Firefox Updated to 1.0.4

Exstatica writes "Firefox has been updated to 1.0.4 and they have fixed a few critical security holes, all javascript vulnerabilities. The Mozilla Foundation announced these vulnerabilities May 7th. 'There are currently no known active exploits of these vulnerabilities although a proof of concept has been reported." You don't have to upgrade, but it's recommended.'" We've reported on these vulnerabilities previously.

Update process...

[sznupi]

yes, I know the arguments behind it...but it would be relly nice if update didn't involve simply downloading installer (on mine 128kbps it's so so...and on slower?)

Re:Update process...

[iamjoltman]

I believe that a patch update system will be implemented starting with Firefox 1.1

Re:Update process...

[cyways]

How about just including an Update entry somewhere in the menus? As far as I can tell, there's no menu item or icon that automatically takes you to an update site or checks to see if an update is available. My 1.0.3 version running on Windows didn't display the update icon this morning, so I eventually clicked on the circle icon to go to the Firefox home page. Guess what? No mention of an update there, or any link to the downloads page either.

Re:Update process...

[88NoSoup4U88]

So can you tell me what the argument(s) behind it are ?

I find it very strange that the people I have converted (mostly not too tech-savvy) to using Firefox, still have to make re-installs themselves.

Re:Update process...

[barryman_5000]

Reading some of the blogs on planet.mozilla.org states just that. Lots of tiny nifty features are supposedly going to be making it into 1.1 (the back/forward cache should make my 1 sec wait non-existent now!).

Quick and serious on security

[xiando]

These issues were announced on Monday, and now a security release is available. This shows how professional the Mozilla Foundation has become and how serious they take security issues. Good work! Security problems will inevitably appear from time to time in all kinds of software, how these issues are handled is to me just as important as the software itself. Good job!

Re:Quick and serious on security

[portwojc]

Yes excellent work.

Hopefully the mainstream news sources I saw will report this just as they reported the problem. I'm not holding my breath though.

Re:Quick and serious on security

[Hungry+Student]

I would've shared your cynicism had I not just logged onto the BBC news website and seen their Latest News ticker show the words "The makers of Firefox say the two flaws in the open source browser have been fixed.", linking to this story of theirs, posted at 17:01BST, 16:01GMT.

A good, accurate followup to their original "Critical flaws found in Firefox" story

Already upgraded

[Walkiry]

Posting from 1.0.4 right now. Funny thing, after I upgraded and restarted the browser, I still had the "updates available" little red arrow on the top right corner of the browser. After checking for upgrades (and finding none), it's disappeared. Bug? Leftover registry entry or config file from 1.0.3?

Re:Already upgraded

[kbrosnan]

There is a flag variable in about:config 'app.update.updatesAvailable' that gets set to true. The notification would have gone away on its own in about a day when Firefox checked for updates.

Dude at work

[PlancksCnst]

This guy at work noticed I was using firefox (he's an IE user), and said, slyly, "You know, there's a couple of really bad security holes." Good think FF fixes their holes faster than MS.

Re:Dude at work

[OwlWhacker]

This guy at work noticed I was using firefox (he's an IE user), and said, slyly, "You know, there's a couple of really bad security holes."

That's like somebody seeing you kissing and saying "You can get diseases from that", yet they themselves are in a sexual relationship with somebody who is highly promiscuous with junkies.

Vulnerabilities everywhere.

[CABAN]

Next time I try to help a friend out I'm not suggesting firefox. I'm suggesting Netscape! Wwwait.

hmmm...

[prophetmike]

Firefox 1.0.4 was posted sometime between 11 and 11:30PM last night EST. I got it about 11:40 :D (Yes, geek alert) That aside, with all of these newfound vulnerabilities popping up so often, could Firefox become (later down the line) the new Internet Explorer? May seem highly unlikely now.. but as the New York Lottery says... "Hey, you never know."

