Slashdot Mirror


Security-Updated Versions Of Mozilla Released

petabyte writes "As mentioned in this Mozillazine article, there are new versions of the Mozilla Suite (1.7.2), Mozilla Firefox (0.9.3) and Mozilla Thunderbird (0.7.3) available. They address 4 security bugs (linked from the Mozillazine article). Unlike Firefox 0.9.2, these can't be fixed with just a XPI upgrade, so you'll have to download a new binary and install."

12 of 375 comments

  1. Grumble Grumble by (54)T-Dub · · Score: 5, Insightful

    I'm getting tired of the whole uninstall, delete, re-install, get plugins, import bookmarks, set settings, get skins (optional) routine. I wish they would hurry up and fix the installer so that I could simply update the browser and save all my stuff.

    --

    "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
    1. Re:Grumble Grumble by steeef · · Score: 5, Informative

      Installing over the old version often works, but sometimes not.

      If not, I usually save my plugins, delete the directory, install, then copy my plugins. My settings, bookmarks, and skins are all in my profile, and I haven't had to delete/recreate that in a while.

      It sounds like you're just being too careful.

    2. Re:Grumble Grumble by (54)T-Dub · · Score: 5, Insightful
      While I do understand why you would want a better installer, that isn't the central point of a [insert any piece of software here].
      And now we come to the basic problem with the attitude behind Open Source development. If we ever want to get open source out of the geek world we need to be able to get this idea out of our heads. A simple installation is important. Someone should not need years of experience to install an OS smoothly. And any computer novice should be able to upgrade their software with the click of the mouse (maybe 2). I'm not saying we need to dumb it down, just put in a little bit more attention to ease of use/install/upgrade.
      --

      "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
  2. Re:Does this mean that . . . by irokitt · · Score: 5, Funny

    Trying to download a 4.0 MB file after it's linked to on the front page of Slashdot is never an easy thing, dude.

    --
    If my answers frighten you, stop asking scary questions.
  3. Re:slashdot still refuses to render in firefox by Valtor · · Score: 5, Funny

    Well I don't know about you, but the 503 errors are gone for me.

    --
    "Sockets are the standard networking API, also useful for stopping your eyes from falling onto your cheeks" zeromq.org
  4. Re:Does this mean that . . . by NeoThermic · · Score: 5, Informative
    Really? His ass must be very correct:

    Internet Explorer 6 Service Pack 1

    I quote:
    Windows Me:
    32 MB of RAM minimum
    Full install size: 8.7 MB

    Windows 2000:
    32 MB of RAM minimum
    Full install size: 12.0 MB

    Windows 98 Second Edition:
    16 MB of RAM minimum
    Full install size: 12.4 MB

    Windows 98:
    16 MB of RAM minimum
    Full install size: 11.5 MB

    Windows NT 4.0 with the high encryption version of Service Pack 6a and higher:
    32 MB of RAM minimum
    Full install size: 12.7 MB

    Windows XP:
    32 MB of RAM minimum
    Full install size: 12.0 MB

    That's just *one*, and it's larger than the 5MB 0.9.3 release.

    NeoThermic
    --
    Use my link above, or to view my server, NeoThermic.com
  5. The actual vulnerabilities by Anonymous Coward · · Score: 5, Informative
    Copy & Paste, Bugzilla hates us:

    http://bugzilla.mozilla.org/buglist.cgi?bug_id=251381,249004,250906,253121

    • Importing false CA certificate leading to error -8182 (perm DoS), especially exploitable by email
    • null (%00) in filename fakes extension (ftp, file)
    • new libpng buffer overflow vulnerabilities
    • lock icon and certificates spoofable with onunload document.write


    IE catches shit for 2 out of the 4 bugs.

    libpng buffer overflow - a lot of bitching goes on around here with regards to "OH M$ EVEN HAD AN OVERFLOW IN BMP HANDLING IN IE!!!"

    null (%00) in filename fakes extension (ftp, file) - Variation of this got IE in trouble...
  6. Re:Mod parent up. by (54)T-Dub · · Score: 5, Insightful

    Hear, hear. And their "handy" little update notification in the lower right corner has never worked for me. It is constantly telling me that I have to upgrade to version 0.9.1 (which I'm running). Even now it still says the same freaking thing.

    Don't get me wrong, I love Mozilla and open source. But it's those little things that developers hate coding that get to me sometimes. Don't even get me started on a Linux install.

    --

    "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
  7. Re:The four vulnerabilities... by black+mariah · · Score: 5, Insightful

    Are you fucking stupid? Every fucking one of those is EASILY an exploit, not of code but of the user.

    Fake certificates help in all sorts of scams. Spyware, eBay scams, whatever. "Oh, this is signed by Macromedia. It must be safe!"

    Fake extensions. We've all seen the results of simply adding a .jpg before a .exe, and how much shit does MS take for THAT one? Like it's their fault that people are fucking stupid enough to double click on 0wnyourcomputer.jpg.exe. Faked extensions are worse, because they don't even have the fucking .exe at the end.

    Lock icon spoofable. So you go to a site you THINK is secured, but it turns out it isn't. Happy funtime on your credit card!

    Not all exploits are code-based, not all exploits are related to software.

    --
    'Standards' in computing only impress those who are impressed by things like 'standards'.
  8. Reality check, please. by Lexomatic · · Score: 5, Insightful
    Firefox is still pre-version 1.0 at the moment, so people should be expecting these sort of updates.

    Prior to 0.9, Firefox was only being updated every few weeks, with each release holding many fixes since the last release. I think the increase in releases has mainly been due to the fact that in the last month or so the user base of Firefox has gone up dramatically.

    I am sure this has put a lot more stress on the Firefox dev team because now people are starting to rely on their browser to be as good as IE and with whole organisations now looking at using Firefox over IE, the pressure must really be on to make sure it lives up to expectations.

    Once Firefox hits version 1.0, people will get real shitty if it has bugs and security flaws, so the more they fix during 0.9.+ the better. Until then, I am happy to keep downloading it, daily if needed.

  9. Letting People Know by MournsForHumans · · Score: 5, Interesting

    What I find odd is that despite this release being focused on patching security vulnerabilities there's no noticeable mention on the web site of the importance of this update. I leave my home page set to the FireFox page in hopes that there will be a clear message saying if there's a need to upgrade, but the page itself only says 0.9 -- and I'm fairly confident that the average user isn't going to figure out the difference from the front page (which now says 0.9.3, but how many users are aware of what version they're using?) It wasn't until I read slashdot that I was made aware of the release of this security update, and who knows if something could have happened since then?

    While I don't expect a windowsupdate.com for Mozilla, being that a main criticism of users is their failure to keep software updated why don't the developers make it more clear that an update is even present?

  10. Re:UI Spoof Not Fixed by Anonymous Coward · · Score: 5, Funny

    I noticed 0.9.3 doesn't fix the UI Spoof using XUL mentioned a few days ago... Could this mean what I think it means....

    Yes.... FireFox is your father.