Slashdot Mirror
Security-Updated Versions Of Mozilla Released
petabyte writes "As mentioned in this Mozillazine article, there are new versions of the Mozilla Suite (1.7.2), Mozilla Firefox (0.9.3) and Mozilla Thunderbird (0.7.3) available. They address 4 security bugs (linked from the Mozillazine article). Unlike Firefox 0.9.2, these can't be fixed with just a XPI upgrade, so you'll have to download a new binary and install."
Due to Microsofts previous wealth of experience in fixing security problems, can it be true that their patching process is more effiecient than the Mozilla's?
Why otherwise would it be required to download an entirely new browser to fix a few problems?
I'm getting tired of the whole uninstall, delete, re-install, get plugins, import bookmars, set settings, get skins (optional) routine. I wish they would hurry up and fix the installer so that I could simply update the browser and save all my stuff.
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
Any idea where to get RPM's ?
If things keep going this way we end up with 0.9.55 or seomething. They should think about some patching systems..
According to the forum, a libpng vulnerability also just happens to crash IE.
There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
I suggest we tell the Mozilla Foundation guys to buy some OReilly security titles and read up, and come back with something that's actually not buggy
Hi, welcome to Firefox beta .93
Anyway, do you think that FF/Moz should take the Windows route and refuse to acknowledge vulnerabilities, and simply hope they pass by with no one else noticing? Please, think a little bit before posting a comment.
Sorry people, it was just an urge and I feel really stupid now, so I'm sorry!
Anyway, I am really glad to see this. I work at an ISP, and deal with a lot of these ad/mal/viral-ware that gets onto IE despite our best efforts. So, we have been deploying Mozilla Fire(something) and Thunderbird programs - and PEOPLE LOVE IT!
What makes them happy - makes me very happy!
'/dev/wit' is not available.
Well I don't know about you, but the 503 errors are gone for me.
"Sockets are the standard networking API, also useful for stopping your eyes from falling onto your cheeks" zeromq.org
However, those 3 Firefox holes were fixed faster than the 1 IE hole. Mozilla releases patches as soon as they've fixed the problem. Microsoft? They wait until Wednesday night. If a problem is fixed on a Thursday, and it's something already exploited, then most people affected (the clueless windows users) are basically screwed.
ROMANES EUNT DOMUS
i know it'll be an unpopular one about these parts, but: yeah, i'm with you bro. i should only have to click "Upgrade" on the Moz page to get the newest browser. Bitch and moan all you like, that's the way it should be: an icon in the corner: "upgrade now"...you can ignore if you like, you can build from source if you like, but me? Hell, just get me a new browser now....when i click. Yeah, yeah, save me all the "but, if it's just click and go and the security and the users and malware pages"...save it. Code against that, let me upgrade on the fly (restart okay...reboot not-okay) with a click. Tough to do? Hell, look about at the OS that this browser runs on (for the most part at this time): click and do for 'em eh? Not that much to ask. Give 'em a, 'no thanks, i'll do it the hard, trusted, but sure way' button. i'm not banging that in any way...hell, with some packages that's the only way i'll trust 'em. Moz is a safe bet: give us s 'click an' go to the newest version' button k? Yep.
I might be dafter than a regular brick, but I can't see that the FireFox Release Notes mentiones what is actually new in this release?
Oh well... perhaps I'm just weird for wanting to know what's new in this sub-release.
Yeah, Firefox beta, right up there next to Mozilla 1.7.2. Just keep talking about how it's all 'unfinalized, buggy beta software' and I'm sure you'll convince a lot of people to stop using Internet Explorer.
That being said, I'm glad to see the bugs being acknowledged and fixed, even if I don't personally agree with the way some of these bugs have been handled.
Schlock Mercenary
The timestamps in the 0.9.3 release directory show that the Windows binary has been updated.
Got the supposed 0.9.3 for Windows earlier today, which didn't work. Process appeared in task list, but no window came up. Also, any place the version number appeared, it was still listed as 0.9.2. With the caveat that I don't know how those folks do their releases, I'll say that with the proper automation, that oops-i-forgot-to-increase-the-version-number snafu should never happen.
http://bugzilla.mozilla.org/buglist.cgi?bug_id=25
IE catches shit for 2 out of the 4 bugs.
libpng buffer overflow - a lot of bitching goes on around here with regards to "OH M$ EVEN HAD AN OVERFLOW IN BMP HANDLING IN IE!!!"
null (%00) in filename fakes extension (ftp, file) - Variation of this got IE in trouble...
While this is not a showstopper, can somebody explain me why Firefox for mac ever since 0.7 has a problem with Expose feature? IE one can se a small window attached to the main window?