Mozilla Suite updated as well

[iamjoltman]

It should be noted that the Mozilla Suite has also relased an update, 1.7.8.

Re:Mozilla Suite updated as well

[chrae]

It seems that the Mozilla Suite has lost a lot of it's sex appeal. Firefox gets all the attention and Mozilla is the fat friend you gotta be nice to.

Re:Mozilla Suite updated as well

[mat+catastrophe]

But, you know, the fat friend will still love you after the sexy one leaves you for another.

Mirrors

[bunburyist]

Mozilla.org will probably get hammered!! Here's a google cache of the Firefox Mirror List

And while you're at it don't forget those extensions:

FoxyTunes: http:www.iosart.com/foxytunes/firefox/

AdBlock: http://adblock.mozdev.org/

Or you can just go get more at: update.mozilla.org

Happy Browsing!

Impressive

[PenguinBoyDave]

While I don't care for the update process, I am exceedingly impressed that Mozilla makes fixes so quickly, and doesn't try to hide them (like another browser company has done in the past). Professionalism...very nice to see this from Mozilla. Kudos!

Re:Many Eyes ?

[ssj_195]

They do, to an extent (but this does not magically prevent a product from *being released* without bugs), and yes it does, just like all software. It's worth noting that most (all?) of these bugs have been found precisely by these eyes that are looking over the code.

Oh, and hats off to the Firefox devs for the scorching turnover on this flaw. When Firefox 1.1 comes out (with its more diff-style updated) the process will be even more streamlined and painless.

Good, but I wish there was remote updating

As a system admin for our company, every new Firefox release means that I will have to go around to 150 workstations and manually reinstall the browser again to keep it up to date. I wish there was some sort of way to remotely update the browser on all machines or a way to patch vulnerabilities without a full reinstall.

Re:Good, but I wish there was remote updating

[LnxAddct]

As a system admin for your company, you should use a msi package, but if for some reason you can't, firefox's installer can be fully scripted by simply passing it some args and turning on the quiet switch(or invisible or something switch, you'll have to look it up).
Regards,
Steve

Re:Language Not Available!!

[un1xl0ser]

Why don't you upgrade your language from British English to American English?

That would solve both problems.

Middle click new tab on Mac

[Feng]

Does middle clicking on a link open a new tab for OS X yet? The last I heard you had to patch FF to enable this feature. Middle clicking works fine on Safari, it's one feature I really miss when using FF on OS X.

Re:Middle click new tab on Mac

[DrWhizBang]

Aren't all clicks with a Mac middle-clicks?

Re:Middle click new tab on Mac

[kbrosnan]

Middle click won't ever work on a 1.0.x release. You will need to wait until the 1.1 release. It was fix on the trunk by bug 151249.

bugzilla.mozilla.org/show_bug.cgi?id=151249

Amazingly fast response

[jbarr]

My wife pointed out an article on Google News (that I had already seen earlier) showing that Firefox had some security vulnerabilities. She winced because I had just converter her to Firefox. I told her not to worry. I said, "Mark my words, there will be a security fix within a week." Well, today the fix was released and she was impressed. Not only has the Firefox development team improved the product, but they have made my wife happy! Life is good!

It's in the details

You can check for updates from Tools>Options>Advanced>Software Updates. If you use some themes, e.g. Littlefox, there is a button next to the Firefox home page 'circle' that you can click to check for updates.

As for your observation regarding the red flag, I believe The Mozilla Foundation had disabled that feature on the website because of one of the critical flaws now fixed.

-clueless

(I need to create a login here, or did I do it previously?)

Re:It's in the details

[Dasch]

I don't care how much stuff it's downloading and executing

Then why aren't you using IE? ;)

Re:One of the reasons i use Firefox.

[3terrabyte]

True. True.
I switched to Firefox because I was sick of using IE. Ever since I've switched, AdAware has found ZERO spyware/malware incidents!

