Slashdot Mirror
Security-Updated Versions Of Mozilla Released
petabyte writes "As mentioned in this Mozillazine article, there are new versions of the Mozilla Suite (1.7.2), Mozilla Firefox (0.9.3) and Mozilla Thunderbird (0.7.3) available. They address 4 security bugs (linked from the Mozillazine article). Unlike Firefox 0.9.2, these can't be fixed with just a XPI upgrade, so you'll have to download a new binary and install."
I'm getting tired of the whole uninstall, delete, re-install, get plugins, import bookmars, set settings, get skins (optional) routine. I wish they would hurry up and fix the installer so that I could simply update the browser and save all my stuff.
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
The 4MB size of the complete Mozilla browser is smaller than many of Microsoft's IE updates have been.
So, while you may have to re-download the whole browser, the actual file size is still smaller.
According to the forum, a libpng vulnerability also just happens to crash IE.
There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
At 5MB for Firefox (on windows), its far smaller than the average IE 'patch', which normally are around 7 MB or so.
/. announced it, and got a nice hefty 1500KB/s sustained over a 768bps connection. I would suggest those who want to find out about new releases before a lot of others sign up to mozilla [dash] announce [at] mozilla [dot] org
Also consider that this *one* new install fixes what would require from microsoft as *four* patches. (and god know how much time between each)
As a side note, I got 0.9.3 before
NeoThermic
Use my link above, or to view my server, NeoThermic.com
I suggest we tell the Mozilla Foundation guys to buy some OReilly security titles and read up, and come back with something that's actually not buggy
Hi, welcome to Firefox beta .93
Anyway, do you think that FF/Moz should take the Windows route and refuse to acknowledge vulnerabilities, and simply hope they pass by with no one else noticing? Please, think a little bit before posting a comment.
Sorry people, it was just an urge and I feel really stupid now, so I'm sorry!
Anyway, I am really glad to see this. I work at an ISP, and deal with a lot of these ad/mal/viral-ware that gets onto IE despite our best efforts. So, we have been deploying Mozilla Fire(something) and Thunderbird programs - and PEOPLE LOVE IT!
What makes them happy - makes me very happy!
'/dev/wit' is not available.
Trying to download a 4.0 MB file after it's linked to on the front page of Slashdot is never an easy thing, dude.
If my answers frighten you, stop asking scary questions.
Well I don't know about you, but the 503 errors are gone for me.
"Sockets are the standard networking API, also useful for stopping your eyes from falling onto your cheeks" zeromq.org
i know it'll be an unpopular one about these parts, but: yeah, i'm with you bro. i should only have to click "Upgrade" on the Moz page to get the newest browser. Bitch and moan all you like, that's the way it should be: an icon in the corner: "upgrade now"...you can ignore if you like, you can build from source if you like, but me? Hell, just get me a new browser now....when i click. Yeah, yeah, save me all the "but, if it's just click and go and the security and the users and malware pages"...save it. Code against that, let me upgrade on the fly (restart okay...reboot not-okay) with a click. Tough to do? Hell, look about at the OS that this browser runs on (for the most part at this time): click and do for 'em eh? Not that much to ask. Give 'em a, 'no thanks, i'll do it the hard, trusted, but sure way' button. i'm not banging that in any way...hell, with some packages that's the only way i'll trust 'em. Moz is a safe bet: give us s 'click an' go to the newest version' button k? Yep.
I might be dafter than a regular brick, but I can't see that the FireFox Release Notes mentiones what is actually new in this release?
Oh well... perhaps I'm just weird for wanting to know what's new in this sub-release.
got a nice hefty 1500KB/s sustained over a 768bps connection
I'm impressed! How'd you get the 15,000x speedup?
[
for the math impaired:
1500KB/s = 12000Kb/s
12000Kb/s / 768bps = 15625.
]
The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
Internet Explorer 6 Service Pack 1
I quote:
Thats just *one*, and its larger than the 5MB 0.9.3 release.