Also, why is it we cannot search the bookmarks in the sidebar wihtout crashinf the whole application?
Small annoyances but we are getting awfully close to 1.0 and still no sign of improvement.
Safari is catching up in terms of speed and is looking ever more appealing!
Artificial intelligence is no match for natural stupidity
Last time I tried to install over an existing installation i seriously regretted it. Took me 3x as long to get everything worked out. So now I uninstall first.
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
I just installed 0.9.3, its listing inside the installer as 0.9.2 still.
Your right about automation, even InstallShield can do it!
liqbase
249004 Importing false CA certificate leading to error -8182 (pe...
# False certificates aren't really an exploit
250906 null (%00) in filename fakes extension (ftp, file)
# fake extense aren't exploits
251381 new libpng buffer overflow vulnerabilities
# okay that is an exploit
253121 lock icon and certificates spoofable with onunload docume...
# that is not an exploit either
I think they should be more like bugs. I think Mozilla is just trying to play it safe. Ironically by them "being up front" they may end up driving people away from the browser...
--Joey
>>What the initial poster was talking about was a motherfucking update, NOT a service pack.
Since when is a service pack not an update?
Update:
1. Information that updates something.
2. The act or an instance of bringing something up to date.
3. An updated version of something.
Now. Please. Tell me how a Service pack doesn't count as an update?
NeoThermic
Use my link above, or to view my server, NeoThermic.com
I downloaded the linux installer version (firefox-0.9.3-i686-linux-gtk2+xft-installer.tar.g z)ked from the Firefox page and itself seems to have a little bug:
** (firefox-installer-bin:3120): WARNING **: Invalid UTF8 string passed to pango_layout_set_text()
It winds up with an incomplete installation. However, if you just download the gzipped tarball without the installer from here and untar it over your old firefox directory you should be just fine.
Use this link instead: http://ftp.mozilla.org/pub/mozilla.org/firefox/rel eases/0.9.3/
tasks(723) drafts(105) languages(484) examples(29106)
i wonder if the people who uncovered these bugs qualified for the $500 payment or if it contributed to them being found.
looks like the mozilla binary builds for x86_64 havent been updated yet.
I use an invisible root window in my application as well. Many applictions use invisible windows, and they do not foul Exposé at all. Exposé will not show an invisible window, nor will it show an offscreen window (which is frustrating to me, as I have several tools that try to remember where windows were last displayed even on smaller monitors).
I really do not know what Mozilla is doing, but it is not that simple.
Yeah, i see a lot of people on this list complaining about Mozilla having so many patches... dang, at least they put them out there... also im sure the opensource nature of mozilla/firefox lets many eyes see the bugs... while in IE there could be millions of little goodies that could be exploited and we would never know. I'm just impressed that the coding team has fixed the bugs so quickly. Yes.. they do need to build in a better patching mechanism.. but every project has a few growing pains.
If it really is necessary to point out to you, then I'm getting sick of comments like: ...and...
"At 5MB for Firefox (on windows), its far smaller than the average IE 'patch', which normally are around 7 MB or so."
"IE catches shit for 2 out of the 4 bugs."
"Anyway, do you think that FF/Moz should take the Windows route and refuse to acknowledge vulnerabilities, and simply hope they pass by with no one else noticing? Please, think a little bit before posting a comment."
Thank you,
Xeon
Real programmers can write assembly code in any language. -- Larry Wall
Not on Gentoo, you insensitive clod!
Does the "Periodically check for updates" feature work in Firefox? It has never in the past informed me of an update, and even now when I manually check by selecting "Check Now" it currently tells me no updates are available.
The only ways I can see to accomplish a silent install are either:
- rewrite the installer so it actually does work (pain in the ass)
- or use the
.zip version and completely re-implement the install process in a batch script (even more annoying)
This is another one of those "enterprise" necessities that the developers seem not to have figured out.Well, you should browse to bugzilla.microsoft.com and enter a bug report against XP.
If you tell them about the problem they'll hurry to solve it, I'm sure...
The new Mozilla Firefox release fixes four security problems and all the other bugs that have been fixed in the aviary branch. Microsoft, on the other hand, hasn't published fixes to IE's layout engine since 2001.
That was what an update should be!
.mozilla directory. The only nit to pick was that search plugins aren't stored in userspace, but copying them over is trivial.
Upgraded from 0.9.1 to 0.9.3. Didn't have to fiddle with turning off extentions or re-downloading them and reconfiguring them this time. Continues to use the same
To-do List: Receive telemarketing call during a tornado warning. Check.
