Slashdot Mirror


Security-Updated Versions Of Mozilla Released

petabyte writes "As mentioned in this Mozillazine article, there are new versions of the Mozilla Suite (1.7.2), Mozilla Firefox (0.9.3) and Mozilla Thunderbird (0.7.3) available. They address 4 security bugs (linked from the Mozillazine article). Unlike Firefox 0.9.2, these can't be fixed with just an XPI upgrade, so you'll have to download a new binary and install."

30 of 375 comments

  1. Does this mean that . . . by Anonymous Coward · · Score: 2, Insightful

    Due to Microsoft's previous wealth of experience in fixing security problems, can it be true that their patching process is more efficient than Mozilla's?

    Why otherwise would it be required to download an entirely new browser to fix a few problems?

    1. Re:Does this mean that . . . by scifience · · Score: 4, Insightful

      The 4MB size of the complete Mozilla browser is smaller than many of Microsoft's IE updates have been.

      So, while you may have to re-download the whole browser, the actual file size is still smaller.

    2. Re:Does this mean that . . . by NeoThermic · · Score: 3, Insightful

      At 5MB for Firefox (on Windows), it's far smaller than the average IE 'patch', which normally are around 7 MB or so.

      Also consider that this *one* new install fixes what would require from Microsoft *four* patches. (and god knows how much time between each)

      As a side note, I got 0.9.3 before /. announced it, and got a nice hefty 1500KB/s sustained over a 768bps connection. I would suggest those who want to find out about new releases before a lot of others sign up to mozilla [dash] announce [at] mozilla [dot] org

      NeoThermic

      --
      Use my link above, or to view my server, NeoThermic.com
    3. Re:Does this mean that . . . by Frizzle Fry · · Score: 2, Insightful
      The 4MB size of the complete Mozilla browser is smaller than many of Microsoft's IE updates have been.

      This becomes less true, though, when Firefox requires you to download the 4 mb browser an infinite number of times. Which seems to be what it wants, since when I start 0.9.3 it tells me that a new critical update is available and that update turns out to be... 0.9.1. (And of course, if I install that and launch it, it will tell me that a new update is available...).
      --
      I'd rather be lucky than good.
    4. Re:Does this mean that . . . by NanoGator · · Score: 4, Insightful

      "The 4MB size of the complete Mozilla browser is smaller than many of Microsoft's IE updates have been."

      Maybe version updates. However, most IE fixes are a couple of hundred K. Right now, I have a cumulative update that's 2.8 meg that fixes a small handful of things. What you're suggesting would require a 4 megabyte download just to fix a typo in the credits.

      "So, while you may have to re-download the whole browser, the actual file size is still smaller."

      This would only be true under strange scheduling circumstances. On top of that, IE updates don't require an uninstall.

      I easily prefer Firefox to IE, but this statement is misleading in a couple of different directions. Microsoft definitely has Mozilla beat when it comes to the efficiency of updates like this, whether you focus on just the size of the file or if you expand that out to the total end user experience.

      --
      "Derp de derp."
    5. Re:Does this mean that . . . by Teckla · · Score: 4, Insightful

      Maybe if you add together all the small IE updates, it totals more than 4mb at Windows Update.

      I can download and install the full Mozilla package faster than I can reboot my computer every time there's an Internet Explorer patch.

      That puts Mozilla ahead of IE, at least in my book. :)

    6. Re:Does this mean that . . . by Anonymous Coward · · Score: 2, Insightful

      I are not a programmer but I have a question. Wouldn't it be possible to use something like a "binary diff" program for updates? If not then why not?

    7. Re:Does this mean that . . . by Anonymous Coward · · Score: 1, Insightful

      Well, you DID have to wait at least a month for Mozilla to patch its browser.

  2. Grumble Grumble by (54)T-Dub · · Score: 5, Insightful

    I'm getting tired of the whole uninstall, delete, re-install, get plugins, import bookmarks, set settings, get skins (optional) routine. I wish they would hurry up and fix the installer so that I could simply update the browser and save all my stuff.

