Thunderbird 2.0 Alpha 1, Firefox 1.5.0.5 Available
nuyorker and hdm wrote to mention the new releases for Thunderbird and Firefox. hdm writes "This release of Firefox fixes 12 security holes, many of which can be used to execute malicious code. The Browser Fun project has provided an online demonstration of one of these flaws. This demonstration is capable of executing code on Windows, Linux, and both architectures of the Mac OS X platform; you're going to want to upgrade today!"
This made it to Debian Testing yesterday and Ubuntu this morning... slashdot's news pipeline is stalling :)
As in pushed out to you without asking you first. That was quite the surprise.
Does anyone know if this latest release has gotten rid of some of the memory "features" that I've come to love in Firefox. I don't know what I would do if they got rid of them (other than have a smaller page file ;).
Thanks!
All glory to the Hypnotoad!
...I was pushed Thunderbird 1.5.0.5 earlier this morning, too.
Breakfast served all day!
Automatically received, downloaded, and installed. Automatic updates done right.
So, how many security holes does Internet Explorer usually see in a patch cycle?
This is getting insane. I'm thinking of switching to Opera if only for the added security, greatly reduced memory footprint, and greatly increased speed. Only thing keeping me with Firefox is AdBlock.
I tried the demo on my system (an up-to-date Gentoo w/ Firefox 1.5.0.4). It didn't work. I use the hardened sources w/ the hardened USE flag, so that may have something to do with it.
Repeat after me: "ALL software has bugs and security issues." You should be more interested in how long it takes to fix said issues, not whether they occur, because they WILL occur; that goes for IE, Firefox, Opera, konq, and Safari.
I think the invisible hand of the market has its middle finger extended
--A wise old fart named SC0RN
Security holes were found. Security holes were fixed. I don't see a lack of attention to security.
If this signature is witty enough, maybe somebody will like me.
Ugh. Security holes? Malicious code? I knew there was a reason I switched to Firefox. This just proves IE is worthless.
Oh wait, this is about firefox?
Ummm... Hooray! Firefox is even more secure now!
Doesn't work in Opera :-(
iexplore's BSOD large image hack does not work either
I guess FireFox is more MS-compatible
Obama likes poor people so much, he wants to make more of them.
Probably this is a more general issue than just security. They should take the whole testing process more seriously. Having millions of users is not enough to ensure product quality, even if it helps to some extent.
If you don't fail at least 90 percent of the time, you're not aiming high enough. (Alan Kay)
I have really been waiting for this build of Thunderbird. It finally includes message tagging, which is something that I've been wanting natively in Thunderbird for a long time. Tagging now also apparently works with IMAP connections, although at least some users are having some problems with that feature. (Bug #344290).
It is a solemn thought: dead, the noblest man's meat is inferior to pork.
How would a person use this flaw to run a keylogger or other virus on a person's system? Is it possible to do this with this bug? I auto-patched when the new version came out, but the behavior of the test site, with Firefox crashing and the hard disk making its reading/writing noise, I've seen before the patch on some non-reputable websites... How bad could the damage be, and do I need to reformat? (NAV doesn't detect anything, but NAV never detects anything, including my homemade virii/keyloggers.)
my Sinclair ZX81 isn't exploitable
take that! YUO L00ZER HAX0RZ
They are concerned. 12 security flaws were just fixed with this release, and if you look at the previous change logs, they have been constantly fixing security problems. Really, it would be close to impossible to make a browser fully secure from every type of vulnerability, especially free ones.
... between Windows and the other OSes is that generally, the average user for Windows has full admin privs, while the average user for Linux and OS X browses the internet with significantly less privs.
I know Java must be available because Java is WORA.
Yes it is a more general issue.
Ignoring bug reports for 5+ years is a serious issue, especially when it's something like "Mozilla and Firefox store your credit card numbers in plaintext by default."
I've had enough abrasive sigs. Kittens are cute and fuzzy.
That's not always true. You can write provably secure systems. I know that's missing the point, but you made "all" in capitals. :)
Aww, you must feel so left out. How about the memory corruption bug instead which neither Firefox nor IE suffered from. Feel better now?
But that's what people give MS shit for, finding and fixing security holes. The attitude is that, had there been better design, the holes would not have existed in the first place. I've often seen it preached that OSS doesn't have the same problems since many eyes look at it and thus find all the bugs. That is, of course, not the case. I think the GP was simply pointing that out. Some people feel like running Firefox is a magical security shield, that it doesn't have problems. Well, it does; they just don't seem to be getting exploited before there's a chance to fix them.