Where are the Changelog? From the website, you only know there is a new version for these three apps, but there is not description of what has been changed since the last version?
I remember that for every release there used to be a link to the Changelog with details on all the new changes since the last minor update (eg v1.6.1 to v1.6.2). Is the new site/design just too "user friendly"?
(After some browsing I did find a link to an *external* website with change details, but can't find it again now... @_@)
Codeala - Just another mindless drone
Prior to 0.9, Firefox was only being updated ever few weeks, with each release holding many fixes since the last release. I think the increase in releases has mainly been due to the fact that in the last month or so the user base of Firefox has gone up dramatically.
I am sure this has put a lot more stress on the Firefox dev team because now people are starting to rely on their browser to be as good as IE and with whole organisations now looking at using Firefox over IE, the pressure must really be on to make sure it lives up to expectations.
Once Firefox hits version 1.0, people will get real shitty if it has bugs and security flaws, so the more they fix during 0.9.+ the better. Until then, I am happy to keep downloading it, daily if needed.
On a lot of stock systems the offending line in mime.types is: .rpm extension in the wild.
audio/x-pn-realaudio-plugin rpm
and should be:
application/x-rpm rpm
I have not come across any realmedia files with the
.
One way to keep updated about Mozilla releases and developments in many different areas is by subscribing to one of the developer mailing lists:. html
... I wrote a note this morning but I imagine they are submerged.
http://www.mozilla.org/community/developer-forums
MozillaZine.org also does a good job of summarizing the development, but it's almost always 2-3 days late.
For the true cutting-edge lizard in you, there's always the feedhouse:
http://feedhouse.mozillazine.org/
And of course it has RSS feeds.
For those of you wanting to know when specific bugs have been fixed, I find the "edge" websites to be most simple to read (although not thorough):
The Rumbling Edge (for Thunderbird):
http://weblogs.mozillazine.org/rumblingedge/
The Burning Edge:
http://www.squarefree.com/burningedge/
Saddly, there is no information about the releases almost a day after they have been out on http://mozillaeurope.org/en/
Enjoy!
Notepad specialist & FAT administrator, group training available
This version broke something related to the proxy configuration. I can no longer authenticate myself at any website using saved passwords if I use my university proxy server. :(
What I find odd is that despite this release being focused on patching security vulnerabilities there's no noticable mention on the web site of the importance of this update. I leave my home page set to the FireFox page in hopes that there will be a clear message saying if there's a need to upgrade, but the page itself only says 0.9 -- and I'm fairly confident that the average user isn't going to figure out the difference from the front page (which now says 0.9.3, but how many users are aware of what version they're using?) It wasn't until I read slashdot that I was made aware of the release of this security update, and who knows if something could have happened since then?
While I don't expect a windowsupdate.com for Mozilla, being that a main criticism of users is their failure to keep software updated why don't the developers make it more clear that an update is even present?
Just tried Moz 1.7.2 and the anti-aliased fonts were gone (maybe build options?). Furthermore, I've faced some segfaults when browsing Slashdot. Reverted to Slack 10's original Moz 1.7.
My 2 cents.
I noticed 0.9.3 doesn't fix the UI Spoof using XUL mentioned a few days ago... Could this mean what I think it means....
Yes.... FireFox is your father.
The windows version listed for download at the FireFox product page is not the same as the windows version listed on the main download page.
Just a heads-up to everyone rushing to download without checking. The mozilla.org web guys might want to fix that too.
Cheers.
user@host$ diff
problems that Firefox .9.x has had with slashdot. It seems that the side menu bars randomly overlap the main page content. It really looks ugly.
Granted, I'd like to see a patcher/updater that works, but this is still sub 1.0 software.
Rename current firefox directory.
Install firefox.
Copy plugins folder to new install.
Load firefox.
That's it. Your bookmarks and settings are in your profile, NOT in the install directory.
Some plug-ins will need to be reinstalled.
The main executable for firefox is ~6MB... It would seem to me that this is not a very efficient method for updating the program. Perhaps they'll design the next version with modules that can be updated more efficiently by smaller downloads?
Anyone know why the version information for the file for 0.9.3 lists 0.9.0.0? Right click firefox.exe and then properties then version tab.
IE has an executable of a few KB (WinXP).
A few random security flaws found. Imagine if it was worth thousands of dollars to you to find and exploit these flaws so you searched and found them months ago as part of your full-time work...
I don't have to imagine it; we can see how well it works with microsoft products.
They have paid programmers so there is no exploits and flaws in their software, right?
Treehugger? Treehugger... Treehugger!