    --

    "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    1. Re:Grumble Grumble by (54)T-Dub · · Score: 5, Insightful
      While I do understand why you would want a better installer, that isn't the central point of a [insert any piece of software here].
      And now we come to the basic problem with the attitude behind Open Source development. If we ever want to get open source out of the geek world we need to be able to get this idea out of our heads. A simple installation is important. Someone should not need years of experience to install an OS smoothly. And any computer novice should be able to upgrade their software with the click of the mouse (maybe 2). I'm not saying we need to dumb it down, just put in a little bit more attention to ease of use/install/upgrade.
      --

      "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    2. Re:Grumble Grumble by Anonymous Coward · · Score: 1, Insightful

      I do something similar, but keeping plugins in /usr/local/lib/mozplugins

      But this is the one thing that makes me hesitate to recommend moz to newbies who regard CLI as some kind of scary dark art. And as distros like Mandrake become more and more 'user friendly', CLI does become an 'expert' tool. Linux is no longer an 'expert' operating system where you can just safely assume any user is comfortable on the command line.

  3. 0.9.? by asd-Strom · · Score: 2, Insightful

    If things keep going this way we end up with 0.9.55 or something. They should think about some patching systems..

    1. Re:0.9.? by Anonymous Coward · · Score: 1, Insightful

      If this were being pushed out by your average software company, Firefox would already be at 9.0 and counting.

  4. Re:Firefox by gerf · · Score: 3, Insightful

    I suggest we tell the Mozilla Foundation guys to buy some O'Reilly security titles and read up, and come back with something that's actually not buggy

    Hi, welcome to Firefox beta .93

    Anyway, do you think that FF/Moz should take the Windows route and refuse to acknowledge vulnerabilities, and simply hope they pass by with no one else noticing? Please, think a little bit before posting a comment.

  5. Mod parent up. by hot_Karls_bad_cavern · · Score: 4, Insightful

    i know it'll be an unpopular one about these parts, but: yeah, i'm with you bro. i should only have to click "Upgrade" on the Moz page to get the newest browser. Bitch and moan all you like, that's the way it should be: an icon in the corner: "upgrade now"...you can ignore if you like, you can build from source if you like, but me? Hell, just get me a new browser now....when i click. Yeah, yeah, save me all the "but, if it's just click and go and the security and the users and malware pages"...save it. Code against that, let me upgrade on the fly (restart okay...reboot not-okay) with a click. Tough to do? Hell, look about at the OS that this browser runs on (for the most part at this time): click and do for 'em eh? Not that much to ask. Give 'em a, 'no thanks, i'll do it the hard, trusted, but sure way' button. i'm not banging that in any way...hell, with some packages that's the only way i'll trust 'em. Moz is a safe bet: give us a 'click an' go to the newest version' button k? Yep.

    1. Re:Mod parent up. by (54)T-Dub · · Score: 5, Insightful

      Hear, hear. And their "handy" little update notification in the lower right corner has never worked for me. It is constantly telling me that I have to upgrade to version 0.9.1 (which I'm running). Even now it still says the same freaking thing.

      Don't get me wrong, I love Mozilla and open source. But it's those little things that developers hate coding that get to me sometimes. Don't even get me started on a Linux install.

      --

      "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
  6. Re:Firefox by Justus · · Score: 3, Insightful

    Yeah, Firefox beta, right up there next to Mozilla 1.7.2. Just keep talking about how it's all 'unfinalized, buggy beta software' and I'm sure you'll convince a lot of people to stop using Internet Explorer.

    That being said, I'm glad to see the bugs being acknowledged and fixed, even if I don't personally agree with the way some of these bugs have been handled.

  7. MAC OSX Complains by OlivierB · · Score: 4, Insightful

    While this is not a showstopper, can somebody explain to me why Firefox for mac ever since 0.7 has a problem with the Expose feature? I.e. one can see a small window attached to the main window?
    Also, why is it we cannot search the bookmarks in the sidebar without crashing the whole application?

    Small annoyances but we are getting awfully close to 1.0 and still no sign of improvement.
    Safari is catching up in terms of speed and is looking ever more appealing!

    --
    Artificial intelligence is no match for natural stupidity
  8. Re:And? by NeoThermic · · Score: 3, Insightful

    >>What the initial poster was talking about was a motherfucking update, NOT a service pack.

    Since when is a service pack not an update?

    Update:

    1. Information that updates something.

    2. The act or an instance of bringing something up to date.

    3. An updated version of something.

    Now. Please. Tell me how a Service pack doesn't count as an update?

