Slashdot Mirror


Mozilla: The Good And The Bad

Rui del-Negro writes "According to this article at The Register, six security flaws in Mozilla were posted to BugTraq last weekend. They have not been added to the official Mozilla vulnerability list yet. But details can be found here, here, here and here (phew!). Finally, two other bugs were found, relating to loading GIF files (in several Linux browsers) and Mozilla's (JavaScript) implementation of onUnload ( ). Are they trying to prove they can beat Microsoft at their own game..? Or is someone just trying to win a prize?" On a brighter note, Zerbey writes "From Neil's Place here is 101 Things Mozilla can do which IE cannot. Very interesting reading and an excellent resource for convincing stubborn Internet Explorer users why they should switch. This article was also reported at Mozillazine. I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer."

36 of 541 comments

  1. Read the entire article.... by dartboard · · Score: 5, Informative

    If you read ALL the way to the end of the article you'll note that 5 of the 6 bugs are already fixed in 1.0.1 which has been out for a couple months now. I believe the sixth is already fixed in the 1.2 nightlies.

    1. Re:Read the entire article.... by tbmaddux · · Score: 4, Informative
      5 of the 6 bugs are already fixed in 1.0.1 which has been out for a couple months now. I believe the sixth is already fixed in the 1.2 nightlies.
      The same 5 of the 6 that are fixed in 1.0.1 are also fixed in 1.1. The last one is already fixed in 1.2 beta. Maybe even alpha or earlier (but why would one use those).

      I saw this mentioned on The Screensavers last night and IMO the Register article is greatly overstating the magnitude of the vulnerabilities. These are all known, patched bugs. Good to motivate people to stay up to date, but this is a lousy way to evaluate a product's security.

      Let's talk about the known, unpatched bugs in MSIE instead.

      --
      Can't you see that everyone is buying station wagons?
  2. Newsflash: Old buggy release has bugs by roybadami · · Score: 4, Informative

    However, also according to the article on The Register, most of these bugs are in Mozilla 1.0, which makes this kind of old news. Mozilla 1.0.1 was specifically advertised as a security bug-fix release, and has been out for quite some time.

  3. NTLM auth by bunratty · · Score: 5, Informative
    I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer.
    NTLM auth is bug 23679, and is scheduled for Mozilla 1.3 alpha which will be out in about one month.
    --
    What a fool believes, he sees, no wise man has the power to reason away.
    1. Re:NTLM auth by drok · · Score: 3, Informative

      NTLM auth is bug 23679, and is scheduled for Mozilla 1.3 alpha which will be out in about one month.

      Except that it was also scheduled for 1.2 alpha, then beta, then... despite 107 votes and being topembed+ it keeps slipping.

      Want to have NTLM support? Vote for it! http://bugzilla.mozilla.org/show_bug.cgi?id=23679 (Bugzilla doesn't allow slashdot.org referers anymore...)

      -Robert

    2. Re:NTLM auth by oliverthered · · Score: 3, Informative

      The code is already there, at least in the greatest part and has been for months.

      It looks like there are three problems,
      putting DES, MD4,MD5 somewhere sensible possibly using PSM
      adding NTLM
      and fixing a nasty bug where Mozilla opens too many connections.

      Until the nasty blocker is fixed there can be no NTLM.

      --
      thank God the internet isn't a human right.
    3. Re:NTLM auth by Anonymous Coward · · Score: 1, Informative

      Besides cscx's excellent point (IIS built-in directory authentication), there's another critical reason that NTLM is needed -- it's the _default_ authentication method for MS Proxy Server.

      Sure, you can change it to normal HTTP login, but 99% of admins stick with the defaults. This effectively means that most users behind an MS Proxy can not use Mozilla.

      IMO, this bug should be on the super-white-hot-critical list over at mozilla.org, but it's not.

  4. These are already fixed by nxg125 · · Score: 5, Informative
    To quote Mozillazine
    The most remarkable detail about these bugs is that most of them are already fixed. In fact, only one of the flaws (reported here in September) is present in the latest stable branch and trunk releases (Mozilla 1.0.1 and 1.1 respectively), while the more recent 1.2 Beta isn't vulnerable to any of them.
  5. Article is from MAY 22!! by dartboard · · Score: 1, Informative

    This article is 6 months old! Sheesh.

  6. Re:Why users "should" switch by Anonvmous+Coward · · Score: 3, Informative

    "Even if it is true you aren't likely to win. IE is firmly now a component of the Windows operating system. Removing it will cause the seas to boil and the rivers to run red with blood."

    Why do you need to remove IE to use another browser? Even if you could, why would you want to? I still need IE once in a while because some dumb-ass sites think they need to embed Quicktime movies inside their page. Never could quite get QT to work quite right in other browsers.

  7. Re:A Word on Mozilla by Entropy_ah · · Score: 5, Informative

    the Windows version is hurting
    That's strange because I've found that Mozilla is more stable and faster in Windows vs. its Linux counterpart.

    --
    my other penis is a vagina
  8. Re:A Word on Mozilla by \\ · · Score: 3, Informative

    I've been using Mozilla for OS X since I bought my PowerBook a couple months ago and have had no problems whatsoever, besides the occasional crash. Even Java works properly - still can't get games.yahoo.com to properly work on any of my Linux Mozilla installations.

  9. Re:Bug reporting? by Squarewav · · Score: 2, Informative

    Well, they may be more open about it, but IE has the advantage that when a bug/hole is fixed it takes a small download to fix it, whereas with Mozilla and 99% of other OSS progs, it takes either a complete re-download to fix it, a download of a source patch then a recompile, or possibly even fixing the source yourself (assuming you know enough about the internals of the program to fix it).

  10. Mac version of Mozilla is unusable? by Shinzaburo · · Score: 2, Informative

    ...the Mac versions are basically unusable...

    How are the Mac versions unusable? I've been using Mozilla 1.2 beta on OS X for weeks, and it's working wonderfully. Extremely stable (hasn't crashed once), reasonably fast rendering, and the best standards compliance I've seen on any browser. It would be great if the overall browsing speed were improved, but as the browser I use on a daily basis, it's certainly usable even in its current state.
  11. Mozilla rules by dolo666 · · Score: 2, Informative

    Because Mozilla is open source, it's better than any other closed source alternative. I have only three reasons why I use it:

    1. Smart Features -- not bloat-ware.

    2. Tab Surfing.

    3. No spyware or ads.

    The information exchange is one factor of why open source is better, however, consider this as well: every decision you make adds to the total inertia of a project. Therefore, when you base a product on open source, you are creating a momentum that is going to carry on through your whole project. By saying, "Yes, we will listen to our public", you are also saying that you will like your public, and your public will like you in the end.

    Microsoft has never done that. They put you on hold, put you off, ignore you and they do what they want. How long can they continue to take that stance in the face of an angry public?

    Marshall Berman said it best when he said you can't slow progress or stop it. You can only guide it. He goes on to say that anyone who tries to resist change is going to pay the price in the end. Well I can't think of any other company that has resisted change as much as Microsoft has - especially recently.

  12. Re:Most are already fixed by MAXOMENOS · · Score: 5, Informative
    In fact, as of 1.0.1, five of the six bugs are fixed. Only one of these bugs exists in 1.0.1, and it's generally regarded as the least serious. Almost every distribution is running Mozilla 1.0.1 or 1.1 by now. I know I'm running 1.1 on my box, and Ximian GNOME is using 1.0.1.

    Seriously, this isn't as big a deal as it looks, folks.

  13. 31 security vulnerabilities in IE by Futurepower(R) · · Score: 5, Informative
  14. Re:The one thing it doesn't do by IvyMike · · Score: 3, Informative

    I've never walked into a Fortune 500 company and seen Mozilla running on a PC. Never.

    Are you sure you're looking? Quite a few people at my company (it is in the Fortune 500) use it, and we're nothing special. It's not the majority of people, or even close, but certainly not zero either.

  15. Re:How about https? by Dr+Caleb · · Score: 5, Informative
    Anyone have this problem?

    With some sites, yes. If they don't support the Mozilla certificates, they won't allow https. I use Mozilla for my Banking (switched banks because they supported Mozilla) and things like Hushmail. For some things at work, I still have to use IE for sites that don't support Mozilla's certs.

    --
    "History doesn't repeat itself, but it does rhyme." Mark Twain
  16. Re:Why users "should" switch by Anonymous Coward · · Score: 1, Informative

    Just tried it with Mozilla 1.0.1 - logged in with no problems. The error message you linked to says that you have cookies and/or javascript disabled. That doesn't have anything to do with the browser you're using.

  17. Re:I can do them! by bstadil · · Score: 2, Informative
    close to pushing IE off my desktop

    FYI, if you do that you can use the MS file manager if you are stuck on a web site. Just type or cut and paste the URL (incl. the http:// bit) into the file manager and presto, it morphs into IE.

    Lately Amazon.com is getting more IE centric on their view content of books and I have to resort to this. FYI, I have complained to Amazon.com

    --
    Help fight continental drift.
  18. Re:10 Things... by jameslore · · Score: 2, Informative

    ??!!

    I've always found Moz to have *significantly* better CSS support than IE. IE doesn't even have full CSS 1 support, and supports even less of CSS 2.

    e.g. position: fixed; doesn't work in IE (and even does very odd things sometimes), and absolutely positioned elements are not sized according to their bounds (top, left, right, bottom) but by width and height (my pick for most silly IE bug)

  19. Re:How about https? -- check for mozilla-psm by zrodney · · Score: 3, Informative


    I've been using Mozilla for over a year now and for the life of me, I still can't access anything via https...

    Do you have the mozilla-psm package installed?

    The https part of Mozilla is often in a second package, maybe for export or something. If you
    only installed the rpm for Mozilla, you may still have to install the Personal Security Manager part.

    Here's what rpm on my Red Hat 7.2 based machine shows, for example:

    [root@mouser root]# rpm -qa | grep mozilla
    mozilla-1.0.1-2.7.3
    mozilla-nspr-1.0.1-2.7.3
    mozilla-psm-1.0.1-2.7.3
    mozilla-nss-1.0.1-2.7.3
    nautilus-mozilla-1.0.6-16

    So, check to see if you can install the mozilla-psm package and https should be all set.

    Here's the rpm -qi Description for mozilla-psm:
    Description :
    The mozilla-psm package provides Secure Sockets Layer (SSL) support
    for the Mozilla Web browser.

  20. Re:The 101 list is bullshit by Edgewize · · Score: 5, Informative

    While the 101 list goes a bit overboard, you're wrong to dismiss a lot of the items.

    1. Tabbed browsing is inherently slower with IE because it creates a new browser instance for each tab.

    5. The side bar is NOT just a history window. You can put virtually anything in it, including slashdot headlines or a google box.

    7-8. MSIE does NOT adjust font sizes if the CSS specifies it in pixels. Mozilla does.

    17. At least with 5.5, the "cookie manager" is nothing more than a listview of all your temporary internet files. Mozilla has a real interface with more capabilities.

    22. The average user will not set this, and will inevitably install Bonzi Buddy or some other crap because they click OK too fast. Mozilla comes secure by default.

    46. You can run Mozilla from a network share without ever launching an installer. I'd like to see you try that with MSIE 6.

    77. Yeah, assuming that you have the appropriate locale of Windows. And that you'd never want to run a version that was different from your operating system's locale settings.

    97. True. But you must admit that Mozilla's security process is more open than IE's, and that there won't be major vulnerabilities that go unpatched for months. With IE you have no such guarantee.

    101. You just can't argue with that one. The lizard is cool.

  21. JavaScript, other standards by Cardinal · · Score: 3, Informative

    He also complained about Mozilla's vaunted "standards compliance." His exact words: "Mozilla invents its own standards, and it's the only one to comply to them."

    For the most part, this is only true if your friend believes that the W3 is a subsidiary of AOL. Needless to say, it isn't, and in fact many of the standards which Mozilla follows (While IE only sorta follows) were written by groups that included representatives from Microsoft. A partial list of the (real, non-Mozilla invented) standards that Mozilla enforces can be found here.

    Isn't JavaScript "write once, run anywhere" kinda stuff?

    It'd be nice, wouldn't it.

    JavaScript is a Netscape invention, always has been. As such, Netscape did write its own standard and is the only one to comply with it. However, there IS a real standard known as ECMAScript that Moz and IE both do a reasonably good job of supporting. Unfortunately, this does not cover everything. ECMAScript can be thought of as defining the 'core' of what scripting on browsers is often used for.

    Beyond the core are the areas of scripting that make up the buzzword-compliant DHTML (Dynamic HTML, a fancy way of saying JS, CSS, and HTML)

    This is where cross-browser scripting gets hairy. The standards used for manipulating documents dynamically are collectively defined by the W3 as the DOM, or Document Object Model, which has many uses outside of HTML, but we'll stick to its HTML uses for now. Unfortunately, some of the more advanced elements of the DOM are still in a drafting phase, and as such are not ready to be used as standards. Meanwhile, browsers implement support in their own ways, lacking any sort of rules to adhere to. It's my hope that as these drafts are finalized into W3 Recommendations, that MS will include support for them as I know Mozilla will. Until then, browser detection will continue being a way of life for advanced client side scripting.

  22. Re:There is something by Rick_T · · Score: 3, Informative

    > It has much fewer bugs and still retains all the
    > functionality needed to have a decent web
    > experience.

    Let's get real here. Dillo is great to browse simple stuff like local HTML documentation, and it's good for checking on the local news sites (when it doesn't choke on them too badly), but that's about all it's good for.

    It has some sort of annoying cache bug that lets it get "stuck" (refusing to load a document whether you hit reload or not) on pages like Google's search results.

    As distributed (version 0.6.6), Dillo doesn't do any kind of authentication or SSL. It also doesn't do Javascript/Java. So it has to be *very* casual browsing. It also doesn't print.

    (I use Dillo myself for viewing local copies of web pages I make for my students. This is mainly because it's so FAST.)

    --
    -- Rick
  23. Already fixed? by Sj0 · · Score: 3, Informative

    I recall reading about this; those bugs were fixed before the bugs were reported this weekend.

    --
    It's been a long time.
  24. Re:Some questions or suggestions.... by ChristTrekker · · Score: 2, Informative

    First, yup. Pre-fetch FAQ.

    Second, XHTML 2.0 is being developed, which will radically change things. Make your suggestions known now.

    Finally, I believe that's what SVG is for. Mozilla has some support for SVG, but it's not enabled in regular builds, IIRC.

    Andreessen adding the IMG tag was a big mistake, and a very bad implementation of embedding media. The OBJECT tag is what we should have had all along.

  25. Re:Here's two by Yunzil · · Score: 4, Informative

    2) View source opens notepad. I want to be able to edit, save (without it downloading the damn thing again!), and whatever.

    File --> Edit Page

  26. Entering HTML in a form by Cardinal · · Score: 2, Informative

    What you're looking for is over here.

    Of course, it's a proprietary solution. A much better option is to implement a similar editing tool in JS/DOM that works in both Moz and IE6+ (Maybe Opera 7 if it actually includes some respectable DOM support)

  27. Re:Most are already fixed by arkanes · · Score: 3, Informative

    Both up2date and apt provide transparent updates for this kind of thing. up2date run from the command line is significantly slicker than Windows Update, and about the same when run from the GUI. apt walks all over both of them for ease of use.

  28. Re:I can do them! by SomeOtherGuy · · Score: 3, Informative

    I don't know about easier install. Installing a new version of IE always requires me to reboot. When I install a new (binary) version of Mozilla it usually is just an unzip or untar and then running the executable.

    Maybe things are different on the Mac.

    --
    (+1 Funny) only if I laugh out loud.
  29. Re:Why do you want Mozilla to have NTLM support? by DigitalCH · · Score: 2, Informative

    If you want Mozilla to be usable by corporations you got to support NTLM.

    I have worked for numerous corporations that have hundreds if not thousands of applications written using NTLM. They can't recode these applications (cost and time issues) and we shouldn't expect them to. Instead we should make the browser support what is out there.

    In fact I remember a meeting where someone brought up the fact that the html design of an application wasn't compliant with Open Source browsers. One of the people in the meeting made a comment that it was a moot point because open source browsers were unusable because they couldn't support NTLM so there was no point in worrying about it till they did.

    Something to think about.

  30. Re:Bug reporting? by Anonymous Coward · · Score: 3, Informative

    user_pref("capability.policy.default.Window.onunload", "noAccess");

    I love the fact that security bugs are made public. I can decide whether to implement a workaround, disable a functionality, switch to an alternative, or wait a few days for the binaries to come out for my distro.
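As an added example (not code from the thread or from Mozilla), here is a small Python checker that parses the user_pref() lines of a Mozilla prefs.js and reports whether the onunload capability-policy workaround from the comment above is in place; the prefs.js fragments it runs on are constructed for the demonstration.

```python
# Added example: audit a Mozilla prefs.js for the Window.onunload
# capability-policy workaround ("noAccess" denies scripts access to it).
import re
from typing import Dict

# A prefs.js entry looks like:  user_pref("name", value);
# The value is a JS literal: a quoted string, true/false, or an integer.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

WORKAROUND_PREF = "capability.policy.default.Window.onunload"


def parse_prefs(text: str) -> Dict[str, str]:
    """Map pref name -> raw value literal; comments and blank lines are skipped."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs


def unquote(value: str) -> str:
    """Strip the surrounding double quotes from a JS string literal."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def onunload_blocked(prefs: Dict[str, str]) -> bool:
    """True when the default policy denies script access to window.onunload."""
    return unquote(prefs.get(WORKAROUND_PREF, "")) == "noAccess"


def audit(text: str) -> str:
    """Human-readable verdict for one prefs.js file's contents."""
    if onunload_blocked(parse_prefs(text)):
        return "onunload workaround present"
    return 'onunload workaround missing; add: user_pref("%s", "noAccess");' % WORKAROUND_PREF


# Constructed sample prefs.js contents (not taken from any real profile).
SAMPLE_WITH_WORKAROUND = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.mozilla.org/");
user_pref("capability.policy.default.Window.onunload", "noAccess");
user_pref("javascript.enabled", true);
"""

SAMPLE_WITHOUT_WORKAROUND = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.mozilla.org/");
user_pref("javascript.enabled", true);
"""

if __name__ == "__main__":
    print(audit(SAMPLE_WITH_WORKAROUND))
    print(audit(SAMPLE_WITHOUT_WORKAROUND))
```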

  31. Re:Why users "should" switch by loco123 · · Score: 2, Informative

    2. More control over text zooming
    Can zoom text to any size. IE only supports five sizes and has no shortcut keys that I could determine.


    CTRL+MouseWheel
    ...if one can call that a shortcut key.

  32. Re:Why users "should" switch by swv3752 · · Score: 3, Informative

    More effective to compare IE in Wine. Check memory usage of Notepad in Wine and subtract it from IE in Wine. This gives a decent ballpark for memory usage of IE. Loaded both IE and Mozilla with the homepage set to MSN.com then loaded Slashdot. Mozilla 1.0 used about 22MB and IE 5.5 after subtracting Notepad memory used 29MB. You can try this yourself. I was using a dual boot with Win98 and Wine used its internal DLLs.

    --
    Just a Tuna in the Sea of Life