Firefox 0.10.1 Released, Fixes Security Hole
_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."
upgrade done in 3 seconds! :D
this is what i call being secured
But what exactly is the worry here? It deletes files in your download directory? Does that really matter? Could someone enlighten me on why it's worth the bother to uninstall and reinstall for this?
The Braying and Neighing of Barnyard Animals Follows.
...there are no updates, woohoo
i was updated automagically without having to do anything
now that's service!
after firebird, firefox, firefox 1.0 and now firefox 0.10 ??
Who finds this version numbering scheme damn confusing? The actual program calls itself 1.0PR but the directory structure on the Mozilla server and CowboyNeal call it 0.10.1. Anyone care to explain what's going on here?
Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
Some people have a dedicated download directory they only use for temp storage until moving the file into a permanent place (or deleting it).
There are, however, a lot of users who pack all their stuff onto the desktop or into "My Documents" with no or little subfolders. For such use cases, the patch is indeed worth installing.
So after doing the update through the advanced options should my browser report 0.10.1 under help about? Because I still have 1.0PR
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
...could potentially allow a malicious site to erase files from the user's Download directory
:-)
My download directory in Windows is my desktop. Have you seen my desktop? It's a fairly old screenshot, too - it's only got worse since then. My iBook's equally bad, except everything's just randomly strewn around the place...
A bit of remote tidying-up would be greatly appreciated.
Tedious Bloggy Stuff - hooray?
I'm just curious if anybody knows how long this patch took to be released. That is, what was the turnaround time from the discovery of the bug to the release of this patch? In the past it has been as fast as a few hours. The longest I think was only a day or two.
I see the 0.10.1 at the bottom in the user agent string.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
"Firefox was not able to find any available updates" - this on a vanilla install of the 1.0 PR.
This is what open-source needs: a quick and convenient upgrade/patch system. I went to the system settings and ten seconds later, my Firefox was patched.
Now if only Gaim does this.
Will
A NYC lawyer blogs. http://www.chuangblog.com/
Considering Firefox is supposed to be the secure alternative, 13 security advisories in the last 6 or so months isn't a good look.
Sure it isn't that bad, but nonetheless, it doesn't help Firefox's image at all and looking at Secunia, Firefox has had more advisories than any other browser (yes, that includes Internet Explorer and the Mozilla Suite) since May this year.
It's way too late to save netscape as a company (and maybe a good thing too, their releases sucked), but ms is definitely on the skids judging by the access logs of the sites I run (not just the linux related ones).
MP3 Search Engine
... under the main menu edit, then preferences ... then advanced... to Software updates
I ran this thing last night forgetting that Firefox was installed to a location that user accounts can't write to.
Seeing the error message and remembering this fact I lit Firefox as root and ran the update. This left Firefox mangled and incapable of downloading things from the user accounts.
The moral of the story: do be careful using the update thingy. Now, off to fill out a bug report.
Only in a Slashdot fantasy can a Slackware install turn into several hours of sex . . . . .
be as effortless and completely painless like this one?
Funny, but my 'tools' menu doesn't have 'options' in it. I have 'edit->preferences' then an 'advanced' option in that preferences area.
Is the terminology different on different versions?
creation science book
What type of sites is it you operate? Here are some logs from a 100% non-technology related site which still shows Internet Explorer as by far the most-used browser.
Note that the Opera browser shown in Rank 3 should not be taken as accurate as this merely runs a "ticker" on auto-refresh setting every 10 minutes.
# Hits User Agent
1 31005 15.75% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2 20925 10.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
3 11074 5.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.50
4 10596 5.38% Opera/7.50 (Windows NT 5.0; U) [en]
5 9893 5.03% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko
6 8281 4.21% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
7 7856 3.99% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProd
8 6113 3.11% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
9 5286 2.69% Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
10 4868 2.47% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
11 4795 2.44% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko
12 2915 1.48% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) Opera 7.50
13 2885 1.47% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko
14 2783 1.41% Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
15 2645 1.34% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54
Backup not found: (A)bort (R)etry (P)anic
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
This is the first security hole in the ubuntu linux distribution. They have supported patches of security holes in 18 months after the initial release of their distribution (which is every 6 months).
No update yet, so maybe this is not the distribution for the security minded.
If this doesn't work, of course, you'll have to download and install, which is almost as painless as the upgrade frob. The red 'upgrade' icon may still be present, so you'll have to click that so that Firefox will find that all is well with the world.
As always, YMMV.
This sig no verb.
Last night I noticed a nifty pulsing red bubble in the upper right-hand corner of my Firefox toolbar. Clicking it revealed a message from the software-updater stating that an urgent fix was available. I clicked allow install, and it was done in ten seconds. Very nice that the browser alerted me to a fix and patched itself in no time at all.
What you're seeing are the results of this program.. people are finding bugs, submitting them, and the bugs are being fixed before blackhats can exploit them.
That's not what I'm seeing. I had a spam with a .vbs file in it nuke my Thunderbird inbox last night. And the email was never even opened, or previewed. Second time that happened. So much for Mozilla security.
I don't respond to AC's.
has just been modded, within seconds of being posted, as "Flamebait".
How on earth is that post flamebait?
The article discusses a vulnerability.
kertrats asks: How is asking others on
As to the last question asked by kertrats:
Again, kertrats was ASKING A QUESTION, NOT INSULTING THE GECKO GOD OF MOZILLA AND OPEN SOURCE.
It's mods like this one that make you wonder if the person modding is either waging a mod war against another
People ask questions like this all the time. How is kertrats being confrontational and "flamebaiting" by asking questions that did not contain words like "junk" or "piece of shit", or whatever.
Obviously, kertrats is a firefox user, and wants to continue to use firefox, otherwise he/she wouldn't give a rat's ass about it either way.
Man, get with it with the damn mods.
The issue isn't that there is a new exploit. The good thing is that we found out about the exploit by having to apply the patch to fix it.
No software is perfect, any software that has any contact with the internet can have an exploit. It all depends on how fast the developers are able to discover and fix the problems.
"...a security flaw that could potentially allow a malicious site to erase files from the user's Download directory."
I would consider this a feature more than a bug. It's like someone breaking into your house and taking out the garbage for you...
:n
The reason (for as far as I know) that Firefox uses this versioning scheme:
If 1.0PR would have a version-tag with 1.0 in it, it would be more complicated for (for example) extensions to differentiate 1.0PR and the real 1.0. And home-users would probably not even get to see these version-numbers. They would just notice there is a new update.
And about the bugs, I know I'm stating the obvious, and that it's been said before in this thread, but I'll try again:
First of all, because Firefox performs so well people tend to forget this is still beta-software! Second, these bugs are discovered partially because of the bughunting program with rewards. So these bugs could well have existed for months before being discovered. It's good news they have already been squashed! And third, some of these bugs actually appeared because of the way Windows fucks up! (Remember the shell:// protocol?)
Hope this helps,
XoloX
I haven't done (ms-)windows since the beginning of time and since he doesn't know *anything* about computers it was hard trying to figure out what might've been the problem, but it sounded like the typical standard unprotected ms-windows setup that was probably also loaded with spam and ad-ware, bogging down even his simple efforts at browsing the web.
Knowing that quite a few people here have experience with cleaning up the standard MS-install mess, I would like to ask what needs to be done to plug the major holes and deficiencies in a new MS setup?
Firefox is an obvious rescue tool to replace MSIE so are there any issues when installing it or does it automatically and painlessly migrate all necessary MSIE data?
And what about utilities to remove the spyware his machine may already be infested with? Any suggestions?
I'm hoping to be able to burn all these goodies on a CD to give him so I also wonder whether they're easy enough to operate by a total non-techie?
Since his "computing needs" appear to be very simple I'm also giving him a Linux liveCD (perhaps Ubuntu-based Gnoppix would be a good starter with its simplified GUI and it also comes with Firefox) to try out and play with but before completing his conversion I'd need to evaluate how well e.g. OpenOffice.org fulfills his needs at this point.
Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?
I'm curious. Do most of the security holes we hear about with Firefox/Mozilla affect all platforms or mostly Windows?
GD Mozilla knew about a serious vulnerability for more than 6 months in their browser, and didn't do anything about it, leaving hundreds of millions exposed.....
Oops, s/Mozilla/Microsoft ^^
OSS > closed&vulnerable
The thing that strikes me here is that the ability for browsers to have convenient, automatic features (and, in the case of Firefox, UI customization capability up the wazoo) is simply another form of the same mentality that made IE into such a security nightmare. The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place. The Mozilla press release even has a "click here" link to automatically install the patch! Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead. The bloated XUL interface engine that makes Mozilla (and Firefox) next to unusable on my old workstation (450 MHz, RH 7.3) also means that the UI can be totally changed - this, to me, is very scary. Because if something can be totally changed, then I can guarantee that eventually someone will figure out a way to totally change it without my consent.
Why not just design a browser that works on multiple platforms, using an established cross-platform GUI such as wxWidgets, rather than going away to create a browser and coming back with another new, slow, bloated, universal uber-platform swiss-army-knife UI language... yeah, I know, "Do it yourself dude", and plenty of geeks out there just love the customizability of XUL, but truthfully all I want is a fast, small browser. It just seems like everything is getting larger, slower and more bloated these days. Even Firefox, which is supposed to be sleek and fast, runs like a dog on my workstation. I don't see why I should have to upgrade my computer just for a fricking browser, when every other piece of software that I use runs just fine thanks very much.
I don't hate Mozilla, these are just my honest reactions to the whole affair over the last couple of years.
evidence like this is worthless without a clearer picture of your target audience, number of hits, etc., etc.
remember too that the giant OEMs like Dell continue to ship seven to nine million XP-SP2 systems each month with IE 6 installed as the default browser.
I just checked with "check for updates" on my 0.9.3 version, it said there's no updates needed. Why putting the button if it won't work properly? Ok yes it's beta, but c'mon, the potential userbase for mozilla is for microsoft-basher and most importantly, people who don't trust IE to be safe/secure anymore.
Ok with the release of 1.0 it's been fixed, I grant that, but still, I'm really annoyed after seeing this. And while at it, why do we have to go so deep to get updates? there should be an upgrade button in the menu 1st level.
For their defense, they do turn on update checking by default. The only thing is one who downloaded prior 1.0 and thought he was safe from where will probably have the same reaction I have. It's not trolling, it's just common sense and misjudgment. Don't get me wrong, I wouldn't even write this if I wouldn't care about mozilla, It's my main browser now, I've been doing my bank transactions from it, etc etc.. that's why I'm getting this reaction.
Trust is the most difficult thing to gain and easiest thing to lose.
--- Metamoderating abusive downgraders since my 300th post.
Why does a user have to go to Tools -> Options -> Advanced to check for updates to Firefox? For the average non-technical user, this should be much more accessible.
One thing I didn't like is that when I got the notification from Firefox for a "critical fix" there was no indication of exactly what it was supposed to fix. I like to know why I need to install an update before doing it. Or am I just blind?
sure... ip address?
They still have yet to fix a much more serious bug.
Just because most of us don't live in South America doesn't mean it isn't a huge problem.
Sorry, links to Bugzilla from Slashdot are disabled.
ooh, bugzilla you sassy wench
I'm running Firefox on Linux and I had the previous release candidate installed. The update facility failed with a meaningless error, and corrupted my current install.
So I downloaded and installed the new version, which overwrote my old version including my plugins directory, and on startup, failed with an obscure error until I deleted my user profile.
I'm a card carrying Firefox freak, but really, this was not smooth...
It is quite confusing. I believe that 1.0PR was called 0.10 in order to distinguish it better from 1.0RCs and above. The program actually calls itself "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1", as in 0.10.1, but the "layman's" name is 1.0PR... you could say ;)
:)
So I guess what will happen is they will start with 0.10, then now it is 0.10.1.. and work their way back to 0.9 again, after which they will call it "Firefox 1.0RC1", and start the small number scheme all over again!
Do the same for RC2.. RC3.. RC4.. Final RC..
Oh well. When longhorn comes out, we will get Firefox 1.0 for longhorn too!
Online backup with Mozy, sounds like Ozzie, but more!
... to give it the same filename as the previous one (firefox-1.0PR-i686-linux-gtk2+xft-installer.tar.gz) ?????
This is a bit offtopic but what the hey. You ask several questions in this post so my answer may not answer all your points:
To the best of my knowledge Firefox will only offer to migrate IE bookmarks. It doesn't do cookies although if you are willing to mess about by hand I think you can get IE to export its cookies to a file and then copy the cookies file to the firefox profile.
Will the migration be painless? Who knows? It's been generally painless for me on recent machines but that's no guarantee for you.
Two of the most famous spyware removal utilities are Adware and Spybot search and Destroy.
Help > About will reflect the old version until you restart the program.
G
It would be a useful addition to add an FF Profile Manager that included FF Update and Extension Install/Update permissions for multi-user workstations. I looked through MozillaZine, but didn't find much. I can prohibit other users from updating FF and installing/updating extensions using NTFS permissions, User group settings and GP settings, but it would be handy to have it included in a FF Profile Manager.
while the in-browser update worked for running as root, it didn't replace it for my user accounts. Thus, I just synced my local portage tree and emerged the latest version of firefox(-bin) instead... worked like a charm :)
I just installed and patched the PR edition on my system and added AdBlock and Firesomething. My friend who is a Microsoft developer was watching this process which took 2 minutes. He was taken aback and had to admit that things have improved for installing applications for Linux. He also said that most Windows users would be lost following the instructions to install from a terminal window or doing any installation requiring "./configure, make, make install." He has a point. We need more "Windows-like" app installation to get more Windoze users to migrate to Linux.
I went to the system settings and ten seconds later, my Firefox was patched.
So you're concerned that you might be tricked into deleting files from your download directory, but you've got no qualms about having write access to applications you run?
What if the "Ask me where to save every file"-option is checked and there is apparently no defined download directory?
Uh. What then?
Fight for your digital freedom, join the EFF *now*: http://www.eff.org/support/
I'd really like to make Firefox check for updates at startup or change the interval of checking for updates. I found the variable in the about:config screen but the number "86400000" doesn't make sense to me. Any ideas anyone?
- Save a tree, eat more woodpeckers
Doesn't work for me. Anyone know when they might fix the problem? windows update never failed. So can I install over the original Mozilla folder?
Apparently the author doesn't actually use firefox. The menu is not Tools -> Options, but Edit -> Preferences.
At least they haven't changed the name in a few weeks!
Your top 15 browser strings just show around 45% (added in head, please allow a +/- 5% error margin) of your hits, you have no idea what the majority of your users are using!
I really have to give the Mozilla folks some credit: their "preview" releases are generally of better overall quality than a certain other organization's finals.
The higher the technology, the sharper that two-edged sword.
IE does it all the time:-)
What happened to the Theme manager on Windows?
...Wait, what? That wasn't there before! What has happened to the Theme manager since 0.9.1?!?
*Updated from 0.9.1 to 0.10.1*
*Went to see if all the themes he uses are there.*
*Yep, click to change from the ugly 0.9.x+ theme to a IE looking one (to show off Firefox to friends)*
"You must restart Firefox."
The same thing happened to me, but then I looked at the version and realized that I was still running .9.3 on that box. It'll only show the update if you have .10.
And the l33t shall inherit the 34r7h.
The user has to actually initiate the update themselves. You simply see a little red arrow, click it, and then are asked to update. Why is this bad if mozilla.org knows how to secure itself?
"Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead."
Don't you think they've thought of that? Update installs are coded for mozilla.org only and I expect other layered security to come as well. Give them a little credit already. When mozilla/firefox becomes the plague of the Internet like IE is currently then you can start throwing accusations around. Until then based on their track record I'm willing to give them the benefit of the doubt.
"The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place."
Just because Microsoft completely fucked up with IE doesn't mean all of IE's features are bad, just not properly secured. You're wrongly throwing away an entire workable concept for all the wrong reasons.
Also AFAIK there has never been a hack of either Windows Update or Red Hat Network where someone got trojaned for installing an update. Again, expect tighter controls on who can install what in the future.
" next to unusable on my old workstation (450 MHz, RH 7.3) "
Yes, and xp runs slow on 5 to 6 year old hardware as well. What's your point? The zilla's won't ever be blazing fast on ancient hardware so you might as well move on now. Photoshop CS won't run very well on a P450 either. That's a fairly lame complaint since most users don't have your problem. The Mozilla developers also never claimed it would be a browser for old computing platforms in the first place. I don't know why you assumed that. I have btw used Firefox on that era hardware as well. It's no speed demon loading but useable once it launched. On my PIII 700 laptop with 256MB, a machine only a little newer than yours, Firefox runs pretty well and it's all I use.
If you wanna get rich, you know that payback is a bitch
Is anyone else having a problem with Firefox not displaying columns correctly? See my example from Slashdot. I'm on Windows XP SP1.
It's amazing how quick everyone is to bash MS IE, some legitimate, but not a peep on Firefox. Not a peep. I understand there is a bias here, but the silence is deafening.
I agree with what you're saying, it should just be in the tools menu, "check for firefox updates" or something. But, it doesn't really matter too much, because firefox checks automatically every couple days anyways and if it finds anything it lets you know. Doing it the way described in the story is only if you want the update immediately and firefox hasn't automatically checked for it yet. Not the biggest deal really.
Joseph?
errr... I operate ww.com...
MP3 Search Engine
Depends if you're on linux or windows. On Windows it's tools->options. They really should standardize it.
Joseph?
I ran firefox as root and upgraded. The patch installed two files:
/opt/firefox/components/nsHelperAppDlg.js
/opt/firefox/defaults/pref/bug259708.js
But the permissions were off, so I needed to do a quick "chmod 644" on both the upgraded files. Only then did the patch work for me.
First off, the software update screen isn't in tools, it's in prefs for my version about a week old.
Second, the 'check now' does generate some traffic on the net before it says there is a vital security update available and activates the 'install now' box for my clicking pleasure.
Unforch, while clicking on it does bring up the download progress screen, it generates absolutely no, none, nada, net traffic to initiate the download, it just sits there with its little wheel spinning forever.
Am I mis-configured somehow?
Also, it won't replace mozilla here until it can import all the mozilla stored passwords to go along with the import of mozilla's bookmark data.
I cannot access my bank from firefox-0.10 without calling them up, going thru a rather lengthy ident procedure involving the sacrifice of my firstborn, and changing my password to yet another long sequence only mozilla seems to be able to remember.
This is very important to many of us, but firefox seems to have dropped the ball on this one and that will prevent its instant, widespread acceptance as the default browser of choice at this location. I suspect many others will feel the same way.
Cheers, Gene
Does accessing http://ftp.mozilla.org/ hang a very long time for you before showing anything? If so, you have IPv6 enabled in your distribution and have your firewall rules set to drop IPv6 connections. Disabling IPv6 in your distribution should fix the long wait when connecting. Here are SuSE's instructions for disabling IPv6 (hopefully they should work on other distributions also).
I think this is to help with package managers who use version numbers to tell when something needs to be upgraded.
For example RPM will not upgrade 1.0PR or 1.0b to 1.0 because they appear to be the same version, it can't tell which one is higher. This was happening with the mozilla RPMs a while ago, you had to force downgrade to get it to work. So using sub-version numbers from the current release for all the betas, gammas etc seems like a smart idea.
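How an RPM-style comparison orders the version strings mentioned in this thread, as an added example (not part of the original comment and not RPM's own source). It re-implements the classic segment-wise algorithm only, without epoch, release, `~` or `^` handling; the function names are hypothetical.

```javascript
// Added example: segment-wise version comparison in the style of RPM's
// rpmvercmp. Returns 1 if a is newer than b, -1 if older, 0 if equal.
function rpmvercmp(a, b) {
  if (a === b) return 0;
  const isAlnum = (c) => /[A-Za-z0-9]/.test(c);
  const isDigit = (c) => /[0-9]/.test(c);
  const isAlpha = (c) => /[A-Za-z]/.test(c);
  let i = 0;
  let j = 0;

  while (i < a.length || j < b.length) {
    // Separators ('.', '-', '_', ...) only delimit segments; skip them.
    while (i < a.length && !isAlnum(a[i])) i++;
    while (j < b.length && !isAlnum(b[j])) j++;
    if (i >= a.length || j >= b.length) break;

    // Take a run of digits (or a run of letters) from a, and a run of the
    // same kind from b.
    const numeric = isDigit(a[i]);
    const sameKind = numeric ? isDigit : isAlpha;
    const startA = i;
    const startB = j;
    while (i < a.length && sameKind(a[i])) i++;
    while (j < b.length && sameKind(b[j])) j++;
    let segA = a.slice(startA, i);
    let segB = b.slice(startB, j);

    // Kinds differ at this position: a numeric segment beats an alphabetic one.
    if (segB.length === 0) return numeric ? 1 : -1;

    if (numeric) {
      // Compare as integers without overflow: drop leading zeros, then the
      // longer digit string is the larger number.
      segA = segA.replace(/^0+/, '');
      segB = segB.replace(/^0+/, '');
      if (segA.length !== segB.length) {
        return segA.length > segB.length ? 1 : -1;
      }
    }
    if (segA !== segB) return segA > segB ? 1 : -1;
  }

  // All shared segments were equal: whichever string has segments left over
  // is treated as the newer version.
  if (i >= a.length && j >= b.length) return 0;
  return i < a.length ? 1 : -1;
}

// Oldest-to-newest ordering as this comparison sees it.
function sortVersions(versions) {
  return [...versions].sort(rpmvercmp);
}

// Version strings taken from the thread.
const THREAD_VERSIONS = ['1.0PR', '0.10.1', '1.0', '0.9.3', '0.10'];
console.log(sortVersions(THREAD_VERSIONS).join(' < '));
```

Under this ordering a package labelled 1.0PR is never replaced by 1.0, because the leftover "PR" segment makes it compare as the newer of the two, while 0.10 and 0.10.1 both sort below 1.0.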
Error:
Firefoy could not download the file at
http://ftp.mo....
because: Read only
Very user friendly!
I had the same problem. I think the problem was that I had disabled the "Allow web sites to install software" feature. When I reenabled it, the update procedure worked fine. If this *was* the cause, it would've been nice if Firefox had shown some kind of message saying so. I only remembered about the setting after trying to manually install the XPI file.
I'd just like to note that yesterday i finally decided to upgrade from 0.9.3 -> 1.0PR -- and I went to grab the latest MOOX Release Build
I was very surprised to see 1.0.1 -- now I finally understand what it is --.
Damn I love this guy's releases -- this is sooo friggin' fast. Highly recommended. Just be sure to read his build explanation on his Main Page So you grab the right one.
May this post be indexed by spiders, and archived for all to see as my Internet epitaph.
This is an excellent time to say thanks to the Firefox team - and get something in return (in addition to a kickass browser). Buy a Firefox shirt. Or, donate. I just bought an awesome shirt, myself!!
Open source already has quick and convenient upgrade/patch systems, systems that ensure system-wide consistency.
Per-program updates and installers like Mozilla has are a nuisance because application packages get out of sync and you end up having to keep track of new releases manually. Software like Mozilla has them because neither of the two commercial platforms (Windows, Macintosh) can get their act together on package and dependency management.
I can spoof mozilla.org on my local network. Adding an entire domain to a whitelist for software installation would be a dumb dumb idea. I like what certain linux distros do for updates: accept GNUPG signatures for official updates. Firefox should have signed updates from known "releasers" at mozilla.org.
I wonder why that's not the default mechanism for updates in Firefox. Is there some obvious reason that I'm overlooking?
For Windows, you can use Cygwin.
For Mac OS X, you can use Fink.
For both of them, there are also commercial software update systems.
The problem is that neither Apple nor Microsoft ship or support such systems, probably because it would cause them business and legal problems.
It's called Cygwin Setup. It's not apt (AFAIK), but it seems to be working well. Of course, it does come with the Cygwin libraries, but you can hardly expect people to try to port that stuff to raw Windows APIs.
I went to Tools/Options/Advanced/Software Update and clicked "Check Now". It confirmed that there was a critical update available, which I let it install immediately. Firefox hung while downloading the update (1.0PR, Windows XP).
I had to terminate Firefox without completing the update, which seemed dangerous, but there was no alternative. When I restarted it, I discovered that I had previously blocked software installs in Tools/Options/Web Features, which might have caused the automatic upgrade to hang. (Of course there should have been a message instead of hanging.) So I checked Allow Web sites to install software. (My "allowed sites" list displayed as empty, incidentally. Is that correct?)
Then I downloaded the update manually (file 259708.xpi) to my harddrive and installed it by opening that file in Firefox. The update installed successfully (no message though). I verified this by checking the install.log in the firefox directory.
Now Firefox should have been at version 0.10.1, but Help/About showed 0.10.0 until I closed Firefox and reopened it. This is surely a bug, and it might allow a user to install the same update twice. Under some imaginable circumstances, that might trash the installation.
I thought Bad Microsoft was the only one who let me unprotected from the bad people! Firefokz has security flaws too??? OHMYGOSH!!! I though Linuz was impenetrable and perfect!! I'm hit!!! ohhhh! I'm melting.... I'm melting!! What a world...
Is this the one where you save an image that is embedded with the data: protocol?
Phillip
It wasn't in my whitelist by default - I clicked the XPI download in the article summary ("update" didn't work). (linux, x386, 1.0PR .tar.gz release).
Anyway, all I'm saying is why isn't there a better method for download verification than just the server of origin? I can spoof DNS replies that my computer is mozilla.org, send the file, etc.
Yes, it would be hard to do, but not for a skilled attacker with a specific opponent.
XPI's should require some sort of signature for install. (As far as I know, they do not). It wouldn't limit XPI installs to mozilla.org exclusively, but it would let you know that the file you're installing was in fact approved by the website you're installing from and hasn't been tampered with (e.g. by a person spoofing DNS requests on your own network).
I think that explains it nicely. Can you hear me now?
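The difference between trusting an update by its server of origin and trusting it by signature, as raised in the comments above about whitelisting mozilla.org versus signed updates. This is an added example, not Firefox code and not part of any comment; the function names, the mirror host, the package bytes and the Ed25519 key pair are all constructed for the demonstration.

```javascript
// Added example (Node.js). Nothing here is Firefox's real update logic.
const nodeCrypto = require('crypto');

// --- Publisher side (constructed): a release key pair and a signing step ---
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

function signPackage(bytes) {
  // Ed25519 takes no separate digest algorithm, hence the null.
  return nodeCrypto.sign(null, bytes, privateKey);
}

// --- Client side ---
// The public key ships with the client; the host list is the origin whitelist.
const PINNED_RELEASE_KEY = publicKey.export({ type: 'spki', format: 'pem' });
const INSTALL_WHITELIST = new Set(['ftp.mozilla.org']);

// Origin policy: accept whatever arrives under a whitelisted name. The client
// only knows the name it asked for, not who actually answered.
function trustedByOrigin(download) {
  return INSTALL_WHITELIST.has(download.requestedHost);
}

// Signature policy: accept only bytes that verify against the pinned key,
// wherever they came from. Missing or malformed signatures are rejected.
function trustedBySignature(download) {
  if (!Buffer.isBuffer(download.signature)) return false;
  try {
    return nodeCrypto.verify(
      null, download.bytes, PINNED_RELEASE_KEY, download.signature);
  } catch (err) {
    return false;
  }
}

// Constructed sample downloads covering the cases discussed in the thread.
function buildSampleDownloads() {
  const genuine = Buffer.from('constructed package bytes: genuine fix');
  const altered = Buffer.from('constructed package bytes: altered in transit');
  const signature = signPackage(genuine);
  return {
    // Genuine file from the whitelisted host.
    official: { requestedHost: 'ftp.mozilla.org', bytes: genuine, signature },
    // Same genuine file fetched from a non-whitelisted mirror.
    mirror: { requestedHost: 'mirror.example.net', bytes: genuine, signature },
    // Whitelisted name, but the answer came from elsewhere with other bytes.
    spoofed: { requestedHost: 'ftp.mozilla.org', bytes: altered, signature },
    // Whitelisted name, no signature supplied at all.
    unsigned: { requestedHost: 'ftp.mozilla.org', bytes: genuine, signature: null },
  };
}

// Runs both policies over every sample and returns the decisions.
function evaluatePolicies() {
  const decisions = {};
  for (const [name, download] of Object.entries(buildSampleDownloads())) {
    decisions[name] = {
      origin: trustedByOrigin(download),
      signature: trustedBySignature(download),
    };
  }
  return decisions;
}

console.log(evaluatePolicies());
```

The origin check accepts the altered package because the requested name matches, and rejects the genuine file from the mirror; the signature check does the opposite in both cases.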
I think it's great that we are actually getting bugs *found*, *reported*, and *fixed*. Can you just imagine how dangerously insecure life would be without this kind of performance? Sadly, if you haven't yet switched you don't have to.
This source code is subject to the U.S. Export Administration Regulations and other U.S. law, and may not be exported or re-exported to certain countries (currently Afghanistan (Taliban controlled areas), Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) or to persons or entities prohibited from receiving U.S. exports (including Denied Parties, entities on the Bureau of Export Administration Entity List, and Specially Designated Nationals).
How realistic is it to keep this code away from these countries, and, more important, how fair is it to do so? Could the mozilla 1.0 code be significant for the international security? Or is it just paranoid? Why is a web browser dangerous?
And, what about IE?
Actually, this isn't a bug - it's a feature. Storage of password information is done in an encrypted form by the browser - which prevents other programs from being able to pull that information out and use it to someone else's benefit. It is dangerous enough that you have the password for your bank saved on your computer; you want Firefox to make it easy to steal, too?
I was notified of this available update last night running Firefox under a limited user account in Windows XP. How does the update work without access to the actual Firefox directory? I didn't see anything about this in the web site which isn't surprising; it seems that most people are expected to run with an administrator account these days. I have to assume that the update is actually doing something, but I don't know how it does this without a system-wide change.
I'm running Firefox 0.9.1, yet when I Check For Updates it says no available updates could be found. Why is that?
Eh?
Will it hurt my already bad Karma to point out, firstly, it doesn't work, secondly, WinXP does all this automatically.
My home machine is a 400mhz pentium 2 with 128mb of memory, and Firefox runs wonderfully.
I've set several people up who are running machines even more ancient than that (oldest being a 200mhz with 32mb) and Firefox works great.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
Hmm... I guess FireFox isn't the bug-free non-Microsoft browser to have, now is it?
Time to find another one... they might have to release another patch someday y'know!
It looks like that standard disclaimer to make sure the Mozilla Foundation doesn't get sued by the government - I believe that IE also had the disclaimer (haven't checked in a while though). MoFo does have their servers in the States.
I assume a version without NSS (the HTTPS &c stuff) would be legal, and it's probably possible to obtain the code from intermediary countries anyway.
1. It can detect I need the update, but when I click next to download and install, it just sits there
2. I don't have the checkbox marked to look for Firefox updates, but it checked anyways.
Thanks! That was my problem anyway. There should have been some sort of notice that that was the problem :P
There is one thing above all else that interests me in a webpage -- ideas as expressed by words and images. The ideas are always more important to me than any web layout scheme such as CSS. It is much to Slashdot's credit that it uses good old HTML 3.x. I like reading text that is typeset in just one font, in black on a white background and at one readable and unvarying font-size, which is almost exactly what Slashdot gives. I don't like reading in the presence of distracting layouts chosen for me according to someone else's personal taste in CSS, or of distracting images that someone else has decided should appear during every mouse-over movement on buttons and dynamic menus.
The Rules of Writing for Web Authors and Designers:
Rule #1:
Rule #2:
Rule #3:
Scroogle
No, but short of painting it on the wall, also highly insecure, there is no way in hell I could remember all the passwords to all the places I might vicariously or otherwise go. Banking is just one instance. For instance, my ability to respond to your message is transparent, because mozilla remembered my login info for /. and silently logged me in as Almost-Retired.
To switch browsers now, would require I re-invent all of that for my daily tour of the net to see what's new. With all due respect for what may be an outstanding piece of code, if it cannot assume the duties, therefore making me re-invent the wheel to be able to function with it, then it's nothing but eye candy. I have updated mozilla probably 10 times without being forced to do all that to recover what I feel are very basic functions. Since firefox comes from the same people, I fail to see where the excuse is that mozilla can be upgraded without losing functions, but firefox cannot also make use of that same information when it imports the bookmarks etc from mozilla. It doesn't grok.
I'm also behind enough firewall devices and software that no one, in the 18 months since I last set that up, has managed to get past the second line of defense, portsentry doing its thing on the firewall. The last time I had my address scanned, the only response was from a closed identd port, and I found an option in the router to shut even that off. The disadvantage is that I cannot run a BitTorrent server, but that's relatively unimportant to me anyway. I can wait for the iso's to show up.
Cheers, Gene
I can access the georgia site above in about 700 milliseconds on a 768/128 dsl circuit. No ipv6 stuff has ever been installed or turned on in my path from this keyboard to the network. iptables on the firewall is still 1.2.6a because 1.2.7 requires a newer glibc than is on that now ancient rh7.3 box.
I repeat, clicking on the install now button generates absolutely no traffic at that instant on the router's or modem's LEDs. I do see some later (10 seconds or so) activity, probably from kmail as it runs 24/7 here too, but in many tries, a flash of data was never generated by clicking on the install now button.
Cheers, Gene
Why is Iraq still on that list despite being controlled by US forces, while non-Taliban Afghanistan (which I would consider to be in a fairly similar boat to Iraq) is not?
Guys,
the permissions on the bug fix are set wrong by the install program. If you have to install as root since your install is for many users somewhere under /usr you have to change the permission to make it work.
For example change
/[installdir]/defaults/pref set permission to 444 on bug259708.js
in
/[installdir]/components/ to 444 on nsHelperAppDlg.js
Meaning allow "group and others" to read the files, just for the cli challenged :-)
Hope this helps,
Ronald
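The permission check Ronald describes above, as an added shell example that is not part of the original comment or of the Firefox installer: it audits the two files the comment names under an install directory and, with `--fix`, sets them to 444. The function names and the `--fix` flag are made up for this example, and the relative paths are read from the comment.

```shell
#!/bin/sh
# Added example (not from the thread). Usage, after sourcing this file:
#   audit_patch_perms /path/to/firefox [--fix]
# Relative paths of the two patch files, as given in the comment above.
PATCH_FILES="defaults/pref/bug259708.js components/nsHelperAppDlg.js"

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if "others" have the read bit set on $1.
world_readable() {
    mode=$(file_mode "$1") || return 2
    others=${mode#"${mode%?}"}          # last octal digit = "others" bits
    [ $(( others & 4 )) -ne 0 ]
}

# Print one status line per file; the return code is the number of files
# that are missing or still unreadable by non-root users.
audit_patch_perms() {
    dir=$1; fix=${2:-}; bad=0
    for rel in $PATCH_FILES; do
        f="$dir/$rel"
        if [ ! -e "$f" ]; then
            echo "MISSING    $f"; bad=$((bad + 1)); continue
        fi
        if world_readable "$f"; then
            echo "OK         $f ($(file_mode "$f"))"
        elif [ "$fix" = "--fix" ]; then
            # 444 is the mode the comment recommends: read-only for everyone.
            chmod 444 "$f" && echo "FIXED      $f (now 444)"
        else
            echo "UNREADABLE $f ($(file_mode "$f"))"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run it without `--fix` first to see which files a root install left unreadable; the check looks at mode bits only, so it gives the same answer when run as root.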
it seems i'm the only one who has this problem... it is a permissions problem, i think. When i try to install, it does download the patch but then it says: "Firefox encountered a problem when upgrading your software"... and if I click "Details" it says: "data: Downloading fix: (Read Only)" So i've tried to upgrade calling firefox as root: #/firefox/firefox and then finally i've been able to upgrade firefox... BUT!!! Surprise! If I run firefox as root and look at Help->About Mozilla Firefox it correctly says the new version, but if I run firefox as a normal user it still shows the OLD version (1.0pr) and also still shows the advisory to download the patch! how can i solve this problem? anyone can suggest where to change permissions to firefox files? thank you in advance! I have Firefox 1.0PR installed on linux (mdk10) in the path: /firefox/
I just applied the fix using the same method that you did, and I had no problems. User accounts running it show that it's up to date.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
I was trying to get Firefox working in a chroot jail just this week. Unfortunately, it is tricky and there doesn't seem to be much support for it or info on the web.
I already run my Firefox as user 'anon' and it cannot access my personal files directly. More support for privilege separation would be nice.
Any tips?
Huh? To me it seems to say that most people are running more or less enhanced versions of Netscape 4.0.
This is bug 116443. http://bugzilla.mozilla.org/show_bug.cgi?id=116443
Well, you're not giving the whole list here, but even so, this says at least 8.94% of your users browse with Mozilla, and at least 13.83% of your users browse with Opera. That's fairly impressive.
By the way, user agents that have MSIE and Windows NT 5.1 without .NET are usually spoofs. .NET is installed by default in Windows XP. MSIE with "Win 9x" or "Windows XP" are always spoofs. I see this A LOT in my web logs.
This patch is in violation of the MPL. It has the MPL license removed from:
o zapps/downloads/content/nsHelperAppDlg.js
http://lxr.mozilla.org/seamonkey/source/toolkit/m
Which is in violation of clause 3.5
The Mozilla Foundation claims there's more than two million downloads of Firefox Preview Release. Will they count how many people download this fix or new PR (0.10.1)?
How many unpatched Firefox out there?
Why is a web browser dangerous?
Because it includes encryption software, and encryption is considered a potential weapon.
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
If she likes the big blue "e", then give it to her. Copy the icon to Firefox, and install IE Skin. I believe there's another XPI that will change the Windows titlebar string, so a casual user would be completely unaware that the browser isn't Explorer.
"The scary thing is, it's spread across not one but two desktops.. when my second display's nearly full I know I can't really put it off much longer"
That just means you need to buy a third screen!
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
And how many of those firefox hits are from when you test your own site?
There: Something at a specific location.
Their: Owned by someone.
Please make sure your English compiles.
I can't say about any users who had a problem updating... my copy of Firefox updated just fine and without issue.
IMHO, it's not about if a patch / update is needed... if that were the case, we'd all be running MS Windows 2.0, IE3, NetScape3, and Phoenix or the likes and no one would run Sendmail or Apache.
What it IS about is this: How soon is a patch available after a vulnerability is known? With Firefox that's a pretty short period of vulnerability.
~~Douglas
DouglasK Do Justly. Love Mercy. Walk humbly with your God.