Thunderbird 2.0 Alpha 1, Firefox 1.5.0.5 Available
nuyorker and hdm wrote to mention the new releases for Thunderbird and Firefox. hdm writes "This release of Firefox fixes 12 security holes, many of which can be used to execute malicious code. The Browser Fun project has provided an online demonstration of one of these flaws. This demonstration is capable of executing code on Windows, Linux, and both architectures of the Mac OS X platform; you're going to want to upgrade today!"
This made it to Debian Testing yesterday and Ubuntu this morning... slashdot's news pipeline is stalling :)
As in pushed out to you without asking you first. That was quite the surprise.
Firefox and Gecko devs really need to take security much more seriously. It seems like they're just trying to rely on the browsers being open source and keeping security just an afterthought.
Does anyone know if this latest release has gotten rid of some of the memory "features" that I've come to love in Firefox. I don't know what I would do if they got rid of them (other than have a smaller page file ;).
Thanks!
All glory to the Hypnotoad!
...I was pushed Thunderbird 1.5.0.5 earlier this morning, too.
Breakfast served all day!
Automatically received, downloaded, and installed. Automatic updates done right.
So, how many security holes does Internet Explorer usually see in a patch cycle?
This is getting insane. I'm thinking of switching to Opera if only for the added security, greatly reduced memory footprint, and greatly increased speed. Only thing keeping me with Firefox is AdBlock.
I tried the demo on my system (an up-to-date Gentoo w/ Firefox 1.5.0.4). It didn't work. I use the hardened sources w/ the hardened USE flag, so that may have something to do with it.
Ugh. Security holes? Malicious code? I knew there was a reason I switched to Firefox. This just proves IE is worthless.
Oh wait, this is about firefox?
Ummm... Hooray! Firefox is even more secure now!
I have really been waiting for this build of Thunderbird. It finally includes message tagging, which is something that I've been wanting natively in Thunderbird for a long time. Tagging now also apparently works with IMAP connections, although at least some users are having some problems with that feature. (Bug #344290).
It is a solemn thought: dead, the noblest man's meat is inferior to pork.
How would a person use this flaw to run a keylogger or other virus on a person's system? Is it possible to do this with this bug? I autopatched when the new version came out, but the behavior of the test site, with firefox crashing and the hard disk making the hard disk reading/writing noise, I've seen before the patch on some nonreputable websites...how bad could the damage be, and do I need to reformat? (NAV doesn't detect anything, but NAV never detects anything, including my homemade virii/keyloggers)
my Sinclair ZX81 isn't exploitable
take that! YUO L00ZER HAX0RZ
... between Windows and the other OS's is that generally, the average user for Windows has full admin privs. while the average user for Linux and OSX browse the internet with significantly less privs.
I know Java must be available because Java is WORA.
tha+t has Grown up
URL: about:config, filter for: memory, adjust relevant options. -1 for capacity indicates automatic.
When, oh when, will I learn to not click on things that say "Clicking this may crash your browser"?
I am running 1.5.0.5 (thanks, Firefox auto-updater thingy!), so it couldn't execute the test on my machine, but that didn't stop the browser crashing.
Web consulting +
unlike Microsoft who takes weeks, months, years...
Web consulting +
I just tried the exploit demonstration page, and it doesn't seem to do anything. Using Firefox 1.5.0.5 on Mac OS X. Any ideas?
Ceci n'est pas une sig
Seems that the really old Bon Echo (firefox 2 alpha) version I am using isn't vulnerable, that's weird
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
No lengthy and buggy "WGA" product check necessary.
No advanced computer knowledge necessary.
Browser restart is required, operating system restart is not.
(this is in the case of a Windows user).
Turnaround time from the reporting of http://www.mozilla.org/security/announce/2006/mfsa2006-45.html to a fix deployed: 1 day.
I'll leave the comparisons up to others.
