Firefox 0.10.1 Released, Fixes Security Hole
_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."
But what exactly is the worry here? It deletes files in your download directory? Does that really matter? Could someone enlighten me on why it's worth the bother to uninstall and reinstall for this?
The Braying and Neighing of Barnyard Animals Follows.
after firebird, firefox, firefox 1.0 and now firefox 0.10 ??
So after doing the update through the advanced options should my browser report 0.10.1 under help about? Because I still have 1.0PR
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
I'm just curious if anybody knows how long this patch took to be released. That is, what was the turnaround time from the discovery of the bug to the release of this patch? In the past it has been as fast as a few hours. The longest I think was only a day or two.
"Firefox was not able to find any available updates" - this on a vanilla install of the 1.0 PR.
What type of sites is it you operate? Here are some logs from a 100% non-technology related site which still shows Internet Explorer as by far the most-used browser.
Note that the Opera browser shown in Rank 3 should not be taken as accurate as this merely runs a "ticker" on auto-refresh setting every 10 minutes.
# Hits User Agent
1 31005 15.75% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2 20925 10.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
3 11074 5.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.50
4 10596 5.38% Opera/7.50 (Windows NT 5.0; U) [en]
5 9893 5.03% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko
6 8281 4.21% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
7 7856 3.99% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProd
8 6113 3.11% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
9 5286 2.69% Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
10 4868 2.47% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
11 4795 2.44% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko
12 2915 1.48% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) Opera 7.50
13 2885 1.47% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko
14 2783 1.41% Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
15 2645 1.34% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54
Backup not found: (A)bort (R)etry (P)anic
Last night I noticed a nifty pulsing red bubble in the upper right-hand corner of my Firefox toolbar. Clicking it revealed a message from the software-updater stating that an urgent fix was available. I clicked allow install, and it was done in ten seconds. Very nice that the browser alerted me to a fix and patched itself in no time at all.
I haven't done (ms-)windows since the beginning of time and since he doesn't know *anything* about computers it was hard trying to figure out what might've been the problem, but it sounded like the typical standard unprotected ms-windows setup that was probably also loaded with spam and ad-ware, bogging down even his simple efforts at browsing the web.
Knowing that quite a few people here have experience with cleaning up the standard MS-install mess, I would like to ask what needs to be done to plug the major holes and deficiencies in a new MS setup?
Firefox is an obvious rescue tool to replace MSIE so are there any issues when installing it or does it automatically and painlessly migrate all necessary MSIE data?
And what about utilities to remove the spyware his machine may already be infested with? Any suggestions?
I'm hoping to be able to burn all these goodies on a CD to give him so I also wonder whether they're easy enough to operate by a total non-techie?
Since his "computing needs" appear to be very simple I'm also giving him a Linux liveCD (perhaps Ubuntu-based Gnoppix would be a good starter with its simplified GUI and it also comes with Firefox) to try out and play with but before completing his conversion I'd need to evaluate how well e.g. OpenOffice.org fulfills his needs at this point.
Should invading one's peaceful neighbours be opposed, or rewarded with trade deals?
I'm curious. Do most of the security holes we hear about with Firefox/Mozilla affect all platforms or mostly Windows?
I don't believe it was that message. This appeared as a bar at the top which stated (loosely) that it prevented the website from running... something or other. I don't have it inform me in any way when it blocks a popup. Anyway it had an options button which had a list of trusted sites. update.mozilla.org was already on the list, however the link originated from www.mozilla.org so it wasn't picked up. I would say they should add that site to the list.
I'm running Firefox on Linux and I had the previous release candidate installed. The update facility failed with a meaningless error, and corrupted my current install.
So I downloaded and installed the new version, which overwrote my old version including my plugins directory, and on startup, failed with an obscure error until I deleted my user profile.
I'm a card carrying Firefox freak, but really, this was not smooth...
It would be a useful addition to add an FF Profile Manager that included FF Update and Extension Install/Update permissions for multi-user workstations. I looked through MozillaZine, but didn't find much. I can prohibit other users from updating FF and installing/updating extensions using NTFS permissions, User group settings and GP settings, but it would be handy to have it included in a FF Profile Manager.