NeoThermic
Use my link above, or to view my server, NeoThermic.com
Yeah, Firefox beta, right up there next to Mozilla 1.7.2. Just keep talking about how it's all 'unfinalized, buggy beta software' and I'm sure you'll convince a lot of people to stop using Internet Explorer.
That being said, I'm glad to see the bugs being acknowledged and fixed, even if I don't personally agree with the way some of these bugs have been handled.
Schlock Mercenary
The timestamps in the 0.9.3 release directory show that the Windows binary has been updated.
Got the supposed 0.9.3 for Windows earlier today, which didn't work. Process appeared in task list, but no window came up. Also, any place the version number appeared, it was still listed as 0.9.2. With the caveat that I don't know how those folks do their releases, I'll say that with the proper automation, that oops-i-forgot-to-increase-the-version-number snafu should never happen.
http://bugzilla.mozilla.org/buglist.cgi?bug_id=25
IE catches shit for 2 out of the 4 bugs.
libpng buffer overflow - a lot of bitching goes on around here with regards to "OH M$ EVEN HAD AN OVERFLOW IN BMP HANDLING IN IE!!!"
null (%00) in filename fakes extension (ftp, file) - Variation of this got IE in trouble...
While this is not a showstopper, can somebody explain me why Firefox for mac ever since 0.7 has a problem with Expose feature? IE one can se a small window attached to the main window?
Also, why is it we cannot search the bookmarks in the sidebar wihtout crashinf the whole application?
Small annoyances but we are getting awfully close to 1.0 and still no sign of improvement.
Safari is catching up in terms of speed and is looking ever more appealing!
Artificial intelligence is no match for natural stupidity
Last time I tried to install over an existing installation i seriously regretted it. Took me 3x as long to get everything worked out. So now I uninstall first.
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
249004 Importing false CA certificate leading to error -8182 (pe...
# False certificates aren't really an exploit
250906 null (%00) in filename fakes extension (ftp, file)
# fake extense aren't exploits
251381 new libpng buffer overflow vulnerabilities
# okay that is an exploit
253121 lock icon and certificates spoofable with onunload docume...
# that is not an exploit either
I think they should be more like bugs. I think Mozilla is just trying to play it safe. Ironically by them "being up front" they may end up driving people away from the browser...
--Joey
>>What the initial poster was talking about was a motherfucking update, NOT a service pack.
Since when is a service pack not an update?
Update:
1. Information that updates something.
2. The act or an instance of bringing something up to date.
3. An updated version of something.
Now. Please. Tell me how a Service pack doesn't count as an update?
NeoThermic
Use my link above, or to view my server, NeoThermic.com
I downloaded the linux installer version (firefox-0.9.3-i686-linux-gtk2+xft-installer.tar.g z)ked from the Firefox page and itself seems to have a little bug:
** (firefox-installer-bin:3120): WARNING **: Invalid UTF8 string passed to pango_layout_set_text()
It winds up with an incomplete installation. However, if you just download the gzipped tarball without the installer from here and untar it over your old firefox directory you should be just fine.
Use this link instead: http://ftp.mozilla.org/pub/mozilla.org/firefox/rel eases/0.9.3/
tasks(723) drafts(105) languages(484) examples(29106)
"The 4MB size of the complete Mozilla browser is smaller than many of Microsoft's IE updates have been."
Maybe version updates. However, most IE fixes are a couple of hundred K. Right now, I have a cumilative update that's 2.8 meg that fixes a small handful of things. What you're suggesting would require a 4 megabyte download just to fix a typo in the credits.
"So, while you may have to re-download the whole browser, the actual file size is still smaller."
This would only be true under strange scheduling circumstances. On top of that, IE updates don't require an uninstall.
I easily prefer Firefox to IE, but this statement is misleading in a couple of different directions. Microsoft definitely has Mozilla beat when it comes to the efficiency of updates like this, whether you focus on just the size of the file or if you expand that out to the total end user experience.
"Derp de derp."
i wonder if the people who uncovered these bugs qualified for the $500 payment or if it contributed to them being found.