Try to imagine writing a shell script that would cheerfully do a cd /usr/bin; rm *. Can you? Now look at this bug report:
bug 234479
One of the programmers (Andrew Schultz) can't imagine any way of dealing with version skew problems outside of completely erasing the installation directory in order to start from scratch.
For those not aware, thunderbird spam filter can use a little work. I've found a WONDERFUL extension that does just that... www.spamato.net for those interested.
- Joe
I have version 1.5.0.5 installed on my windows machine and the online demo still crashes my browser. I will await version 1.5.0.6. :)
Portable Firefox is now Mozilla Firefox - Portable Edition (or, Firefox Portable among friends) and a new version has been released. This new version sports some handy new features, including: CD support (aka Firefox Portable Live), partial update support, in-place upgrade support, full compatibility with Wine running on your favorite *nix distro, and more. It's available in three different versions: 1.5.0.5 for everyday use, 2.0 Beta 1 for testing the latest Firefox beta and 1.0.8 for web developers to test pages against. Full details are on the Firefox Portable Release Page.
Portable versions of Firefox, GIMP, LibreOffice, etc
but my Firefox crashed. :(
This release is buggy. The "dom inspector" and "livetalk" extensions (the ones that come with firefox itself if you choose to install them) get disabled when updating due to incompatibility with the new version.
However, at work the update went fine, so I don't know what exactly triggers it.
Open Source Java Web Forum with LDAP authentication
Just an FYI for anyone updating: after downloading this, MLB.tv video appears to be broken. No idea why, the video just doesn't show.
Portable Edition? I thought Firefox was already portable - it runs on Windows, various UN*X+X11 combinations, and OS X, right?
It created the file /tmp/METASPLOIT
Oh yeah, FF is SO secure. Just more proof that if hackers want to hack, they'll find a way. It irks me when I see those Mac commercials about not getting attacked by viruses. The more popular FF became the more the script kiddies had a reason to F with it.
Terrible karma and aiming lower, which in this environment of one-sided reason, is higher.
It may be disowned, but we love it all the same!
Seamonkey! my monkey! with your logo all of blue...
You're updated like the fox, yet no mention of you.
Your fatal flaw; the reason no one cares:
Failure to steal any IE market share!
Seamonkey 1.0.3 - http://www.mozilla.org/projects/seamonkey/releases/
Sometimes at night I imagine the darkness is filled with horrible things with too many teeth, like Julia Roberts.
No calculator was executed, but my Firefox footprint shot through the roof.
Business as usual then?
I keed! I keed!
I was surprised to find that when I used apt-get upgrade a few hours ago, Firefox was upgraded to 1.5.0.5. This was before I even knew it was released. Kudos to whoever is managing Firefox for Ubuntu!
Portable Firefox runs on a USB drive without leaving anything on the computer that you're running it on. It allows you to take your edition of Firefox to any PC (Not sure if it has to be Windows based, probably) and run it without any problems, with your favourites and extensions. I really loved this when I was in school and used different computers in the IT room.
It's also optimised to require very little read/write cycles to your USB drive seeing as they do have a limit. It's also a smaller install.
The best example would be the XUL exploit. Long fixed, but even longer on their bug list. The basic attitude was "There's no demonstration it's a real problem so we don't need to worry." Wasn't until someone released a proof of concept exploit (you may remember it, made front page Slashdot) that they finally got around to fixing it.
For that matter there are still non-security related bugs that persist such as the clipboard bug. Sometimes Firefox will just refuse to copy text. Best as I can figure out it's not realising that there's text selected, even though there clearly is. The system clipboard is still functioning correctly, just FF has problems. It's documented in a number of different reports on Bugzilla and has been around since as long as I've been using Firefox, still no fix.
