developer.mozilla.org/en-US/docs/Social_API

This is simply inaccurate. Firefox 10 (via changes that arrived way back at Firefox 7) was dramatically better than Firefox 4-6 and Firefox 15 was a good bit better than Firefox 10, thanks to killing add-on leaks and some other minor but incremental improvements in Firefox 11, 12, 13, and 14.

Or to put it another way, Firefox 7 and Firefox 15 both made major advances in memory usage. More memory and performance optimizations hit in 16 or will in upcoming releases with Incremental Garbage Collection, IonMonkey, and then a Compacting Generational GC.

I realize that unsupported assertions based on anecdotes is the norm around here, but expect to get called when they're the opposite of the truth. For the details, read the last few months worth of posts here: https://blog.mozilla.org/nnethercote/

The 'social API' stuff sounds like utter nonsense; but plugin blocking is both a logical evolution of a previous feature(the https://www.mozilla.org/en-US/plugincheck/ link in the part of the interface for viewing plugins) and a very good idea for security.

Between Flash and Java, though not exclusive to them, browsing the internet with outdated plugins is about as safe as picking up used needles from a shooting gallery floor and injecting yourself in the hopes of scoring free heroin...

16.0.1 is now out.

https://www.mozilla.org/en-US/firefox/all.html

16.0.1 was already released. Release notes here.

Have you looked at Firefox Extended Support Release? I don't have any add-ons that haven't moved to support FF ESR 10.x.

I agree that FF ESR is the way to go.

However, ESR releases come out nearly as often as the regular releases. The good news is there are no new features, just fixes. Sometimes this means there are less security fixes in a match ESR release vs. the regular release.

Interestingly enough, while FF 16 was released with ESR 10.0.8, and FF 16 was pulled, ESR 10.0.8 is still available.

It'd be nice to know if both versions are affected. No public disclosure on the Security Advisories page.

Certainly there are pros and cons, and it’s indicated to organizations, but why not using Firefox 10 ESR(Extended Support Release) and escape pressure of the browser market? http://www.mozilla.org/en-US/firefox/organizations/all.html

Considering all the stuff "16" was supposed to have fixed, recommending a rollback over this sounds completely incompetent. And therefore expected.

Remember, these are the same geniuses that decided to start rolling the version number everytime someone fixes a typo a few months ago, and thus calling the current version (what is it really, 5.3 or so?) 16. And it isnt truly new either, take a look at this old bug for example: https://bugzilla.mozilla.org/show_bug.cgi?id=78414

Been sitting there well over 10 years now. Not one serious attempt to fix it. How many new features that no one wanted and random gui changes to confuse users have they managed to implement in that time period?

So yeah, no surprise here. Please, someone, make a browser that doesnt suck.

https://blog.mozilla.org/security/2012/10/10/security-vulnerability-in-firefox-16/

Great... How does that even happen?!

I have come to prefer Quickjava. It let's you toggle Java, Javascript, Cookies, Image Animations, Flash, Silverlight, Images, Stylesheets and Proxy quickly. If I encounter a site that is annoying I just toggle the appropriate plugin until I leave that site. The only thing it lacks is the ability to toggle per tab. If it had that it would be perfect.

It seems that they're working on it, just extremely slowly. If you open all of the bugs that those two depend on, these are the deepest roots. https://bugzilla.mozilla.org/show_bug.cgi?id=742081 https://bugzilla.mozilla.org/show_bug.cgi?id=784591 The latter was being worked with on Sunday, while the former is lagging with activity, last commented on 3 months ago. You should probably expect it to be fixed in about three years.

It seems that they're working on it, just extremely slowly. If you open all of the bugs that those two depend on, these are the deepest roots. https://bugzilla.mozilla.org/show_bug.cgi?id=742081 https://bugzilla.mozilla.org/show_bug.cgi?id=784591 The latter was being worked with on Sunday, while the former is lagging with activity, last commented on 3 months ago. You should probably expect it to be fixed in about three years.

I'm starting to think they'll never fix this.

https://bugzilla.mozilla.org/show_bug.cgi?id=660577
https://bugzilla.mozilla.org/show_bug.cgi?id=683284

I'm starting to think they'll never fix this.

https://bugzilla.mozilla.org/show_bug.cgi?id=660577
https://bugzilla.mozilla.org/show_bug.cgi?id=683284

lt IE 8

You mistyped "Mozilla Developer Network" and "W3C".

Get it from the source, fool!