I use an invisible root window in my application as well. Many applictions use invisible windows, and they do not foul Exposé at all. Exposé will not show an invisible window, nor will it show an offscreen window (which is frustrating to me, as I have several tools that try to remember where windows were last displayed even on smaller monitors).
I really do not know what Mozilla is doing, but it is not that simple.
Yeah, i see a lot of people on this list complaining about Mozilla having so many patches... dang, at least they put them out there... also im sure the opensource nature of mozilla/firefox lets many eyes see the bugs... while in IE there could be millions of little goodies that could be exploited and we would never know. I'm just impressed that the coding team has fixed the bugs so quickly. Yes.. they do need to build in a better patching mechanism.. but every project has a few growing pains.
If it really is necessary to point out to you, then I'm getting sick of comments like: ...and...
"At 5MB for Firefox (on windows), its far smaller than the average IE 'patch', which normally are around 7 MB or so."
"IE catches shit for 2 out of the 4 bugs."
"Anyway, do you think that FF/Moz should take the Windows route and refuse to acknowledge vulnerabilities, and simply hope they pass by with no one else noticing? Please, think a little bit before posting a comment."
Thank you,
Xeon
Real programmers can write assembly code in any language. -- Larry Wall
Not on Gentoo, you insensitive clod!
Maybe if you add together all the small IE updates, it totals more than 4mb at Windows Update.
I can download and install the full Mozilla package faster than I can reboot my computer every time there's an Internet Explorer patch.
That puts Mozilla ahead of IE, at least in my book. :)
The new Mozilla Firefox release fixes four security problems and all the other bugs that have been fixed in the aviary branch. Microsoft, on the other hand, hasn't published fixes to IE's layout engine since 2001.
That was what an update should be!
.mozilla directory. The only nit to pick was that search plugins aren't stored in userspace, but copying them over is trivial.
Upgraded from 0.9.1 to 0.9.3. Didn't have to fiddle with turning off extentions or re-downloading them and reconfiguring them this time. Continues to use the same
To-do List: Receive telemarketing call during a tornado warning. Check.
Where are the Changelog? From the website, you only know there is a new version for these three apps, but there is not description of what has been changed since the last version?
I remember that for every release there used to be a link to the Changelog with details on all the new changes since the last minor update (eg v1.6.1 to v1.6.2). Is the new site/design just too "user friendly"?
(After some browsing I did find a link to an *external* website with change details, but can't find it again now... @_@)
Codeala - Just another mindless drone
Well, I guess bigger download speeds = bigger penis. I got it at 1120KB/S..
^^
Prior to 0.9, Firefox was only being updated ever few weeks, with each release holding many fixes since the last release. I think the increase in releases has mainly been due to the fact that in the last month or so the user base of Firefox has gone up dramatically.
I am sure this has put a lot more stress on the Firefox dev team because now people are starting to rely on their browser to be as good as IE and with whole organisations now looking at using Firefox over IE, the pressure must really be on to make sure it lives up to expectations.
Once Firefox hits version 1.0, people will get real shitty if it has bugs and security flaws, so the more they fix during 0.9.+ the better. Until then, I am happy to keep downloading it, daily if needed.
One way to keep updated about Mozilla releases and developments in many different areas is by subscribing to one of the developer mailing lists:. html
... I wrote a note this morning but I imagine they are submerged.
http://www.mozilla.org/community/developer-forums
MozillaZine.org also does a good job of summarizing the development, but it's almost always 2-3 days late.
For the true cutting-edge lizard in you, there's always the feedhouse:
http://feedhouse.mozillazine.org/
And of course it has RSS feeds.
For those of you wanting to know when specific bugs have been fixed, I find the "edge" websites to be most simple to read (although not thorough):
The Rumbling Edge (for Thunderbird):
http://weblogs.mozillazine.org/rumblingedge/
The Burning Edge:
http://www.squarefree.com/burningedge/
Saddly, there is no information about the releases almost a day after they have been out on http://mozillaeurope.org/en/
Enjoy!