Of course one has to wonder what will happen as it becomes more popular. Plenty of people installed it before it started auto-updating. Not too long ago I came across a grad student's laptop that was still running a pre-1.0 version. They figured they were safe and there was no reason to update since what they had worked.
URL: about:config, filter for: memory, adjust relevant options. -1 for capacity indicates automatic.
When, oh when, will I learn to not click on things that say "Clicking this may crash your browser"?
I am running 1.5.0.5 (thanks, Firefox auto-updater thingy!), so it couldn't execute the test on my machine, but that didn't stop the browser crashing.
Web consulting +
unlike Microsoft who takes weeks, months, years...
I just tried the exploit demonstration page, and it doesn't seem to do anything. Using Firefox 1.5.0.5 on Mac OS X. Any ideas?
Ceci n'est pas une sig
Seems that the really old Bon Echo (Firefox 2 alpha) version I am using isn't vulnerable; that's weird.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Huh? What are you talking about, the cache?
I suspect quite a bit of the complaint comes from both the pure number of holes and the ratio of found holes to fixed holes. The number of holes is related to the design of the software.
Care about electronic freedom? Consider donating to the EFF!
Form autocomplete is on by default and will save your credit card numbers and full information in plaintext, ripe for any malware to grab.
Simply not storing form autocomplete on SSL forms would fix it.
To be fair, I actually use IE, and what people complain about is that it takes so long for security holes to be fixed.
I have discovered a truly remarkable sig which this post is too small to contain.
Turnaround time from the reporting of http://www.mozilla.org/security/announce/2006/mfsa2006-45.html to a fix deployed: 1 day.
No lengthy and buggy "WGA" product check necessary.
No advanced computer knowledge necessary.
Browser restart is required, operating system restart is not.
(This is in the case of a Windows user.)
I'll leave the comparisons up to others.
I've often seen it preached that OSS doesn't have the same problems since many eyes look at it and thus find all the bugs.
Must be a rosy freaking world you live in where ALL the bugs in software can be fixed. Do I give MS more shit than Mozilla? Considering they make a couple million dollars profit a DAY, I'd expect a bit more from them. Besides which, much of the problems with IE are based off of their Active X technology, which people have said would be a huge security disaster from the very beginning.
And yeah, Firefox is a big security shield because if I feel it is no longer secure I can UNINSTALL IT.
Try to imagine writing a shell script that would cheerfully do a cd /usr/bin; rm *. Can you? Now look at this bug report:
bug 234479
One of the programmers (Andrew Schultz) can't imagine any way of dealing with version skew problems outside of completely erasing the installation directory in order to start from scratch.
For those not aware, thunderbird spam filter can use a little work. I've found a WONDERFUL extension that does just that... www.spamato.net for those interested.
- Joe
Uhh... no. People give MS shit for finding and not fixing security holes. Since we're talking about browsers, I give you IE6, which hasn't received a serious overhaul in over half a decade and has proved to be an extremely insecure application.
Microsoft has a history of leaving known (as in having exploits in the wild) security flaws unpatched. Some argue they do this because hackers can then reverse-engineer patches and create exploits of the bugs, but that logic is a bit dubious to me. If your software has security problems, they should be addressed. Period. And this is exactly what Mozilla does.
About your last point, that's one of the key improvements in version 1.5. Updates are downloaded and installed automatically. Users will be up to date unless they specifically set it otherwise. Users of previous versions still have to upgrade manually, but I think in time most will.
Favorite quote: "
I have version 1.5.0.5 installed on my windows machine and the online demo still crashes my browser. I will await version 1.5.0.6. :)
Actually people complain about MS finding and then NOT fixing security holes. Look at the update record of their browser compared to FF: Firefox has about a week to a month fix rate, MS has about a 1 year to never fix rate. People also complain that IE is UNFIXABLE due to its dependence on Active-X, which basically gives malware a pass to the kernel.
Firefox finds bug, fixes bug, no news here.
I really have no qualms about Firefox fixing a bug; it shows that they're on it. Nobody claims that OSS is bug free, or security risk free, since this is impossible, for closed or open software. Code is a complex beast, like the hydra: you chop off one bug/security hole, and you probably open up more. That is intrinsic in coding and design. The difference is the flexibility of OSS, where bugs are easily seen and easily remedied.
