Patch & Workaround for Firefox Flaw Available
mcc writes "Yesterday Slashdot reported on a Firefox vulnerability which could allow remote code execution. Today Firefox has a patch and a configuration workaround, both of which immunize against the bug. If you are using Firefox you should immediately go to the URL 'about:config', type 'network.enableIDN' into the box, and verify that 'network.enableIDN' is set to 'false'." Update: 09/10 18:59 GMT by Z : Removed wayward colon.
Done. Workaround complete.
Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
Seems the default is "True." Am I supposed to do something after verifying the setting?
wtf is IDN?
I wouldn't be implying laziness on the part of developers until a couple days have passed after the bug report.
With two significant security flaws discovered so far in Firefox (and many in IE) what should a high-security company do for a secure web browser?
Firefox is totally secure, just like Linux is. Only MSFT is not secure, don't you read this website???
Fine. Now here's the confirmation of Mozilla's fast response again. Do we need more, more and more fast bugfixes to stop trolling around?
From what I read in yesterday's article it was more than a little serious. Going from broken to patched in a day is a damn good turnaround. Or it could just be, you know, breathlessly delivered news. This is possible. :) Either way, thank you Firefox team. The local high school is going to be transitioning over to Firefox within a few weeks, to coincide with moving in to a newly built school. I can't say I'm not more surprised about Firefox than the new school.
TLoM: Nerds + DDR + Rednecks for the win!
Am I imagining it, or is this the second time a bug has been found in IDN?
How do we know that URL doesn't trigger the bug? Appropriately enough, my /. confirmation image word is "beguile"!
What is IDN and what about it causes vulnerability?
Since when has this country used intellectual elite as a pejorative term?
here ;)
You can't handle the truth.
We actually had the patch and workaround up yesterday.
It's unfortunate that the bug reporter gave us so little time to respond to the issue before going public. He filed the confidential security bug on the afternoon of the 6th, and then went highly public (to c|net) in less than 72 hours.
As anyone can see now that the bug is no longer confidential, we were hard at work diagnosing the problem when he went public. Not only that, but the public release he made was based on our developer's analysis of the problem, not his -- which happened to be wrong.
This workaround that we posted (on the same day as the problem was made public) is only temporary and causes some of our users a loss of functionality (IDN). We will be issuing a full browser update for our stable Firefox 1.0.x and Mozilla 1.7.x releases which contains the real fix (also available as a patch to both 1.0.6 and 1.5 Beta yesterday) that avoids the security issue without disabling IDN.
Expect that new release shortly.
- A
I seem to recall having to do this before -- anyone else?
Going to about:config: does nothing in Firefox (at least version 1.0.4); use about:config instead.
"You mortals are so obtuse." -Q
I'm amazed at how surprised some people are at the fact that Firefox has a serious exploit. They think, "oh well, it's an alternative to Microsoft, it's therefore immune to everything!". Then something bad happens and these same people act like they no longer have anywhere to turn to. They act like their faith was completely misguided and now they have no one to put said faith into.
The same thing applies to other people as well, as we saw in a previous Slashdot article about Macs. While not impossible, it's extremely difficult to make software that is in a constant state of development completely exploit-proof. Firefox is ultimately a better browser than IE for numerous reasons, but it is not 100% perfect, nor is OS X, nor is Linux or FreeBSD or Windows, or anything else on this planet, and it's silly to expect otherwise.
Nature doesn't operate on 100% uptime, only 99.9%.
I'm god, but it's a bit of a drag really...
But they don't design securely at all, and they certainly don't test securely.
You were probably deleted from the blog for FUD statements like that. I don't believe in censoring myself, but you're asking really idiotic questions and forming opinions while lacking the knowledge to be making them to begin with.
A very simple question in Ask Asa #17: Basically, who was responsible for the testing/QA failure that led to a security regression in Firefox 1.0.4?
I think your first problem is the way you ask questions. Your question is apparently an attempt to start a blame game. Also, I can tell you who is responsible for testing and QA failures: you are. Yep, you apparently missed that Mozilla puts out betas with the intent that people test and find the bugs. Did you not notice that it's an open source project? Because it's open source there is no "team" of testers working round the clock to find problems. Oddly, Microsoft, which has these types of teams, never seems to find the large number of security holes in IE. Mozilla's strategy, with its far fewer security vulnerabilities, may be proving that it's a better testing/QA model for security. Only time will tell, I guess. So far I think Mozilla is easily winning in this game.
Asa isn't the funloving guy his blog projects, he can be a complete idiot too. Spread the word.
I have better things to do than spread FUD. I will instead spread copies of Firefox on people's computers with the knowledge that it's still more stable and secure than IE. This seems to be more constructive than blasting people as "idiots" because I have some personal problem with them.
It's quite similar to registering a domain name with typos and still hoping that people enter their login data, but it's MUCH harder to realize that this is going on when you can't tell by just reading the domain name with your eyes, no matter how closely you look at the letters.
"Unpatched" means there is not a patch available to fix the vulnerability. Yesterday it was unpatched.
Since when does "unpatched" mean lazy?
Bogtha Bogtha Bogtha
Deja vu anyone? I've always thought that this "bug" and its corresponding "patch" has been out for a while... I know for sure that when I heard about this a while ago, I disabled IDN...
Debugging? Klingons do not debug. Bugs are good for building character in the user.
While I always type in potentially system modifying commands into my computer based on what a news site tells me to type, this time I'll give it a day or so in order to let the tech guinea pigs report back just what the changes have done for them.
If the Sulfnbk.exe "virus" taught me anything [and I didn't since I had that hoax figured out when I saw it], it's don't assume someone's helping your computer if you don't know them from a hole in the ground, and you never asked for their help.
Saskboy's blog is good. 9 out of 10 dentists agree.
Release Date: September 8, 2005
Date Reported: September 4, 2005
Vendor Status: Mozilla was notified, and I'm guessing they are working on a patch. Who knows, though?
Is this the one that was reported by a "security professional" on September 4, 2005 and released on September 8, 2005? Boy, that would give Mozilla a whole four (4) days to fix the bug!
We are doomed to be re-exploited.
I turned off IDN the last round of IDN exploits and left it off.
You will be baked, and there will be cake.
How hard is it to change the default IDN toggle to false, from true?
I don't know, try changing the company to Microsoft and see.
*Imagines millions of barking zealot nerds screaming 'Omg M$ is teh lazy!!111'*
I believe this is the second problem to arise from the support for IDN. I checked my setting, and I already had it disabled from the last one (where you could essentially spoof a domain name by using Unicode characters that look exactly the same as ASCII characters, but are in fact different).
Someone give me one good reason why I should EVER enable IDN?
Ironically, the word ironically is often used incorrectly.
1. It says: "You should only install software from sources that you trust"
2. It comes from ftp.mozilla.org
3. But the patch is "unsigned".
Would a signature elevate the level of trust, or are we talking about some other type of signature here?
So, disabling the feature that is buggy is now called a patch?
Sad to see how low Firefox has fallen since it is widely used by AOLers and Windows-lusers.
You were probably deleted from the blog for FUD statements like that.
It's not FUD if it's true. Remember that XUL spoofing vulnerability that was marked non-public in Bugzilla so it could linger for over two years without being fixed?
Mozilla and Firefox are pretty bad when it comes to security. Not as bad as Internet Explorer but still pretty damn bad. It's a process problem more than anything else, and the OP's questions are certainly in need of answering.
Also, I can tell you who is responsible for testing and QA failures: you are.
That attitude is reminiscent of the infamous Bill Gates interview where he said that bugs were the end users' fault.
Mozilla's strategy, with its far fewer security vulnerabilities
Since the release of Firefox 1.0, I believe there have been about the same number of vulnerabilities found in both browsers. Sure, that's pretty bad considering Internet Explorer is supposed to be a mature application that stopped development four years ago, but don't try and pretend there are "far fewer security vulnerabilities". It's not true.
I have better things to do than spread FUD.
No, you spend your time being a fanboy instead. That's just as bad; the bias is merely in the opposite direction.
News: discovered vulnerability. Mozilla: patch next day after article. Microsoft: patch next Black Tuesday. The only reason you see patches before announcements with Microsoft is because the security groups don't want to deal with the litigation hell Microsoft might try to inflict on them. Mozilla, on the other hand, doesn't have that advantage with all groups. So please keep your stupid comments to yourself.
[!] No, I can't see my comments. They are not worthy of +3 moderation.
Removed wayward colon.
Ewwwwwww.
Slashdot - where whining about luck is the new way to make the world you want.
This Ferris guy seems to have it in for Firefox. He gave them only 48 hours notice before publishing the exploit to the buffer overrun. However, he also discovered some exploits in IE (http://news.com.com/Microsoft+investigates+another+IE+flaw+report/2100-1002_3-5844431.html?tag=nl); however, in this case no exploit details were given at all.
Not really a patch, is it? Turning something off? That sounds like Microsoft saying to turn off ActiveX controls, until a real patch can be made...
When Firefox releases a real "patch" that lets you use the "True" setting, and it works correctly, then it's "patched". Right now it's just "Band-Aided".
Yuma, AZ...You will never find a more wretched hive of scum and villainy. We must be cautious.
How about we just kill off IDN entirely instead?
Finally! A year of moderation! Ready for 2019?
Most people using the browser have no use for those URLs. Being vulnerable to an exploit twice due to a feature most people don't need is positively Microsoft-ish.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
SIGFEH
"Unpatched" a month or 2 after the developers were notified of the issue could be lazy... could. It could also be that hard to fix, but most buffer overruns aren't going to be that hard to find and fix once you know they exist.
"Unpatched" 4 days after notification isn't lazy at all. I think that was the point.
You know, why don't they fix it with the "check for updates" thing?
For all of you dinosaurs who, like me, still use and prefer the Mozilla Suite, this applies to us also. And for all of you lazy Slashdot readers who, like me, hate to track down a link in another comment, here's that link:
What Firefox and Mozilla users should know about the IDN buffer overflow security issue
Move on. There's nothing to see here.
It's not fixed, they're just disabling that part of the browser. What they're doing is like saying that there's a vulnerability in the way Windows shares files, so the patch is to stop sharing files.
Here is a list of every currently exploitable problem in Microsoft products that a SINGLE company has found.
http://www.eeye.com/html/research/upcoming/index.html
They have currently been waiting 165 days for a patch for remote code execution.
Anyone that moderated this Insightful needs to be hit with a really big fucking clue stick. IDN is International Domain Names -- it allows for non-ASCII characters in the domain name for non-English languages.
Did you not notice that it's an open source project? Because its open source there is no "team" of testers
Did you not notice that Mozilla has started up a for-profit? Your open source argument is irrelevant. The moment someone gets paid for their work or benefits economically from it, they are responsible for doing a decent job.
Mozilla would do well to invest its money in decent testing and bug fixing rather than wasting it on advertisements and exploit bounties.
All but one bug I ever filed were confirmed, but none of them has actually been fixed as of yet. The longest running is coming up on its 8th-month anniversary. Amazing turnaround there.
Just to cut off the predictable "if you care so much, look at the source, fix it yourself and contribute it back in": developers are getting paid to produce code for Firefox and Mozilla benefits financially from Firefox. I'm all for the open community but not when Mozilla gets to cash in on what others donated freely.
Sorry to say this, but it sounds like you were removed for being a habitual trolling attention-whore. Just the way that you ask your questions is offensive: as if some naughty QA monkey needs to be publicly whipped. How many times did people try to explain to you how ignorant you are of the open source development process before they took action? Be honest.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
It's better to respond in a day and prevent any exploitation at all than it is to do seemingly nothing.
They can fix the actual problem for the next release and re-enable IDN.
If it is the Mozilla Foundation that you're thinking of, it is a non-profit organization. (Unless the referenced page has out of date information.)
Based on your own little post, I don't blame Asa for deleting your posts. How would an answer to your questions by Asa actually help anything? What would blaming some single person do to help the security situation? Not knowing who you are or what your connection with the Mozilla Developers is, but what business of yours is any of this anyway?
You may be entirely correct in your beliefs and assertions, but because of the way you've said things, it won't matter; you've destroyed your own credibility. Arguing or being persuasive is not the same as whining or demanding, whether you are right or not. Posting A/C about this here doesn't help get your point across either.
Sort of, but IDN isn't something that's that critical for many people like Active-X, which is at the centre of Microsoft's incompatibility war.
IDN is (necessarily) a bit of a kludge for the most part anyway. The International Domain Name stuff opens up its own can of worms in that you can come up with domain names that look a lot like a well-known one by grabbing a domain name with one letter changed to an IDN character that looks enough like the original one to fool people. Example: hötmail.çom replaces both the O in hotmail and the c in com. Both relatively obvious, but good enough to fool some into thinking that it's a rendering error. (( Slashdot filters out almost all international characters, which makes it hard to give a really good IDN example. ))
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
You think that it's acceptable for a product update to be released to almost 100m users without regression testing security vulnerabilities? Note: this isn't about NEW holes, this is about not testing an old one. That's stupid beyond belief!
This isn't about open source/closed source, except to the extent that Slashbots seem to be blinded to Mozilla's flaws.
Maybe if you identified yourself instead of hiding behind the mask of AC, I might consider it, but for now, you look to be no more than another useless troll.
"My God...it's full of trolls!"
Yet another valid security question is deflected by a Mozilla fan. So the world turns.
"Sufferin' succotash."
I'm amazed at how surprised some people are at the fact that Firefox has serious exploit.
I'm amazed that a slashdot reader doesn't understand the difference between an exploit and a vulnerability.
I do agree Asa has a dark side; it's quite obvious when you check not only his blog entries but the comments, and his comments in Bugzilla. I also agree that many Mozilla policies are poor, and cause security issues. For example, there's a feature request in Bugzilla asking for extension blacklisting. This is a very good feature, because anyone could write a nasty xpi with a nice name and it would cause much PR trouble. But the bug request was put "on hold" because their priorities are "elsewhere". On the other hand, Firefox is and always has been much more secure than IE. Not only in the number of vulnerabilities, but in the fact that they were all proofs of concept, and not actual vulnerabilities found on malicious web sites. The security process is also a lot more transparent, meaning patches are provided more quickly. So it's a bit of both, really.
There's also the for-profit Mozilla Corporation.
Ouch! That's got to hurt! ;P (Note to humour impaired mods: This is a use of good humour. Mod appropriately)
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Yes, because as we all know, security problems go away when they are complained about by an AC.
After a few months
Just another crappy blog
And if this is fresh news, do people care of their internet security at all? Or just bad memory?
Here's the link to Ferris's site's article on this: Ferris vuln report
Also, that page apparently has some (quite simple) test code "linked" to here: vuln test code
I must say, I don't appreciate having to scramble because he wanted some notoriety. 2 days from notify to disclose? Greetz indeed.
Ferris -1, Jerk
This isn't insightful, but it's quite obvious that you're a dick. I know some real dicks, and even when they are right, no one wants to hear them. Maybe you are right, perhaps you're not, but because you're such a dick about it, who cares?
If you don't vote, you don't matter, so don't waste your time telling me your opinion
example: hötmail.çom
Actually, I don't think you can change the ".com" - the TLDs need to match still - but you can do even better: the Cyrillic and Greek alphabets contain numerous letters that look exactly like Roman letters.
Including archaic and variant forms present in Unicode, the following lower-case characters can be spoofed:
Cyrillic has a, e, o, p, c, y, x, and s.
Greek has v, o, c, j.
And that's before you start on the close matches (gamma, rho, upsilon, omega), which might easily be mistaken at small point sizes.
If your comment title says 'Re: Foo', I'm not likely to read it.
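A defender-side check for the lookalike problem discussed in the parent posts, added here as an example (it is not code from any poster or from Mozilla): it decodes xn-- labels, folds the Cyrillic and Greek lookalikes listed above (plus accented Latin letters such as the ö in hötmail) back to the ASCII they imitate, and flags labels that mix scripts or that fold to a protected brand domain. The confusable table, the protected-domain list and the sample hostnames are constructed for this example.

```python
"""Constructed example: flag IDN labels that imitate ASCII domain names."""
import unicodedata

# Lower-case Cyrillic/Greek letters visually identical to Latin ones, as
# listed in the thread, plus Macedonian dze (U+0455) standing in for 's'.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
    "\u03f2": "c",  # GREEK LUNATE SIGMA SYMBOL
    "\u03f3": "j",  # GREEK LETTER YOT
}


def decode_label(label: str) -> str:
    """Return the Unicode form of an ACE ('xn--') label; other labels pass through."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed punycode: keep the raw label visible
    return label


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, from the Unicode name prefix
    ('LATIN', 'CYRILLIC', 'GREEK', ...). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def fold_to_ascii(label: str) -> str:
    """Map known confusables to the Latin letter they resemble, then strip
    diacritics (NFKD, drop combining marks) so 'hötmail' folds to 'hotmail'."""
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def analyse_hostname(host: str, protected: tuple = ()) -> dict:
    """Inspect a hostname (Unicode or xn-- form) for homograph indicators.

    'protected' is a caller-supplied list of brand domains. A mixed-script
    label, or a fold equal to a protected domain while the real name differs,
    marks the host suspicious. A fold-to-ASCII difference on its own
    (e.g. 'münchen.de' -> 'munchen.de') is reported but not flagged.
    """
    labels = [decode_label(part) for part in host.lower().split(".")]
    decoded = ".".join(labels)
    folded = ".".join(fold_to_ascii(lab) for lab in labels)
    findings, suspicious = [], False

    for lab in labels:
        used = scripts_in(lab)
        if len(used) > 1:
            findings.append(f"mixed scripts in '{lab}': {sorted(used)}")
            suspicious = True

    if folded != decoded:
        findings.append(f"non-ASCII name folds to '{folded}'")
        if folded in protected:
            findings.append(f"imitates protected domain '{folded}'")
            suspicious = True

    return {"decoded": decoded, "folded": folded,
            "suspicious": suspicious, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: the thread's hötmail.çom, a Cyrillic-o hotmail in
    # Unicode and in wire (xn--) form, and a legitimate German name.
    brands = ("hotmail.com",)
    samples = [
        "hotmail.com",
        "h\u00f6tmail.\u00e7om",
        "h\u043etmail.com",
        "h\u043etmail".encode("idna").decode("ascii") + ".com",
        "m\u00fcnchen.de",
    ]
    for s in samples:
        r = analyse_hostname(s, protected=brands)
        print(f"{s!r:36} suspicious={r['suspicious']!s:5} {r['findings']}")
```

The same fold lets a mail gateway or proxy compare a decoded IDN against its own brand list rather than disabling IDN outright, which is the trade-off the thread is arguing about.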
From the Mozilla corp site:
"On August 3rd, 2005, the Mozilla Foundation, a non-profit public benefit software development organization, launched a wholly owned subsidiary, the Mozilla Corporation. The Mozilla Corporation is a taxable subsidiary that serves the non-profit, public benefit goals of its parent, the Mozilla Foundation, and will be responsible for product development, marketing and distribution of Mozilla products."
Seems to indicate that it's just a way of raising funds for the non-profit foundation. While it might be "for-profit", the only place those profits are going is into the non-profit foundation. This seems pretty acceptable to me...
[All Your Fish Are Belong To Us]
If you don't want to disable IDN, or if you want to help test the change so Mozilla can release updated versions faster, try these nightly builds:
Today's Gecko 1.8 branch nightly - Firefox 1.5 Beta 1 plus the fix for this security hole.
Today's Aviary 1.0.1 branch nightly - Firefox 1.0.6 plus the fix for this security hole. There isn't a Linux build here; I don't know why.
The shareholder is always right.
When using Firefox, you can just drag the link onto the tab bar. It'll open it up as if you had typed the address, so it won't appear to come from slashdot.
This is a workaround. It disables the feature that has the flaw. I wouldn't call this patching the bug. When the real patch comes around, this will be even more evident
It works on so many levels!
"A thousand eyes, all bugs are shallow". Oops!
"So wager what you will, but I bet you in return that your bet is based on ignorance rather than facts."
Most likely based on the same myopia you see in the US (even the Canadians know better). The world revolves around all things English (and American). The "turn it off" solution is one we see commonly used to solve Windows problems. Not Linux problems...until now.
As a reply to a reply stated, doing this doesn't gain you much: if you run as a low-privilege user you just end up with all your valuable data owned by that low-privilege user and therefore vulnerable.
You could run the web browser as its own user, which would limit damage if it was compromised, but this would still leave your cookies (which may contain valuable authentication information), browsing history etc. vulnerable, and would make downloading stuff a pain.
Note: I'm known as plugwash most places, but I screwed up registering that here somehow in the past and now can't register.
So Firefox isn't exactly turning off something lots of sites are going to be relying on.
It's not stupid beyond belief, it's a standard screwup that happens all over the software world, open and closed source. It takes a tremendous amount of discipline to "do the right thing" and write a unit test to be added to an automated regression suite. Of course it's the right thing to do. (No shit, Sherlock.) Nobody has suggested that the absence of such testing is a good idea. The only thing that I've suggested is that some anonymous blowhard shouldn't be surprised if their insistence that a specific QA guy be identified and spanked is not welcomed with open arms. I wouldn't be able to finger a specific QA specialist that dropped the ball on an Internet Explorer regression either, and I'd get my account yanked for relentlessly pressing that issue on a Microsoft forum too.
If you think it's a valid security question, I'll give you the benefit of the doubt: rephrase it in such a way that it is worthy and answerable.
Also, I can tell you who is responsible for testing and QA failures: you are.
That attitude is reminiscent of the infamous Bill Gates interview where he said that bugs were the end users' fault.
Not end users but beta testers. That's why there are betas. Mozilla always requests that people run the betas, find bugs, and report them. Here's the note for the 1.5 beta (Deer Park):
Note: This is not the final release of our Web browser, it has been made available for testing purposes only, with no end-user support. If that sounds scary, you'd probably be better off with the latest version of Firefox 1.0.
Since the release of Firefox 1.0, I believe there have been about the same number of vulnerabilities found in both browsers.
You're contradicting yourself. From you in the same post:
Mozilla and Firefox are pretty bad when it comes to security. Not as bad as Internet Explorer but still pretty damn bad.
So what is it? Are you saying it's less, equal, or better security? Please make up your mind.
Remember that XUL spoofing vulnerability that was marked non-public in Bugzilla so it could linger for over two years without being fixed?
If I remember right, the XUL spoofing vulnerability was fixed prior to the public release of Firefox version 1.
Asa, it's good to see (putatively) competent posters on this topic. Please know that this is not intended as a troll. You see, one thing is a config change, but if it doesn't *actually* solve the problem then it'll just be noise in the config file.
7 7 that said this IDN config change isn't gonna work, and this worries me. If the publicized workaround is not effective then I think I'd be better off taking my chances on watching URLs myself, rather than having IDN 'faux disabled' (this may become effective at a later time when I'm not aware of it).
I mean, I came across https://bugzilla.mozilla.org/show_bug.cgi?id=2813
Can you say anything about these issues?
(PS. I'm still on v1.0.6 because 1.5b1 breaks my extensions.)
"Good news, everyone!"
I know a few fonts where "0" and "o" look the same. :-)
Karma: It's all a bunch of tree-huggin' hippy crap!
Or maybe the answer he was expecting (or rather, fearing...) was "Oops, we don't have any QA test department...".
The question wasn't to start a blame game against the (non-existent) QA monkey who failed to spot the bug, but rather against the project manager who failed to create a QA department in the first place...
That's a GREAT link there...
Anyone using a slightly older version of Firefox gets redirected to a "you need to upgrade" page. How nice, I can't find out about a security vulnerability that exists in both new and old versions of Firefox, because I'm not using a more recent version of Firefox...
I can read that page using any non-Mozilla-based browser though! So the title of that page: "What Firefox and Mozilla users should know" is quite ironic, since it's inordinately hard for Firefox/Mozilla users to SEE that page.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
True, except the 's'. There is no such a thing in Cyrillic [...]
Actually, there is: it's used in the Macedonian version of the Cyrillic alphabet.
It's in Unicode, too: U+0455 CYRILLIC SMALL LETTER DZE
If your comment title says 'Re: Foo', I'm not likely to read it.
Read the statement again. It says "goals", which does not necessarily mean the profits will go back to the Mozilla Foundation. There is no explicit statement that "We will give the profits back to the MoFo." Their dubious press release is the usual bullshit that corporations put out.
Right now Firefox has the ability to change the URL box colour to show that it is a secure site.
Well, why not, as part of the anti-phishing concept, make it so all IDN sites cause that same URL window to show a different colour, so once again the user gets a visible prompt to be extra vigilant that the site is legit.
Those that use IDN due to their nationality can thereby continue to use IDN where necessary (and, as with all Firefox stuff, customise userChrome.css to NOT change the colour if they want).
Personally I already customise my security colours with custom graphics to make it really obvious when security gets broken. It's a trivial step to do the same with IDN. For more info on my customisation you can visit Mozillazine (direct link from /. won't work so copy and paste URL and remove spaces):
http://forums.mozillazine.org/viewtopic.php?t=128
Visceral Psyche Films
Not end users but beta testers.
You told somebody you don't know that they were responsible for testing and QA failures. That person didn't identify themselves as being a beta tester or have any special connection with Mozilla.org - for all you know, they are an end user.
You're contradicting yourself.
No I'm not. You said that Internet Explorer had more security holes - over the course of its lifetime, that might be true, but when you take a representative sample - i.e. a sampling over a specific period of time when they are both publicly released - they are equal. Your claim that Internet Explorer has more holes is not true.
In addition, you can also argue that Internet Explorer is less secure in general because it is supposed to have been a finished product for four years and is still being patched up. These two points are not mutually exclusive - it could well be that the Mozilla codebase will end up being much more secure than Internet Explorer when it's reached the same level of maturity as Internet Explorer, but that doesn't change the fact that, today, an objective bug count leaves them tied.
If I remember right, the XUL spoofing vulnerability was fixed prior to the public release of Firefox version 1.
Irrelevant. It hung around for two years while the Mozilla devs practiced security by obscurity, and also affected the release versions of the Mozilla Suite.
I'm a Firefox user, but this cavalier attitude to security and stability has me worried. When the next version of Konqueror comes out, which will have its own version of Adblock, I'll probably switch. Firefox is showing all the hallmarks of a couple of smart developers who don't have much experience, but have large enough egos to think that whatever they do is right. That typically results in an originally good idea going down the toilet.
Some perspective, please. Not all bugs/flaws/vulnerabilities are the same.
If Microsoft says on Monday there is a flaw, or it is reported, and the 'fix' is to disable said component, then they usually point that out.
Of course, I have no idea how many LOC this took to fix, if it was trivial or not, or how it was exploitable, so maybe I should shut up; then again, since when has knowing the facts been a prerequisite for slashdotting.... um tee...
You told somebody you don't know that they were responsible for testing and QA failures. That person didn't identify themselves as being a beta tester or have any special connection with Mozilla.org - for all you know, they are an end user.
What?! Okay, I can't figure out what you are trying to say. Two other people had a look at your posting and were equally confused. All we could figure (guess, really) is that you are trying to say that there is confusion between what an end user and a beta tester are. Typically, people who run beta versions of software know that they are running betas, since there are notices throughout the download and installation that inform them of this. If they somehow have completely missed all these warnings, they clearly only have themselves to blame.
No I'm not. You said that Internet Explorer had more security holes - over the course of its lifetime, that might be true, but when you take a representative sample - i.e. a sampling over a specific period of time when they are both publicly released - they are equal. Your claim that Internet Explorer has more holes is not true.
Again, an example of your lack of knowledge about Firefox. Firefox's base code came from the Mozilla browser. Mozilla's browser base code came from the Netscape browser. The Netscape browser was out before Internet Explorer. Add all security holes over the years of Netscape, Mozilla (both pre-Firefox), and Firefox and you still have fewer security exploits than Internet Explorer, despite the fact that much of the code that makes Firefox has been around longer.
Irrelevant.
Actually it's very relevant, since you were claiming Firefox had security holes that were going unfixed for long periods of time.
but this cavalier attitude to security and stability has me worried.
Oh my gawd I am soooo tired of hearing people whine about some programmers on an open source project being arrogant or snooty. It's like not liking a movie because you disagree with the way one of the actors behaves while he/she is offscreen. Firefox is a product. Get over it.
When the next version of Konqueror comes out, which will have its own version of Adblock, I'll probably switch.
Good. That's the power of choice.
Okay, I can't figure out what you are trying to say.
I'll make it simple by summarising how I saw the conversation going.
Typically, people who run beta versions of software...
The QA problem affects *all* users of the Mozilla.org codebase, not just the beta testers.
Again, an example of your lack of knowledge about Firefox.
Again, you're jumping to conclusions.
Firefox's base code came from the Mozilla browser. Mozilla's browser base code came from the Netscape browser. The Netscape browser was out before Internet Explorer.
I know all that.
Add all security holes over the years of Netscape...
Netscape 4.x and below are essentially a completely different codebase. Surely you know this if you are willing to accuse others of being ignorant about the Mozilla.org codebase's roots?
you still have fewer security exploits than Internet Explorer, despite the fact that much of the code that makes Firefox has been around longer.
Well that's a simple lie, isn't it? Practically all of Firefox's code hasn't been around longer than Internet Explorer, no matter which way you try and spin it.
Actually it's very relevant, since you were claiming Firefox had security holes that were going unfixed for long periods of time.
And that's true.
Oh my gawd I am soooo tired of hearing people whine about some programmers on an open source project being arrogant or snooty.
I'm not whining about them being arrogant. I'm pointing out that the effect that arrogance has on the quality of the product is causing me to switch browser.
Good. That's the power of choice.
And it doesn't occur to you that people actively moving away from Firefox because of these things means that the OP *just might* have had a point when he asked Asa about the QA procedures? And that ignoring such complaints is arrogant and detrimental to the project?
Like I said before, I quite like Firefox as a browser. But I can't expect security from it any longer. I think the OP had a point. And if you want to ignore that, then that's your prerogative. But if you want to ignore it, then ignore it instead of making shit up and telling half-truths.
Since when does "unpatched" mean lazy?
It implies lazy. Read the GP again.
This about:config method works in the newest Netscape 8.0.3.3 http://www.frsirt.com/english/advisories/2005/1691 too.
True, but calling it "unpatched" when it's also "brand-spanking-new" implies something not being done.
Since when does "unpatched" mean lazy?
It's a negative connotation and implies (at least, I inferred) that a bug has been found (true) that is not patched (true), with the implication/inference that this has been for a period of time longer than reasonable to come up with a patch.
BTW, I agree with poster who said it's more like "band-aided" than patched when the patch is turning off a feature.