To IE's meager defense, I'm sure there might have been a setting somewhere that might have tightened up the holes, but switching to Firefox has been easier. Plus, I'm addicted to the tabbed browing.

Bleeding edge

[imipak]

Although I've been an enthusiastic mozilla/firefox user & supporter since the late 90s (yes I was browsing with a 'naked' gecko control, HA! :P) I was surprised to find I'd lost track of development to the extent that I didn't realise the trunk builds have a much more up-to-date gecko engine. The gecko in the 1.0.x series (inc. 1.0.4) are a year old! Those users who prefer livin' on the edge might prefer to get a faster, smaller, much less memory-leaky build from: ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nigh tly/latest-trunk/

In related news...

[amichalo]

...FireFox downloads double to 100 Million!

Re:Locales

[InsideTheAsylum]

You know, you don't have to wait for Firefoux to come out, you can just use the regular old Firefox..

Yes, but ...

[thinkfat]

... as soon as the first proof of concept evolves into a worm, they will experience what it means to be deployed on millions of internet-connected pc's of clueless users.

Rule #1: doesn't matter how fast you output a security update, if it's not being installed.

Unfortunately it's not enough for an update to _exist_.

Re:Yes, but ...

[jbarr]

And therin lies the double-edged sword. Just about everyone on /. complains about Microsoft's auto-update feature saying that it's intrusive, and they don't want some company to have control of what is installed on their PC's. Yet, in order to ensure security, an auto-update feature really becomes necessary. Of course, Microsoft and the Mozilla Foundation as companies are viewed with very different levels of "trusts." Unfortunatly, not everyone will be satisfied.

Personally, instead of displaying the tiny unobtrusive update indicator as it currently does, I would love see Firefox do something like change the window color to red and display a system message dialog stating the problem with a link to the update. Maybe a good compromise?

Re:Yes, but ...

[srleffler]

Unfortunately, many users didn't go find Firefox once. They had someone more technically oriented install it for them.

The fact that Firefox security updates don't automatically install unless you notice and click on that red arrow in the upper right corner pretty much guarantees that a large fraction of copies will remain unpatched. When I've visited people for whom I installed Firefox 1.0 when it came out, I've noticed that none of them have noticed the red update icon or updated Firefox on their own.

If users have to go and get updates, many machines will remain vulnerable to security holes.

Re:Yes, but ...

[Ogive17]

I downloaded firefox as soon as it was "officially" released.

Now I consider my knowledge of computers and software as advanced, but I'm definately not an expert. I found the interface to be less friendly than IE and trying to change options was a chore. Also, until 3 days ago, I didn't know how to automatically update Firefox until I saw someone mention clicking the red arrow on the top right portion of the window. Now, I had gone to mozilla.org and downloaded the latest versions on my own, but this was a hassle. And if "I" didn't know about the auto-update, my grandmother, parents, sister, brother, and a few friends I've turned to Firefox are not going to know either.

Sometimes reading through /. posts, I am reminded of bleeding heart liberals or bible thumping conservatives with how people treat OSS to M$. People are annoyingly blinded by their dis-like for the other side that they cannot see the whole picture. Sure Firefox is great, but it's not perfect and IE still has some advantages.

Firefox speed.....

[SammysIsland]

Back in the day when I first downloaded FireFox, one of my favorite parts of using it was how fast it would load up the first window when opened. It was almost instantaneous.

The more I use it, the longer this actions takes. It doesn't matter if I clear cache and cookies, un-install plugins, or just plain uninstall and reinstall the browser.

Is it simply the newer versions that cause it to load so slowly? My roommate has the same problem. Is anyone else experiencing this and is there an answer?

Responses greatly appreciated. Thanks.

Re:c'mon! Let's break some FF extensions!

[LnxAddct]

about:config
extensions.disabledObsolete = false
Regards,
Steve

news?