I'm not trying to give FF shit here, I think that it's a fine product. I certainly like it more than IE hence why I'm typing this post in it right now. However it is not this haven of security and their fix rate is nothing I'm particularly impressed with. Being OSS doesn't really seem to have changed things. After all, it's still people behind it. Some bugs are hard to deal with and thus get left to languish (like the clipboard bug), some aren't fun to fix and don't seem important and thus are ignored till someone proves otherwise (like the XUL bug). Bugs just happen because, regardless of how many people look at something, it's just hard to write unerring code, especially if you want to keep a reasonably efficient release schedule and to run on all kinds of different platforms.
All I'm saying is that when FF fixes a list of bugs, there are those that are too inclined to herald this as a great thing with OSS, even if many of the bugs were things that should have been looked at earlier. When MS fixes a list of bugs, there are those that act as though they suck and the only reason there were bugs in the first place is their closed source methodology.
Thunderbird spam filter needs more than a little work - it just doesn't block spam effectively. I recently installed Cactus spam which is turning out to be the best spam filter I've ever used.
In theory, there's no difference between theory and practice; in practice there is.
It did do a heck of a job at making my system fairly unusable but it seemed to want to use all of my gig of swap space before it could create /tmp/METASPLOIT. I killed the process before it got that far but I think I would have done the same thing in any other situation where Firefox was making my machine unusable. So anyway it didn't seem to be fast enough to work for me.
Endorsing security-by-obscurity on
Firefox 1.5.0.5 .ZIP package.
The links are usually posted here, but 1.5.0.5 hadn't been posted there yet.
I don't know if it's an illusion or not, but 2.0a1 feels faster than 1.5.0.5.
on Dropline Gnome 2.14.2.
Looks like Firefox 1.5.0.6 will be released very quickly to fix a bug in some streaming media links in 1.5.0.5. Specifically, Windows Media ".wmv" when called using "mms://", maybe real using "rm://", does not work. Breaks streaming video links on http://mlb.com/ Release candidates for Firefox 1.5.0.6 are already on the way.
Wonder why Seamonkey gets close to nil attention here, thinking ./ users would want the extra functionality/control of Seamonkey over FF's pretty face.
Always wonder why if both use Gecko, FF supports horizontal scrolls while SM doesn't. Plus touchpad zoom 'just works' in FF and even IE, and 'just doesn't' in SM.
Just the other day I upgraded to 1.5 so I can use an extension. Unknown to me, that turns on automatic updates. Turn my box on today and am told update is ready. Grumble, OK. Enter endless loop of Firefox unable to complete update (because I don't run as admin). Can't EVEN LOG OFF. Have to kill firefox from process list. I guess I'll run IE for an hour to feel better about Firefox again.
Redtail
A new Thunderbird release? Does this one have any strings attached?
While a lot of people are inclined to bring back the debate of IE vs FF, from a user point of view, it is as simple as we will change when something better comes along. Say if something better than FF comes along, has relatively small memory footprint, lesser security problems, and other benefits, I am sure that a lot of people will be using it.
Damn... potential cross platform exploits. Seems like Firefox is creating their own browser monoculture... and a multi-OS one at that. It's a shame they didn't take the time to program it securely the first time.
After reading the 'what's new' for the a-release and its bug fixes, it still boils down to one thing: Thunderbird still can't let you add address book records using LDAP. I was hoping this issue would get resolved soon enough but no dice. Someone, PLEASE tell me how wrong I am. I beg you!
This is frustrating because in my experience, Outlook is such an irrational piece of software when it comes to IMAP/LDAP and Thunderbird (to me anyway) only provides a superior IMAP portion. Still does wonders for me but how would a small office synchronize their address book otherwise?
Luckily there is a Thunderbird plugin that performs that trick by using regular files -- SyncMab.
It's getting to be time to update my Mozilla Suite anyway - is 2.0xx cooked enough to use, or is it better to go to 1.5.0.5 and wait for 2.0 final to update again?
