Firefox 0.10.1 Released, Fixes Security Hole

← Back to Stories (view on slashdot.org)

Firefox 0.10.1 Released, Fixes Security Hole

Posted by CowboyNeal on Saturday October 2, 2004 @01:41AM from the hole-in-the-dam dept.

_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."

7 of 441 comments (clear)

Min score:

Reason:

Sort:

This may sound stupid... by -kertrats- · 2004-10-02 01:43 · Score: 5, Interesting

But what exactly is the worry here? It deletes files in your download directory? Does that really matter? Could someone enlighten me on why its worth the bother to uninstall and reinstall for this?

--
The Braying and Neighing of Barnyard Animals Follows.
When... by Moby+Cock · 2004-10-02 01:48 · Score: 5, Interesting

I'm just curious if anybody knows how long this patch took to be released. That is, what was the turnaround time from the discovery of the bug to the release of this patch? In the past it has been a fast as a few hours. The longest I think was only a day or too.
No go by Anonymous Coward · 2004-10-02 01:51 · Score: 3, Interesting

"Firefox was not able to find any available updates" - this on a vanilla install of the 1.0 PR.
Re:it's nice to see ms finally losing the browserw by timmyf2371 · 2004-10-02 02:00 · Score: 4, Interesting

What type of sites is it you operate? Here are some logs from a 100% non-technology related site which still shows Internet Explorer as by far the most-used browser.

Note that the Opera browser shown in Rank 3 should not be taken as accurate as this merely runs a "ticker" on auto-refresh setting every 10 minutes.

# Hits User Agent
1 31005 15.75% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2 20925 10.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1
3 11074 5.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.50
4 10596 5.38% Opera/7.50 (Windows NT 5.0; U) [en]
5 9893 5.03% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko
6 8281 4.21% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
7 7856 3.99% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProd
8 6113 3.11% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
9 5286 2.69% Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
10 4868 2.47% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
11 4795 2.44% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko
12 2915 1.48% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) Opera 7.50
13 2885 1.47% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko
14 2783 1.41% Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
15 2645 1.34% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54

--

Backup not found: (A)bort (R)etry (P)anic
Upgrade was even easier then described... by kikensei · 2004-10-02 02:07 · Score: 3, Interesting

Last night I noticed a nifty pulsing red bubble in the upper right-hand corner of my Firefox toolbar. Clicking it revealed a message from the software-updater stating that an urgent fix was availeble. I clicked allow install, and it was done in ten seconds. Very nice that the browser alerted me to a fix and patched itself in no time at all.
Re:done already! by Epistax · 2004-10-02 02:24 · Score: 3, Interesting

I don't believe it was that message. This appeared as a bar at the top which stated (loosely) that it prevented the website from running... something or other. I don't have it inform me in any way when it blocks a popup. Anyway it had an options button which had a list of trusted sites. update.mozilla .org was already on the list, however the link originated from www.mozilla .org so it wasn't picked up. I would say they should add that site to the list.
Re:Automatic stuff == bad security by groomed · 2004-10-02 03:18 · Score: 4, Interesting

It's not that simple. To fully support CSS, for example, Gecko (the page rendering engine that's used by Mozilla, Firefox, and Thunderbird) has to be able to change the way buttons and other elements are drawn. And it has to be able to control z-ordering, i.e. it has to be in control of what happens when you draw two buttons on top of eachother. The same goes for things like charset support, printing, accessibility, etc.

To provide full support for the W3C standards, you need widgets that provide very specific capabilities. Toolkits like wxWidgets have the opposite goal: they work by hiding specifics from the application programmer. There is a fundamental mismatch between the two.

If you want to fully support all the standards that make up the web across different operating systems, you end up with something like Firefox. It's not primarily some geek pride thing (although that always plays a role); it is primarily a consequence of the complexity and scope of the standards involved.