[Errtu76]

Disclaimer: I like firefox. I use firefox.

Why is this news? Does this mean that every time firefox decides to update, it should be front page news? Can't you (slashdot) create a seperate field where the latest versions of popular products are announced? Like:

product | version | last update
firefox | 1.0.4 | today

Re:news?

[globalar]

Most of the time, Firefox updates are not very important. However, the exploits which 1.04 fix were highly publicized.

I saw many IT magazines, mostly targeted at management, with significant space (even a few covers) devoted to the exploit. It is an example of the Firefox (and Mozilla) team's committment that a patch came out so quickly. This is very important, as it shows open source products can compete in the very tough browser market.

The progress of Firefox is now being watched by many - opponents and supporters alike. Firfox is under the spotlight and responding the serious issues - especially security, which has plagued IE - is crucial for the browser's future success. This is more about PR and brand recognition than security.

Re:IE still #1 a-ok

[Ath]

All this "IE is the Sux04rz" talk makes it very apparent that the people getting infected either have no clue about how to configure a secure computer, or have no scruples on what they click "OK" to.

Boy, I cannot agree with you more. If you have half a clue, then IE is easy to make secure. I just went into Tools - Internet Options and set the Security policy to Restricted Sites, turned on popup blocking (after I obviously installed SP2), set my Privacy level to High (because everyone except an idiot knows this is how to disable Cookies), and then installed all the hot fixes from MS. If you are too lazy to maintain your software properly then you shouldn't even have a computer. Just get a Mac or something.

It's like all those people who complain about safety problems in cars. My Pinto is safer than almost every car out there. All that with almost zero risk of theft. I strapped some padding onto the rear bumper and put some steel reinforcement plating around the gas tank. There is almost no risk to myself or my passengers of a ruptured fuel tank, all because I took the time to fix an inherent problem in the design of the ... wait .... err ... I gotta go.

Re:IE still #1 a-ok

[WARM3CH]

Well, generally I agree with you. However, when it comes to correctly rendering UTF-8 pages, specially with Arabic characters, firefox has some very well known bugs that have not been fixed now for ages. The most annyoing one is a bug in rendering arabic decimal number: It shows all numbers like 1.4 as 4.1! Of course, IE renders such pages perfectly.

Re:IE still #1 a-ok

[EggyToast]

Imagine a company making a CD-Burning program that spit out a coaster 50% of the time and garbled data, resulting in 20% corrupt files of the "good" 50% discs.

Of course, there were settings you could change that would fix that. They were in Advanced>Settings>Options>Burning>Defaults>Input. You just had to uncheck "Always burn with error correction (may cause some discs to burn slower)" which simply fixed the garbled data, and "Always burn with high-precision laser" (so you don't get coasters). Checking those 2 boxes results in the application working perfectly every time.

Would anyone use that? No! People would laugh it off and comment on just how stupid it is. Why IE gets a free pass for almost the same transgressions is beyond me. Oh, wait, no it isn't -- it's because people started using it years ago and are afraid of changing to something better because it's "different." "I've already got those boxes checked."

Doing the .exe shuffle

[carambola5]

I can't run the executable "firefox.exe" at work because it "has been disabled by the administrator." Solution? Rename to firefox2.exe.

The only pain comes when firefox is updated... it leaves the firefox2.exe executable from the previous installation, and adds the new firefox.exe to the install folder. It then becomes a dumb little task to update all the icons and shortcuts scattered about my system.

Wish there was some way to specify, during install, the resulting executable name. Of course, I have to be one of the maybe twenty people in the world who needs this, so maybe it's not worth the miniscule bloat.

Additionally interresting informations

[masklinn]

It should be noted that 1.0.4 also features a JS bugfix which hastes said JS execution by around 20%.

May sound like it suck... if you don't know that the whole XUL thing (basically everything in firefox but the Gecko engine itself: interface, extensions, userscripts, ...) is pure Javascript.