Notepad specialist & FAT administrator, group training available
What I find odd is that despite this release being focused on patching security vulnerabilities there's no noticable mention on the web site of the importance of this update. I leave my home page set to the FireFox page in hopes that there will be a clear message saying if there's a need to upgrade, but the page itself only says 0.9 -- and I'm fairly confident that the average user isn't going to figure out the difference from the front page (which now says 0.9.3, but how many users are aware of what version they're using?) It wasn't until I read slashdot that I was made aware of the release of this security update, and who knows if something could have happened since then?
While I don't expect a windowsupdate.com for Mozilla, being that a main criticism of users is their failure to keep software updated why don't the developers make it more clear that an update is even present?
I noticed 0.9.3 doesn't fix the UI Spoof using XUL mentioned a few days ago... Could this mean what I think it means....
Yes.... FireFox is your father.
Care to explain why you've linked a `Security Update for Windows 2000`?
We are talking about IE here, not 2K.
As for a IE patch that is large?
IE6 SP1 - 8.7 MB to 12.7MB
IE5 SP2 for ME - 6MB to 17MB
Internet Explorer 6 SP1 Update: "HTTP 404 - File Not Found" Error Message When You Try to Visit Web Pages That Are Opened by JavaScript Functions in Frames or in Windows - 1.3MB
October 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 - 2.1MB
October 2003, Cumulative Patch for Internet Explorer for Windows Server 2003 - 4.2MB
October 2003, Cumulative Patch for Internet Explorer 6 - 2.5MB
Need me to continue? Or have I proved my point?
NeoThermic
Use my link above, or to view my server, NeoThermic.com
problems that Firefox .9.x has had with slashdot. It seems that the side menu bars randomly overlap the main page content. It really looks ugly.
Granted, I'd like to see a patcher/updater that works, but this is still sub 1.0 software.
Rename current firefox directory.
Install firefox.
Copy plugins folder to new install.
Load firefox.
That's it. Your bookmarks and settings are in your profile, NOT in the install directory.
Some plug-ins will need to be reinstalled.
The main executable for firefox is ~6MB... It would seem to me that this is not a very efficient method for updating the program. Perhaps they'll design the next version with modules that can be updated more efficiently by smaller downloads?
Anyone know why the version information for the file for 0.9.3 lists 0.9.0.0? Right click firefox.exe and then properties then version tab.
IE has an executable of a few KB (WinXP).
A few random security flaws found. Imagine if it was worth thousands of dollars to you to find and exploit these flaws so you searched and found them months ago as part of your full-time work...
I don't have to imagine it; we can see how well it works with microsoft products.
They have paid programmers so there is no exploits and flaws in their software, right?
Treehugger? Treehugger... Treehugger!
During the recent Ject issue, I looked into trying to rip out IE. I have like 120 machines to look after, I don't have the money to active directory, and I have certain limits. I'll use psexec but even so, its a long tedius job maintaining 120 machines.
:shell: made me rather glad I had'nt committed a massive workload in the name of switching to a new bugwridden, secuirty glitched browser.
Now, getting back to IE, yes, I did look at ripping it out. Not so easy on XP Pro as any user who signs in gets linked to the program in default. I could banjax the progam directory, and stop it being used that way, but if I do that, I believe I can still call windowsupdate.com via an explorer window. I presume however, that anyone using the same method uses the same cuplable browsing that impairs IE. Thus I'm not really solving the problem, just fending it off until the users get smart.
In terms of Mozilla and Firefox, sadly I have to say the security failure regarding
Today, I'm told if I had rolled Mozilla, someone's just committed me to a whole sale re-roll out just because they can't patch, they have to fix it in a new install.
I've said it before, I'll say it again, doing this to me just puts me right off even contemplating it. Next week, watch out, the next Mozilla issue will rear its ugly head.
I sadly have to put aside the OSS/MS stuff, because whatever I put out there has to work, and its not about Ideaology, I do not care about Ideaology. Mozilla is a fine effort, but the security side leaves much to be desired. One is hard pushed to claim that its a quantum leap in browser security.
AdmV
We`re all equal