During the recent Ject issue, I looked into trying to rip out IE. I have like 120 machines to look after, I don't have the money to active directory, and I have certain limits. I'll use psexec but even so, its a long tedius job maintaining 120 machines.
:shell: made me rather glad I had'nt committed a massive workload in the name of switching to a new bugwridden, secuirty glitched browser.
Now, getting back to IE, yes, I did look at ripping it out. Not so easy on XP Pro as any user who signs in gets linked to the program in default. I could banjax the progam directory, and stop it being used that way, but if I do that, I believe I can still call windowsupdate.com via an explorer window. I presume however, that anyone using the same method uses the same cuplable browsing that impairs IE. Thus I'm not really solving the problem, just fending it off until the users get smart.
In terms of Mozilla and Firefox, sadly I have to say the security failure regarding
Today, I'm told if I had rolled Mozilla, someone's just committed me to a whole sale re-roll out just because they can't patch, they have to fix it in a new install.
I've said it before, I'll say it again, doing this to me just puts me right off even contemplating it. Next week, watch out, the next Mozilla issue will rear its ugly head.
I sadly have to put aside the OSS/MS stuff, because whatever I put out there has to work, and its not about Ideaology, I do not care about Ideaology. Mozilla is a fine effort, but the security side leaves much to be desired. One is hard pushed to claim that its a quantum leap in browser security.
AdmV
We`re all equal
Settings are stored in your profile. Not in the program directory.
AFAIK, uninstall doesn't remove your profile.
However extensions and plugins (Flash, Acrobat...) are at risk if you accept to remove the Firefox directory at uninstall end.
I previously had Mozilla Firebird 0.7 installed on Windows 2000. I've tried to migrate to Firefox befoew, but certain things (like Sessionsaver sessions and the theme) didn't work/look proper[ly].
/window sessions so that they come back up after closing and re-opening the program. It's really nice when you have 15 tabs that you have the way you like them and accidently close the window. Qute is the Firebird theme and the most popular on the themes site.
.zip files and put them where I want them, so if you install using an installer, YMMV.
For those that don't know, Sessionsaver can save tab
Previously, all of my settings for Firebird were kept in C:\Documents and Settings\%username%\Application Data\Mozilla\Phoenix\ and there was a file in \Mozilla\ called pluginreg.dat.
I have always downloaded the
Here's how I got my settings back with the Firebird theme and all of my tabs back open. There's no real haX0ring involved here, but in the case that any one wants to do this, this is what worked for me. (Gripes to follow.)
Download Firefix 0.9.3
I downloaded and unpacked the Firefox zip file for Windows (ftp://ftp.mozilla.org/pub/mozilla.org/firefox/rel eases/0.9.3/Firefox-win32-0.9.3.zip).
Load Browser, Migrate Settings
Then, I loaded the browser and it prompted me as to whether or not I wanted my old settings migrated. I did, and selected the default options. The browser loaded and my homepage and network settings were there (YES!).
Download and Install Qute
Now, I liked the way Firebird looked and the way my tabs were saved by the Sessionsaver 0.2d extension. So, I went to the Themes manager and clicked Get More Themes. I downloaded and installed Qute. Then, in the Themes manager, I selected the Qute theme and clicked the Use Theme button. It didn't show up in my browser window right away, but I figured "maybe it needs me to shutdown and restart." So, I wasn't too worried.
Download and Install Sessionsaver 0.2d
Then, I googled for "sessionsaver", and got lucky. I installed the Sessionsaver extension. In the Extensions manager, it asked me if it wanted me to install it to my user preferences folder. It suggested that this way, it wouldn't have to be reinstalled when I upgrade the browser. I know that's not true, but I said yes, anyway. I loaded up an extra tab and a window to see if it would load them back up the next time.
Restart Firefox
Much to my surprise (and excitement), Firefox didn't open back up with my test windows and tabs, but my old Firebird session!
I went through this process again (making sure to remove my \Mozilla\Firefox folder and any added files and the program folder made when I unpacked the zip file), just to make sure I wasn't crazy.
Now, for the things that annoy me:
1) The Qute theme isn't EXACTLY like it was in Firebird. The buttos are shinier or something. I may write to the designer or search around for an older version if I can, but I'm going to live with it for now.
2) The Extentions, Themes, and Downloads windows suck up tons of CPU time when I move my mouse cursor between the panes and in and out of the windows. WTF?
3) The Download manager. I personally preferred the old progress windows from Firebird. I know there's an extension to allow me to use external programs for downloads, but I really did like those little windows. At least give me the choice of using the manager or the windows. The one function of this that I do like is t
Withdrawal before climax is very ineffective and those who try this are usually called "parents."