When the market share hits critical mass, things should get fun, though. But the openness of OSS still will keep it from reaching IE proportions. And shame on those who think that Firefox = security; the internet is still a bad place, no matter what you run. Good software is no substitute for intelligence, ever.
A patriot must always be ready to defend his country against his government. -edward abbey
Portable Firefox is now Mozilla Firefox - Portable Edition (or, Firefox Portable among friends) and a new version has been released. This new version sports some handy new features, including: CD support (aka Firefox Portable Live), partial update support, in-place upgrade support, full compatibility with Wine running on your favorite *nix distro, and more. It's available in three different versions: 1.5.0.5 for everyday use, 2.0 Beta 1 for testing the latest Firefox beta and 1.0.8 for web developers to test pages against. Full details are on the Firefox Portable Release Page.
Portable versions of Firefox, GIMP, LibreOffice, etc
but my Firefox crashed. :(
This release is buggy. The "DOM Inspector" and "livetalk" extensions (the ones that come with Firefox itself if you choose to install them) get disabled when updating due to incompatibility with the new version.
However, at work the update went fine, so I don't know what exactly triggers it.
Open Source Java Web Forum with LDAP authentication
But that's what people give MS shit for, finding and fixing security holes.
No, people give MS shit because it can take them in excess of 6 months to release a patch after someone else finds the holes for them.... though if you look at the graph for 2005, it would appear that they are getting better at patching faster.... but your average linux program gets patched within days of a published vulnerability.
Oh god, that woman is John Romero!
Just an FYI for anyone updating: after downloading this, MLB.tv video appears to be broken. No idea why; the video just doesn't show.
Portable Edition? I thought Firefox was already portable - it runs on Windows, various UN*X+X11 combinations, and OS X, right?
It created the file /tmp/METASPLOIT
Why not store form entries on SSL pages? That's what the "Remember this..." bits are used for. If you don't want it 'remembered', don't store it. I use this feature a lot, for non-sensitive information anyway. Not everything is critical... I'd think that the most common use of this would be username/password combos, which are already stored securely.
Your suggestion is inelegant to say the least. A change in the 'Remember this information' pop up form to add a check box if you want the information stored securely would be much more worthwhile.
Thanks for the idea though - I'd been meaning to pick up a software project to work on!
You are correct, but on the Mozilla Foundation's budget I'm pretty sure that's not going to happen :)
It may be disowned, but we love it all the same!
Seamonkey! my monkey! with your logo all of blue...
You're updated like the fox, yet no mention of you.
Your fatal flaw; the reason no one cares:
Failure to steal any IE market share!
Seamonkey 1.0.3 - http://www.mozilla.org/projects/seamonkey/releases/
Sometimes at night I imagine the darkness is filled with horrible things with too many teeth, like Julia Roberts.
No calculator was executed, but my Firefox footprint shot through the roof.
Business as usual then?
I keed! I keed!
If I had a dime for every time I hit C-x C-s while writing a post...
You need XKeymacs.
I was surprised to find that when I used apt-get upgrade a few hours ago, Firefox was upgraded to 1.5.0.5. This was before I even knew it was released. Kudos to whoever is managing Firefox for Ubuntu!
Portable Firefox runs on a USB drive without leaving anything on the computer that you're running it on. It allows you to take your edition of Firefox to any PC (not sure if it has to be Windows based, probably) and run it without any problems, with your favourites and extensions. I really loved this when I was in school and used different computers in the IT room.
It's also optimised to require very little read/write cycles to your USB drive seeing as they do have a limit. It's also a smaller install.
The best example would be the XUL exploit. Long fixed, but even longer on their bug list. The basic attitude was "There's no demonstration it's a real problem so we don't need to worry." Wasn't until someone released a proof of concept exploit (you may remember it, made front page Slashdot) that they finally got around to fixing it.
For that matter there are still non-security related bugs that persist, such as the clipboard bug. Sometimes Firefox will just refuse to copy text. Best as I can figure out, it's not realising that there's text selected, even though there clearly is. The system clipboard is still functioning correctly; just FF has problems. It's documented in a number of different reports on Bugzilla and has been around since as long as I've been using Firefox, still no fix.
I'm not trying to give FF shit here; I think it's a fine product. I certainly like it more than IE, hence why I'm typing this post in it right now. However, it is not this haven of security, and their fix rate is nothing I'm particularly impressed with. Being OSS doesn't really seem to have changed things. After all, it's still people behind it. Some bugs are hard to deal with and thus get left to languish (like the clipboard bug); some aren't fun to fix and don't seem important and thus are ignored till someone proves otherwise (like the XUL bug). Bugs just happen because, regardless of how many people look at something, it's just hard to write unerring code, especially if you want to keep a reasonably efficient release schedule and to run on all kinds of different platforms.
