Slashdot Mirror


Firefox Update Kills Bugs, Adds Mac Support

Juha-Matti Laurio writes "Several vulnerabilities are fixed in version Firefox 1.5.0.2, which was released on Thursday. In addition to security patches Firefox now includes some stability enhancements and, as expected, includes native support for Apple Computer's Macs with Intel processors. Secunia has a detailed advisory about vulnerabilities fixed with this release."

47 of 232 comments

  1. Themes and extensions keep working by Anonymous Coward · · Score: 4, Informative

    This time around, almost all extension and theme authors got the version dependency right, so unlike after the previous update, your extensions and themes won't be disabled. It's a security update, so do install it.

    1. Re:Themes and extensions keep working by christopherfinke · · Score: 3, Informative

      This is because the maxVersion in the extensions for 1.5.0.1 in the majority of cases is 1.5.0.*, so if your extensions work with 1.5.0.1 and 1.5.0.2, they'll be compatible with any future security upgrades for this branch.

    2. Re:Themes and extensions keep working by sisukapalli1 · · Score: 2, Interesting

      Several extensions broke down. "Compact Menu" -- had to go to the home page to reinstall (Firefox said no updates found), "Cute Menus" broke completely. "Mnenhy" broke.

      BTW, the update installation caught me by surprise. When FF asked confirmation for update, I checked the option "later" (meaning, ask later). Next time I started, FF updated itself, and broke some extensions.

      S

    3. Re:Themes and extensions keep working by Ark42 · · Score: 2, Informative

      You didn't read the message when you clicked later. The message said that an update was already downloaded and ready to be installed. It asked if you wanted to install it now (and restart Firefox now) or install it later (when you next restart Firefox).

      In the options under Advanced/Update the default is "Automatically download and install the update" but you can change that to "Ask me what I want to do" if you want. Of course, the "Warn me if this will disable extensions or themes" box is also checked by default, but I'm not sure how much that works. I think it just checks if the extension disabled itself because of the maxversion flag it has set maybe. That doesn't mean it will work for sure though, since extension authors can't predict these kinds of things.

  2. Patch by Ryz0r · · Score: 5, Funny
    Download the patch here!

    haha, no, seriously.. i'm joking

    ..*ducks*

    --
    Peace, Love, Unity, Respect
  3. What's new in Firefox 1.5.0.2 by anandpur · · Score: 4, Informative
    1. Re:What's new in Firefox 1.5.0.2 by Wannabe+Code+Monkey · · Score: 3, Informative
      264787 - [Mac] Ctrl+Tab and Ctrl+Shift+Tab Next/Previous Tab Keyboard Shortcuts no longer work (worked in Firefox 1.0.x).

      Thank God! I've been waiting for this, I couldn't for the life of me understand why this no longer worked on the mac version. I also just found out that you can change firefox's keybindings to be emacs-like on any platform. Actually that article shows you how to change the keybindings to be like anything you want, they just use emacs as an example.

      --
      We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
  4. Some leaks fixed by EggyToast · · Score: 5, Informative
    Here's the big ones, IMO, from a mac user's perspective:
    • Memory leaks
    • 321283 - Using Find causes documents to leak.
    • 323532 - Leak when using history autocomplete.
    • 323377 - Lots of leaks in nsInternetSearchService.
    Numerous times would I come home to see Firefox using over a gig of memory and eating up about 40% of my proc cycles. A quick quit/restart of the app would fix it, but still -- I regularly close tabs and don't develop long histories on multiple open tabs, so it didn't make any sense.

    I just hope that those leaks are the ones I was actually experiencing...

    1. Re:Some leaks fixed by bahwi · · Score: 3, Informative

      They fixed a serious bug that was affecting me in the moz branch, that was ported over to the xulrunner nightlies. Apparently I was creating too many JS Obj's and crashing out the system. Now it works perfectly with my thousands of javascript objects, mwa-ha-ha. =)

      But seriously, it's a CRM app loading stats from an XML source on the server side, and when using E4X you get an XML Object for each XML file(or entry, depending) so it's easy and quick when running yearly stats to generate a bunch of objects. But now it works like a charm, smooth, and fast. The only prob is it's a 1.8.0.2 nightly, not a release. But working is working.

  5. "Fixes some security issues"? by YU+Nicks+NE+Way · · Score: 4, Interesting

    Sweet baby Jesus, it fixes 21 separate issues *all of which can be used to execute arbitrary code*! Did they have time to fix any vulnerabilities which were only "somewhat critical"?

    1. Re:"Fixes some security issues"? by Anonymous Coward · · Score: 2, Insightful
      Considering how much Firefox gets touted as being superior to M$IE, I'm concerned about the sheer number of "arbitrary code execution" fixes that were in this 0.0.1 version increase. Maybe it's not as secure a codebase as the foundation thought?

      How does a browser that doesn't even run activex GET arbitrary code exploits???

    2. Re:"Fixes some security issues"? by Zocalo · · Score: 2, Insightful
      I suspect that some of these are bugs found by HD Moore of The Metasploit Project in Firefox last month - some details here. We can probably expect a similar slew of updates from Microsoft in a future "cumulative update" for Internet Explorer since there were more than 50 brand new flaws (not all critical) found in IE as well.

      Take a close look at the techniques used, and it's no wonder those "criminal cracker gangs" we keep hearing about have no apparent problem coming up with fresh 0-day exploits to sell if they are applying something like this. The only defence against this is going to be that you ship robust code that you can guarantee will handle any malformed data gracefully from day #1. That's going to take some getting used to in places like Redmond, WA where the "if it compiles, ship it" approach seems to have been the standard for so long.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:"Fixes some security issues"? by Anonymous Coward · · Score: 2, Insightful

      Because programmer errors cause exploits, not ActiveX. Don't swallow the groupthink you read on Slashdot.

    4. Re:"Fixes some security issues"? by Nasarius · · Score: 2, Interesting

      This is why Mozilla restricts access to security bug information. It's only an issue if it becomes public. By the way, I only count seven security-related bug fixes. Where are you getting 21?

      --
      LOAD "SIG",8,1
    5. Re:"Fixes some security issues"? by YU+Nicks+NE+Way · · Score: 3, Informative
      That's what I thought, too, but, in fact, no. Per Secunia's summary of sources:

      1, 9, 10, 12, 18, 20) shutdown
      2) Igor Bukanov
      3) Bernd Mielke
      4) Alden D'Souza
      5) Martijn Wargers
      6) Bob Clary
      7) Tristor
      8) Michael Krax
      11, 14, 21) moz_bug_r_a4
      13, 16) TippingPoint and the Zero Day Initiative
      17) Claus Jørgensen and Jesse Ruderman
      19) Georgi Guninski
      Metasploit isn't mentioned anywhere.
    6. Re:"Fixes some security issues"? by molarmass192 · · Score: 2, Interesting

      1%??? Ummm, FF has 12% market share and growing. My server logs show it closer to 20%, but then again we serve a specialized market.

      --

      Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
    7. Re:"Fixes some security issues"? by Blisshead · · Score: 2, Funny

      18% for us, and we sell yarn! Grandma knows what's up.

    8. Re:"Fixes some security issues"? by Jason1729 · · Score: 2, Funny

      How many Schroedinger's cats does it take to change a heisenbulb?

      I'm uncertain.

  6. SeaMonkey too by Anonymous Coward · · Score: 2, Informative

    SeaMonkey was updated to version 1.0.1 for security reasons too

    http://www.mozilla.org/projects/seamonkey/releases/

  7. Re:It still leaks! by somersault · · Score: 4, Insightful

    Isn't the memory 'leak' just the caching of pages, that you can disable by typing about:config in the title bar, and change "browser.sessionhistory.max_entries" to a lower value? Firefox keeps the last few pages in memory to increase speed when you browse to a previously used page.

    --
    which is totally what she said
  8. Yeah by springbox · · Score: 4, Informative

    The original poster might want to read this: Firefox "Memory Leak" is a Feature

    1. Re:Yeah by starwed · · Score: 2, Informative

      Also interesting is this thread in the mozillazine forums.

  9. Re:It still leaks! by Dan+Ost · · Score: 2, Insightful

    Could you be a little more descriptive of the memory leak problems that you're experiencing?

    What platform are you on?
    What version of Firefox are you running?
    What extensions do you have enabled?
    What types of things are you doing when you notice the memory increasing?
    Are you legitimately using more memory or is it actually a leak?

    C'mon, man, give us something useful.

    --

    *sigh* back to work...
  10. Mac Support by Anonymous Coward · · Score: 4, Informative

    Just to clarify, Firefox has long had Mac support. This distribution adds Universal Binary support so that Firefox is now native for Intel Macs.

  11. Re:It still leaks! by hal9000(jr) · · Score: 3, Informative

    I have found most of the memory leak issues are when using Java applets. Oh, and parsing a 35Mb XML file, memory usage soared to over 1.5 GB and kept climbing.

  12. still got memory leaks out the wazoo by Tumbleweed · · Score: 2, Informative

    But the good news is, that about:config trick where you minimize your window, then maximize it again still works.

  13. Annoying update message by LiquidCoooled · · Score: 5, Insightful

    It did it again.
    I have firefox set to inform me that there's an update.

    In my eyes that update check should only occur when I open a window, NOT when I'm in the middle of typing.
    I saw a flash of something whilst I was typing and realised I had inadvertently accepted a popup box.

    I want to set Firefox to inform me of updates, but make sure it only does that when opening a new window or tab (so it knows I'm not actively typing).

    --
    liqbase :: faster than paper
    1. Re:Annoying update message by pen · · Score: 2, Insightful

      The pop-up is a good idea, but I think that it should have that delay feature that other pop-up dialogs have (where the buttons are disabled for a few seconds.)

  14. Re:It is nice by LiquidCoooled · · Score: 3, Insightful

    It still updates in the middle of use.
    The default button is still focused and easy to accept.
    If it only displayed this update message upon startup/New tab/window then I wouldn't have a problem, but if it detects an update mid session then it pops up then taking away focus.
    I personally preferred the update throbber in the top right.

    --
    liqbase :: faster than paper
  15. Re:It still leaks! by shawn(at)fsu · · Score: 3, Interesting

    if it doesn't work as well for you, something else is wrong.
    Just because it works fine on one machine is no guarantee that it will work just as well on other machines.

    I'm up to 80 megs used with only 4 tabs open (CNN /. Gmail, Milk&Cookies). I changed the setting in about:config weeks ago.

    Firefox doesn't release memory like it should. It jumped from 50 to 75 when I opened a new window to view a QuickTime movie, when I closed it the memory wasn't released. If I watch a wmv file it will routinely jump into the high 90's low 100's. I opened the same pages with IE and when I close the window with the QuickTime movie the memory jumps back down.

    --
    500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
  16. Hold on there by dereference · · Score: 5, Insightful
    With only 1% of users on Firefox, they can hardly be considered critical. Any vulnerability in Internet Explorer is automatically 99 times as bad, due to its user base.

    Be careful with this line of reasoning. All along there's been this mantra of "Firefox is inherently more secure, and would be even if it were the dominant browser" spouted continuously. Well, I happen to think the GP makes a great point about this, and your reasoning seems to fly in the face of the mantra. Don't get me wrong--I'm one of these said spouters--but I'm honestly feeling more than a bit hypocritical at this moment. These are some damn serious issues, and it's not just a handful.

    Now, I suspect the reason for this is that the Firefox community as a whole (users and developers) are far more pre-disposed to actually finding and publicly disclosing such bugs. My guess is that we really only see the tip of the IE iceberg in terms of security.

    However, we still can't have it both ways; these are indeed very critical bugs, and to dismiss them otherwise may seem beneficial, but it's actually a great disservice.

  17. Re:It still leaks! by everphilski · · Score: 3, Insightful

    When you close those 60 tabs, firefox should free the memory. It doesn't.

    Who cares?

    Seeing as that memory is now lost and unusable you **should** care. It is a sign of sloppy design anyways and the other two (Opera and IE) don't seem to have problems with memory leaks...

  18. Re:colgroup bug still exists by hclyff · · Score: 2, Informative

    Maybe it's because there isn't supposed to be an 'align' attribute?

    http://www.w3.org/TR/html4/struct/tables.html#h-11.2.4

  19. FF configuration to reclaim leaked memory by Tumbleweed · · Score: 4, Informative

    Here's the URL I got it from:
    reclaim leaked memory

    In case this poor bastard's site gets Slashdotted, here's the trick:

          1. Open Firefox and go to the Address Bar. Type in about:config and then press Enter.
          2. Right Click in the page and select New -> Boolean.
          3. In the box that pops up enter config.trim_on_minimize. Press Enter.
          4. Now select True and then press Enter.
          5. Restart Firefox.

    Once you've restarted, and been using FF awhile, minimize it, then bring it back, and the system (under Windows, anyway) will have reclaimed leaked memory (often LOTS of it). A new notice on that page says this works with Thunderbird, too, so I'll have to try that when I get to work.

    1. Re:FF configuration to reclaim leaked memory by starwed · · Score: 4, Insightful

      You do realise that, if this works, it isn't really leaked memory?

  20. In other news... by Rytis · · Score: 2, Informative

    Firefox is reported to pass the ACID2 test as well. Though it's just a development branch and there's still a load of work to do, it's nice to see they are finally getting to the finish.

  21. Re:It still leaks! by Dan+Ost · · Score: 3, Informative

    Set browser.sessionhistory.max_total_viewers to 0 and see if that helps. If it does, then
    you're not dealing with a memory leak (or at least, not an accidental one...they put this
    in there on purpose).

    I'm running 1.5.0.1 on gentoo linux (no gnome or kde) and experience no memory leak. I often
    leave it running for days and, while my memory footprint varies with usage, it doesn't appear
    to be behaving badly (memory usage always approaches a base level after I finish most of my
    browsing).

    --

    *sigh* back to work...
  22. Re:colgroup bug still exists by CTho9305 · · Score: 2, Insightful

    Maybe because the Mozilla Foundation is smart enough not to take big risks with security releases? They got a lot of heat with 1.0.x from distributors, since they included more fixes than just the security fixes and major stability fixes, so now the 0.0.0.1 increments will only fix very very low risk (or very high-impact) issues in security releases.

    It might seem like a fix is simple, but when you have a really large codebase and millions of web pages doing strange things, it's very easy for a "simple fix" to significantly change rendering results. Sure, in this case you personally would like the change, but imagine if you had a corporate intranet which for some reason depended on that specific alignment being unsupported. You distribute the security update, and suddenly it looks wrong. You'd be flaming the Mozilla Foundation for changing non-critical things in a minor point release.

    That's why old branches are supported (i.e. Firefox 1.0.x) long after a new release is available - people don't want to have to worry about non-critical changes breaking things for point releases.

  23. Re:It still leaks! by fimbulvetr · · Score: 2, Funny

    But...but...but
    XML and Java APPLETS are teh BESTEST thing ever!! How could they possibly cause problems? They are the glue of the internet! Fast, efficient guarenteed to work everywhere and anywhare!!!!

    Heretic!

  24. This *would* have been news... by Dhar · · Score: 3, Funny

    ...if Firefox hadn't updated itself before I got to read the article.

    -g.

  25. Re:Optimized Builds by tomstdenis · · Score: 2, Interesting

    How would SSE2 speed up rendering HTML?

    If you think about it your webbrowser is for the most part an on-the-fly compiler, parsing HTML, XHTML, JS, etc and compiling it into onscreen "stuff".

    Your question is like asking when GCC will support SSE2 natively to speed itself up.

    There may be a few graphic algorithms that can benefit from SSE2 but for the most part nothing else.

    Tom

    --
    Someday, I'll have a real sig.
  26. Re:It is nice by jthill · · Score: 2, Insightful

    But popping a focused "accept" button at random times is near criminal, no matter who does it. Yah, go ahead. "Redundant". I say that bears saying until everyone on the planet is sick of hearing it, and then saying it some more. Kind of like telling kids to look both ways before crossing the street.

    --
    As always, all IMO. Insert "I think" everywhere grammatically possible.
  27. Re:Why not 1.5.1? by Kelson · · Score: 2, Informative

    Because they switched to a more detailed numbering scheme with 1.5.

    Given: x.y.z.w

    x.y are the major/minor version numbers.
    z is for an update that changes the API.
    w is for an update that doesn't change the API.

    This way they can distinguish between updates that are likely to break* extensions (Firefox 1.5.1) and those that theoretically should not (Firefox 1.5.0.2).

    *By which I mean actually breaking functionality, requiring programming changes to the extension -- not just needing to bump the extension's compatibility label.
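
The compatibility check discussed in this thread (a `maxVersion` of `1.5.0.*` against the x.y.z.w numbering), as an added example that is not part of the original comments and is not Mozilla's code. It is a simplified model: version parts are assumed to be plain integers, missing parts count as 0, `*` matches any value at its position, and the extension names and ranges are constructed.

```javascript
// Added illustration: a simplified model of the minVersion/maxVersion
// range check, not Mozilla's actual version comparator.
// Assumptions: version parts are non-negative integers, missing parts
// count as 0, and "*" means "any value at this position".

function parseVersion(v) {
  return v.split(".").map((part) => {
    if (part === "*") return Infinity;
    if (!/^\d+$/.test(part)) throw new Error("unsupported version part: " + part);
    return Number(part);
  });
}

// Returns -1, 0 or 1, like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = i < pa.length ? pa[i] : 0;
    const y = i < pb.length ? pb[i] : 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isCompatible(appVersion, ext) {
  return compareVersions(ext.minVersion, appVersion) <= 0 &&
         compareVersions(appVersion, ext.maxVersion) <= 0;
}

// Names of the extensions that an update to appVersion would disable.
function disabledBy(appVersion, extensions) {
  return extensions.filter((e) => !isCompatible(appVersion, e)).map((e) => e.name);
}

// Constructed sample data; the extension names are hypothetical.
const EXTENSIONS = [
  { name: "branch-wildcard", minVersion: "1.5", maxVersion: "1.5.0.*" },
  { name: "pinned-to-release", minVersion: "1.5", maxVersion: "1.5.0.1" },
  { name: "old-1.0-only", minVersion: "1.0", maxVersion: "1.0.*" },
];

for (const target of ["1.5.0.1", "1.5.0.2", "1.5.1"]) {
  console.log(target, "disables:", disabledBy(target, EXTENSIONS).join(", ") || "(none)");
}
```

An extension pinned to an exact release is disabled by the next security update, while a branch wildcard survives every w-level update and is only disabled once the z component changes.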

  28. Accurate firefox usage information by elliott666 · · Score: 2, Insightful

    It would be interesting to see how many times the automatic update is downloaded. At first glance it seems like that might be a good way to get some sort of idea as to how many people really are using Firefox.

  29. Acting Like Spyware by opensrvtech · · Score: 2, Insightful

    This update scared the hell out of me. I couldn't tell if a 3rd party app had mysteriously been installed or if it was a trusted update from Mozilla... There was no information available in the popup itself and the update/release notes had not yet been released, were not loaded into a tab or window and had not hit the web or cleared my ISP's cache. Yet, I get a popup telling me that, basically, I may or may not be fucked if and when I permit Firefox to reload. It's important to facilitate end user verification and awareness of what a trusted 3rd party is about to do to their machine.

    This is bad protocol. Many (and I mean MANY) 3rd party nightmares identify themselves as proper patches for trusted titles. Firefox's update looked exactly like several of them. It's IMPORTANT TO CLARIFY WHO YOU ARE AND WHAT YOU'RE DOING. This could be resolved in any number of convenient, non-frightening, ways (All of them, too obvious to list).

    It would be of tremendous value to the more paranoid side of geekdom if Mozilla/Firefox also forced release notes to load at the time of notification of an update. It took me more than 4 hours to give in and run a complete system backup to dvd... all because my browser wanted a restart.

  30. Re:LEAKS ARE NOT A FEATURE! by dveditz · · Score: 2, Interesting
    The developers say that the memory cache explains the leaks.

    THEY ARE LYING.

    One developer blogged that the memory cache explains some of the leaks.

    We've also said bugs in popular extensions cause some of the leaks. http://kb.mozillazine.org/Problematic_extensions

    But anyone who watches the project will see that we know leaks are bugs and are actively fixing them. Look in bugzilla, or look at the change logs of recent releases, for example: http://www.squarefree.com/burningedge/releases/1.5.0.2.html

  31. Re:Arguable by dereference · · Score: 2, Interesting
    Good grief; I must have fallen for a troll. Sorry, I really thought we were having a nice healthy discourse, but it seems you aren't listening except to yourself. I'm not attacking your precious browser, for crying out loud I use it myself. I'm just trying to get you to open your eyes just a bit wider.

    I'm simply trying to point out the difference between a vulnerability that could, theoretically, be used for arbitrary code execution, and one that IS being used daily for arbitrary code execution, drive-by installations, etc.

    Yes, I know; I understood that from the beginning. I never disputed this.

    Mozilla is the one being honest, but if you look at the sheer numbers and not the descriptions of the vulnerabilities, it often appears that FF has 3 times as many "critical" vulnerabilities as IE, when just the opposite may be true.

    Well, this is where I realized you weren't paying attention. I explained in three different postings that I was not just counting the damn vulnerabilities. This is all about the *severity* of the issues. Yes, it's all self-reported, and yes, Mozilla is over-reacting relative to Microsoft.

    So, I get your point, but I think you're still missing mine. These are bad flaws. No matter how much you want to spin it, or to discount it due to Mozilla's over-reaction tendencies, these are *still* really serious problems.

    My point is that we're wearing this cool shiny Firefox armor and feeling relatively invincible, but it's possible--just maybe--that we've got a false sense of security here.

    A false sense of security is often far worse than no security at all. Yes it will probably get better, and yes it will probably get better far faster than Microsoft could ever imagine, but we're definitely not there yet.