    NeoThermic

    --
    Use my link above, or to view my server, NeoThermic.com
  9. one thing to note by dwgranth · · Score: 3, Insightful

    Yeah, i see a lot of people on this list complaining about Mozilla having so many patches... dang, at least they put them out there... also I'm sure the opensource nature of mozilla/firefox lets many eyes see the bugs... while in IE there could be millions of little goodies that could be exploited and we would never know. I'm just impressed that the coding team has fixed the bugs so quickly. Yes.. they do need to build in a better patching mechanism.. but every project has a few growing pains.

    1. Re:one thing to note by Anonymous Coward · · Score: 1, Insightful

      This is insightful? No... This is moronic.

      The exploits have all showed up on security mailing lists for a while now. There just hasn't been a response from the development team until now.

      HELLO!!! THEY AREN'T FIXING THE BUGS QUICKLY!! They are refusing to acknowledge the bugs until they find a fix. Same shit, different vendor.

  10. Re:The four vulnerabilities... by black mariah · · Score: 5, Insightful

    Are you fucking stupid? Every fucking one of those is EASILY an exploit, not of code but of the user.

    Fake certificates help in all sorts of scams. Spyware, eBay scams, whatever. "Oh, this is signed by Macromedia. It must be safe!"

    Fake extensions. We've all seen the results of simply adding a .jpg before a .exe, and how much shit does MS take for THAT one? Like it's their fault that people are fucking stupid enough to double click on 0wnyourcomputer.jpg.exe. Faked extensions are worse, because they don't even have the fucking .exe at the end.

    Lock icon spoofable. So you go to a site you THINK is secured, but it turns out it isn't. Happy funtime on your credit card!

    Not all exploits are code-based, not all exploits are related to software.

    --
    'Standards' in computing only impress those who are impressed by things like 'standards'.
  11. Re:The actual vulnerabilities by Anonymous Coward · · Score: 2, Insightful

    Major difference:
    - IE vulnerability: you hear about it on /., in other media, and a month or so later (if at all) there appears a fix.
    - Mozilla vulnerability: Mozilla foundation announces "we found a vulnerability and have a fix for it" where it is also the first time I hear about it.
    And in the rare case it is in the press before there is a bugfix, the fix will be there before the ink is dry.

    Wouter.

  12. Reality check, please. by Lexomatic · · Score: 5, Insightful
    Firefox is still pre-version 1.0 at the moment, so people should be expecting these sort of updates.

    Prior to 0.9, Firefox was only being updated every few weeks, with each release holding many fixes since the last release. I think the increase in releases has mainly been due to the fact that in the last month or so the user base of Firefox has gone up dramatically.

    I am sure this has put a lot more stress on the Firefox dev team because now people are starting to rely on their browser to be as good as IE and with whole organisations now looking at using Firefox over IE, the pressure must really be on to make sure it lives up to expectations.

    Once Firefox hits version 1.0, people will get real shitty if it has bugs and security flaws, so the more they fix during 0.9.+ the better. Until then, I am happy to keep downloading it, daily if needed.

    1. Re:Reality check, please. by Anonymous Coward · · Score: 1, Insightful

      And that applies to the non-beta Mozilla (version 1.7.2) how, exactly?

    2. Re:Reality check, please. by Anonymous Coward · · Score: 1, Insightful

      Firefox is still pre-version 1.0 at the moment, so people should be expecting these sort of updates.

      I wish people would bear that in mind when they try and switch people over from other browsers though. You can't have it both ways - either it's in beta, in which case switching people over is premature, or it's not in beta, in which case bugs like this are unacceptable.

  13. Re:Four and more by citog · · Score: 4, Insightful

    Maybe out on a limb here, but I prefer downloading a new version where security fixes are required. Security fixes need to be right, and right first time. Patching doesn't always guarantee that.

  14. Re:Four and more by Anonymous Coward · · Score: 1, Insightful

    the patching system for IE must work because MSFT keeps using the incremental patch system. It shouldn't be necessary to download a whole browser just to fix some security bugs. I'm not saying IE is a better browser, I just have to say its update system is better.

  15. Re:Mozilla 1.7.2 and Slackware 10 by MikeCapone · · Score: 2, Insightful

    Just wait until Patrick adds a Slack package of 1.7.2 to Slackware-current and get it off a mirror.

  16. Re:Auto Update by chx1975 · · Score: 3, Insightful

    a few KB? what about mshtml.dll, a 2+ Mbyte DLL... iexplore.exe is small, 'cos it's not much more than a dummy dll loader.