All I'm saying is that when FF fixes a list of bugs, there are those that are too inclined to herald this as a great thing with OSS, even if many of the bugs were things that should have been looked at earlier. When MS fixes a list of bugs, there are those that act as though they suck and the only reason there were bugs in the first place is their closed source methodology.
Thunderbird spam filter needs more than a little work - it just doesn't block spam effectively. I recently installed Cactus spam which is turning out to be the best spam filter I've ever used.
In theory, there's no difference between theory and practice; in practice there is.
It did do a heck of a job at making my system fairly unusable but it seemed to want to use all of my gig of swap space before it could create /tmp/METASPLOIT. I killed the process before it got that far but I think I would have done the same thing in any other situation where Firefox was making my machine unusable. So anyway it didn't seem to be fast enough to work for me.
But if you have malware on your computer, it's likely acting as a keylogger, so keeping your credit card numbers encrypted would not help very much. Next time you typed it in, it would record it. Also, smart malware would read the values from all the text boxes appearing in your browser to try and capture values that were already stored by autocomplete. If it's displaying it on the screen, it's in memory somewhere unencrypted. It would just have to wait for the browser to make a call to its decryption algorithm, and then take the number.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Endorsing security-by-obscurity on
Firefox 1.5.0.5 .ZIP package.
The links are usually posted here, but 1.5.0.5 hadn't been posted there yet.
I don't know if it's an illusion or not, but 2.0a1 feels faster than 1.5.0.5.
on Dropline Gnome 2.14.2.
Looks like Firefox 1.5.0.6 will be released very quickly to fix a bug in some streaming media links in 1.5.0.5. Specifically, Windows Media ".wmv" when called using "mms://", maybe Real using "rm://", does not work. Breaks streaming video links on http://mlb.com/. Release candidates for Firefox 1.5.0.6 are already on the way.
Wonder why Seamonkey gets close to nil attention here, thinking /. users would want the extra functionality/control of Seamonkey over FF's pretty face.
Always wonder why, if both use Gecko, FF supports horizontal scrolls while SM doesn't. Plus touchpad zoom 'just works' in FF and even IE, and 'just doesn't' in SM.
Just the other day I upgraded to 1.5 so I could use an extension. Unknown to me, that turns on automatic updates. Turn my box on today and am told an update is ready. Grumble, OK. Enter endless loop of Firefox unable to complete the update (because I don't run as admin). Can't EVEN LOG OFF. Have to kill Firefox from the process list. I guess I'll run IE for an hour to feel better about Firefox again.
Redtail
A new Thunderbird release? Does this one have any strings attached?
While a lot of people are inclined to bring back the debate of IE vs FF, from a user point of view it is as simple as: we will change when something better comes along. Say if something better than FF comes along, has a relatively small memory footprint, fewer security problems, and other benefits, I am sure that a lot of people will be using it.
Damn... potential cross platform exploits. Seems like Firefox is creating their own browser monoculture... and a multi-OS one at that. It's a shame they didn't take the time to program it securely the first time.
After reading the 'what's new' for the a-release and its bug fixes, it still boils down to one thing: Thunderbird still can't let you add address book records using LDAP. I was hoping this issue would get resolved soon enough but no dice. Someone, PLEASE tell me how wrong I am. I beg you!
This is frustrating because in my experience, Outlook is such an irrational piece of software when it comes to IMAP/LDAP and Thunderbird (to me anyway) only provides a superior IMAP portion. Still does wonders for me but how would a small office synchronize their address book otherwise?
Luckily there is a Thunderbird plugin that performs that trick by using regular files -- SyncMab.
It's getting to be time to update my Mozilla Suite anyway - is 2.0xx cooked enough to use, or is it better to go to 1.5.0.5 and wait for 2.0 final to update again?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
When are we going to stop writing large programs in C? For small things where portability is critical and lines of code are low, C can be a good choice for a certain class of application where low-level access and/or high efficiency is needed. However, with something massive like Firefox, it isn't possible to keep tabs on things. The result is a number of security holes surfacing constantly -- not an ideal situation. Why not move to a more secure language like Cyclone? Programmer portability in such a situation is high and entire classes of bugs would disappear. The performance penalty would be minimal.