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
When are we going to stop writing large programs in C? For small things where portability is critical and lines of code are low, C can be a good choice for a certain class of application where low-level access and/or high efficiency is needed. However, with something massive like Firefox, it isn't possible to keep tabs on things. The result is a number of security holes surfacing constantly -- Not an ideal situation. Why not move to a more secure language like Cyclone? Programmer portability in such a situation is high and entire classes of bugs would disappear. The performance penalty would be minimal.
Why aren't more people using such languages? Why not use Cyclone, or even higher level languages where they can reduce lines of code and keep things more maintainable in less performance critical sections? I can only attribute it to laziness and blubism:
"As long as our hypothetical Blub programmer is looking down the power continuum, he knows he's looking down. Languages less powerful than Blub are obviously less powerful, because they're missing some feature he's used to. But when our hypothetical Blub programmer looks in the other direction, up the power continuum, he doesn't realize he's looking up. What he sees are merely weird languages. He probably considers them about equivalent in power to Blub, but with all this other hairy stuff thrown in as well. Blub is good enough for him, because he thinks in Blub." - Paul Graham
Sigh. It would seem the Slashdot website lets you type more characters into the Subject field than it actually uses... which is just plain odd. The full subject line of that comment was:
Firefox Portable 1.5.0.5 & 2.0 b1: Works on USB & CD
Portable versions of Firefox, GIMP, LibreOffice, etc
Unfortunately they missed the chance to supply a well-documented and easily usable API (that would not require you to be a seasoned XUL/Javascript/Thunderbird programmer) for the spam filter functionality. I am sure that this would have motivated many more people to contribute spamfilter "plugins". There are *lots* of people and groups out there who have worked and still are working on spam filtering. The Thunderbird designers failed to create an infrastructure that would have motivated them to make their stuff work with Thunderbird.
What makes firefox safer than IE is that its developers do worry about vulnerabilities and try to fix them ASAP. Unlike IE which can keep a vulnerability for years.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
I tried the demonstration exploit with the new Firefox-1.5.0.5 on linux and it still managed to crash the browser (but only after I told NoScript to allow javascript from metasploit.com). What I noticed happening was an attempt to create a file on /tmp (which failed) followed by dramatic memory use increase until it crashed. So perhaps a little more work needs to be done on this.
BTW, Thunderbird-1.5.0.5 is also available now.
Does it finally include vCard/iCard support for the address book?
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
If you are using a restricted account -- like you should -- then nothing will be pushed or forced onto your system.
You'll have to switch to an administrative account, and then manually trigger the update, or download the whole install.
(p.s. I am talking about Windows)
Does Thunderbird read local maildirs yet so I can get off of Evolution?
I've worked with good programs written in C, and bad programs written in C or C++. The Mozilla code base is not one of the good ones. I went into it once to try and chase down a proxy problem, and I ended up giving up... I couldn't figure out the call tree from entering a URL through to the proxies being applied to the actual connection.
Maybe it's better now, I don't know, I don't really care. Because on top of that the whole design of Firefox has gone down the same path as Internet Explorer (though, hopefully, not so far), with the same components responsible for evaluating trusted and untrusted objects. I originally believed that they had followed the same design as KHTML and created a sandboxed rendering engine that had additional components (I/O slaves) embedded when it knew it was dealing with trusted objects. Instead there have been many bugs that could only have occurred if an untrusted object was being checked for trustedness at run time. I suppose they had to do that to implement the XPI installer so you could install components directly from web sites.
Which is, of course, a bad idea to begin with.
I would love to be proven wrong, and I wish there was a good KHTML-based browser for Windows, or at least a good Gecko-based browser that didn't use XUL or anything like it.
I tried the test page and it popped up a dialog indicating that someone was trying to start a shell on a high port, and the browser hung.
:)
Is Camino vulnerable to an exploit or just a DOS?
Where is Camino 1.0.3?
Hmm. Maybe I'm just lucky, but it seems to work quite effectively. A lot better than Evolution, at any rate.