It's not that simple. To fully support CSS, for example, Gecko (the page rendering engine that's used by Mozilla, Firefox, and Thunderbird) has to be able to change the way buttons and other elements are drawn. And it has to be able to control z-ordering, i.e. it has to be in control of what happens when you draw two buttons on top of each other. The same goes for things like charset support, printing, accessibility, etc.
To provide full support for the W3C standards, you need widgets that provide very specific capabilities. Toolkits like wxWidgets have the opposite goal: they work by hiding specifics from the application programmer. There is a fundamental mismatch between the two.
If you want to fully support all the standards that make up the web across different operating systems, you end up with something like Firefox. It's not primarily some geek pride thing (although that always plays a role); it is primarily a consequence of the complexity and scope of the standards involved.
Bit OT but...
I was just over at a friend's place and made the pitch for FF... The response I got? "But I LIKE Internet Explorer". Tough pitch. She liked clicking on the blue "e" to surf the web instead of that strange FF logo.
I've switched a tonne of people already though. Many more converts on the way. The campaign for FF is on!
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
I went to Tools/Options/Advanced/Software Update and clicked "Check Now". It confirmed that there was a critical update available, which I let it install immediately. Firefox hung while downloading the update (1.0PR, Windows XP).
I had to terminate Firefox without completing the update, which seemed dangerous, but there was no alternative. When I restarted it, I discovered that I had previously blocked software installs in Tools/Options/Web Features, which might have caused the automatic upgrade to hang. (Of course there should have been a message instead of hanging.) So I checked Allow Web sites to install software. (My "allowed sites" list displayed as empty, incidentally. Is that correct?)
Then I downloaded the update manually (file 259708.xpi) to my hard drive and installed it by opening that file in Firefox. The update installed successfully (no message though). I verified this by checking the install.log in the firefox directory.
Now Firefox should have been at version 0.10.1, but Help/About showed 0.10.0 until I closed Firefox and reopened it. This is surely a bug, and it might allow a user to install the same update twice. Under some imaginable circumstances, that might trash the installation.
This source code is subject to the U.S. Export Administration Regulations and other U.S. law, and may not be exported or re-exported to certain countries (currently Afghanistan (Taliban controlled areas), Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) or to persons or entities prohibited from receiving U.S. exports (including Denied Parties, entities on the Bureau of Export Administration Entity List, and Specially Designated Nationals).
How realistic is it to keep this code away from these countries, and, more important, how fair is it to do so? Could the mozilla 1.0 code be significant for international security? Or is it just paranoid? Why is a web browser dangerous?
And, what about IE?
The Mozilla Foundation has a history of sweeping bugs under the rug and underrating the severity of problems (this has happened twice within the last few months). And, apparently, they decided to cherry pick their 'independent security monitoring organization' to make themselves look good, as they've had more than 13 security 'advisories' this year alone.
SecurityFocus has about 25 on record for the year. 9 were reported within the last month. And the trend is increasing significantly, not slowing down.
Hmm... I guess FireFox isn't the bug-free non-Microsoft browser to have, now is it?
Time to find another one... they might have to release another patch someday y'know!
It looks like that standard disclaimer to make sure the Mozilla Foundation doesn't get sued by the government - I believe that IE also had the disclaimer (haven't checked in a while though). MoFo does have their servers in the States.
I assume a version without NSS (the HTTPS &c stuff) would be legal, and it's probably possible to obtain the code from intermediary countries anyway.
1. It can detect I need the update, but when I click next to download and install, it just sits there.
2. I don't have the checkbox marked to look for Firefox updates, but it checked anyways.
It seems I'm the only one who has this problem... It is a permissions problem, I think. When I try to install, it does download the patch but then it says: "Firefox encountered a problem when upgrading your software"... and if I click "Details" it says: "data: Downloading fix: (Read Only)" So I've tried to upgrade calling firefox as root: #/firefox/firefox and then finally I've been able to upgrade firefox... BUT!!! Surprise! If I run firefox as root and look at Help->About Mozilla Firefox it correctly says the new version, but if I run firefox as a normal user it still shows the OLD version (1.0pr) and also still shows the advisory to download the patch! How can I solve this problem? Can anyone suggest where to change permissions to firefox files? Thank you in advance! I have Firefox 1.0PR installed on linux (mdk10) in the path: /firefox/