Why aren't more people using such languages? Why not use Cyclone, or even higher level languages where they can reduce lines of code and keep things more maintainable in less performance critical sections? I can only attribute it to laziness and blubism:
"As long as our hypothetical Blub programmer is looking down the power continuum, he knows he's looking down. Languages less powerful than Blub are obviously less powerful, because they're missing some feature he's used to. But when our hypothetical Blub programmer looks in the other direction, up the power continuum, he doesn't realize he's looking up. What he sees are merely weird languages. He probably considers them about equivalent in power to Blub, but with all this other hairy stuff thrown in as well. Blub is good enough for him, because he thinks in Blub." - Paul Graham
Sigh. It would seem the Slashdot website lets you type more characters into the Subject field than it actually uses... which is just plain odd. The full subject line of that comment was:
Firefox Portable 1.5.0.5 & 2.0 b1: Works on USB & CD
Unfortunately they missed the chance to supply a well-documented and easily usable API (that would not require you to be a seasoned XUL/Javascript/Thunderbird programmer) for the spam filter functionality. I am sure that this would have motivated many more people to contribute spamfilter "plugins". There are *lots* of people and groups out there who have worked and still are working on spam filtering. The Thunderbird designers failed to create an infrastructure that would have motivated them to make their stuff work with Thunderbird.
What makes Firefox safer than IE is that its developers do worry about vulnerabilities and try to fix them ASAP. Unlike IE, which can keep a vulnerability for years.
I tried the demonstration exploit with the new Firefox-1.5.0.5 on Linux and it still managed to crash the browser (but only after I told NoScript to allow JavaScript from metasploit.com). What I noticed happening was an attempt to create a file on /tmp (which failed), followed by a dramatic memory use increase until it crashed. So perhaps a little more work needs to be done on this.
BTW, Thunderbird-1.5.0.5 is also available now.
Does it finally include vCard/iCard support for the address book?
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
If you are using a restricted account -- like you should -- then nothing will be pushed or forced onto your system.
You'll have to switch to an administrative account, and then manually trigger the update, or download the whole install.
(p.s. I am talking about Windows)
Make sure to read the bug report about this before you go into it.
The arrogance of the mozilla devs regarding this issue makes it likely your patch would be for naught.
BTW - It does it automatically, without warning or asking you if you want to save the info. After my fresh install I said "sure, OK, let's try this form autocomplete" the first time I went on Google or something. Then later on I was typing in my credit card number on some site and Firefox popped a drop down showing my entire credit card number. I'm a programmer. If I got burned by it, imagine how Joe Schmoe would handle it.
Also you can't ignore public terminals. Yes in theory people wouldn't enter such things on public terminals, and the people setting them up would disable all that stuff, or wipe the user data every log out.
But insecure-by-default is something that software in general is moving away from strongly. Trusting the end user to turn off dangerous options is not accepted as best practice anymore.
Does Thunderbird read local maildirs yet so I can get off of Evolution?
I've worked with good programs written in C, and bad programs written in C or C++. The Mozilla code base is not one of the good ones. I went into it once to try and chase down a proxy problem, and I ended up giving up... I couldn't figure out the call tree from entering a URL through to the proxies being applied to the actual connection.
Maybe it's better now, I don't know, I don't really care. Because on top of that the whole design of Firefox has gone down the same path as Internet Explorer (though, hopefully, not so far), with the same components responsible for evaluating trusted and untrusted objects. I originally believed that they had followed the same design as KHTML and created a sandboxed rendering engine that had additional components (I/O slaves) embedded when it knew it was dealing with trusted objects. Instead there have been many bugs that could only have occurred if an untrusted object was being checked for trustedness at run time. I suppose they had to do that to implement the XPI installer so you could install components directly from web sites.
Which is, of course, a bad idea to begin with.
I would love to be proven wrong, and I wish there was a good KHTML-based browser for Windows, or at least a good Gecko-based browser that didn't use XUL or anything like it.
I tried the test page and it popped up a dialog indicating that someone was trying to start a shell on a high port, and the browser hung.
:)
Is Camino vulnerable to an exploit or just a DOS?
Where is Camino 1.0.3?
Hmm. Maybe I'm just lucky, but it seems to work quite effectively. A lot better than Evolution, at any rate.
Actually, that's just a normal crash bug and not exploitable.
Clever signature text goes here.
Yeah, I know. I was just karma whoring for the funny mod-point. :-)
I'll make sure to point that out to HD and try to prod him to find an exploitable one.