Another Denial of Service Bug Found in Firefox 2

An anonymous reader writes "A second security flaw that could cause the new Firefox 2 browser to crash has been publicly disclosed. The vulnerability lies in the way the open-source browser handles JavaScript code. Viewing a rigged Web page will cause the browser to exit, a representative for Mozilla, the publisher of the software, said Wednesday. Contrary to claims on security mailing lists, the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different than the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week. That bug is related to a more serious security hole, which was fixed in earlier versions of Firefox, the organization has said. The two 'crashers' are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said."

LOL IE Users!

Switch to Firefox, idiots! None of the security problems!

See?

Re:LOL IE Users!

[Mikachu]

Except let's see how long it takes for the Firefox team to patch up these flaws as opposed to IE.

Re:LOL IE Users!

[biocute]

It doesn't matter how long.

I'm sure Microsoft will still get hammered even if it issues 0-day patches.

Re:LOL IE Users!

[paul248]

I filed a bug for another DoS over a year ago and they still haven't fixed it:

Crash Firefox

The insta-crash only seems to work on Linux though.

Re:LOL IE Users!

https://bugzilla.mozilla.org/show_bug.cgi?id=29871 7

Re:LOL IE Users!

[DeviousDevil]

What a suprise slashdot/firefox fan boys don't mind the bugs in FF. If this was a bug being reported in IE you guys would be slagging both it and MS off even if you could simply turn script off, or wait for the patch. But because it's not IE (or an MS product for that matter) you don't bat an eyelid, further more you have a go at MS even though it's a FF problem, for crying-out-loud. You guys are such hypocrites. Oh and by the way MS release patches quite regularly (although they get slagged off for that as well, they can't win).

Re:LOL IE Users!

[Propaganda13]

Actually, I have no problem bashing FF either. I'm fair about it.

1. Is it a security hole or a just bug?
2. Likelihood of encountering bug
3. Overall effect of the bug
4. Time it takes to actually patch bug (ie no turn-off workarounds)

If it's just a bug that takes a specially coded web site to just crash my browser, I'm not too worried.

Security flaws or common crashes will get me annoyed.

Re:LOL IE Users!

[Skreems]

In the end it doesn't really matter. /. posters are a small but vocal fringe group who more likely than not will have no measurable effect on the browser market. The true test is what the public at large thinks, and they seem to think that Microsoft is relatively good at what they do, but the more tech-savy among the general population has found that Firefox has a better feature set. A couple bugs on either side aren't going to sway a bunch of people one way or another, because bugs "Just Happen". It's an accepted part of computing, and nobody really cares. IE users will feel smug, Firefox users will download a patch, and next time the roles will be reversed. It just doesn't matter.

Re:LOL IE Users!

Though, I don't doubt the ability for the Firefox team to patch these issues, what irks me are the developers ego's that has taken over Firefox, these issues were discussed and theorized ages ago before even Firefox 1.5 came out (maybe even before Firefox name change itself, not sure) and of course people came up with solutions, that has since never made it into any Firefox update because of complications (mainly DEV ego). Javascript in Firefox is absolutly horrible, a complete mess and just waiting to be exploited, don't be surprised to see more of these crop up. Those hackers who said they had a method to load up spyware via firefox through a JS exploit, I just might believe they have something up their sleeve. The longer these issues remain, the more problematic they'll get version after version.

I am hoping Seamonkey will go on a different path.

Re:LOL IE Users!

https://bugzilla.mozilla.org/show_bug.cgi?id=59314

Opened: 2000-11-06

(Interestingly enough, firefox crashed when I was going to post this message...)

Re:LOL IE Users!

[Daath]

Was that link supposed to crash my firefox? Nothing happened using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061025 BonEcho/2.0 (mmoy CE K8C-X01)...

Re:LOL IE Users!

[Tim+C]

Of course they will - there shouldn't have been a problem in the first place, rolling out patches is a pain, "what about the ones they've not told us about?", etc.

Make no mistake, a lot of people on here aren't so much pro-OSS as they are anti-MS.

(Disclaimer: I have not and never will use IE as my primary browser)

Re:LOL IE Users!

[Richard+W.M.+Jones]

Firefox 2.0 on Linux - yup, it crashes. Even worse the session save feature causes it to crash when it starts up next time. I had to hand-edit sessionsaver.js to stop it reopening the URL.

Rich.

Re:LOL IE Users!

[charlieman]

It crashed my Firefox 1.5 on Linux...
Weird... opening the image directly doesn't crash...

Re:LOL IE Users!

[makomk]

Are you kidding? Internet Explorer has so many DoS/crash bugs, I don't think a new one would ever make Slashdot - it's just not news anymore (take a look at the Browser Fun blog for some examples, though it's out of date by now). Konqueror has a few too (take MangleMe to it and you'll see what I mean), and I bet Safari and Opera do as well.

Re:LOL IE Users!

This fixed the crashing for me in Ubuntu Edgy.

Re:LOL IE Users!

[Shaper_pmp]

I'll take a nice, safe browser crash with over an ActiveX control or buffer overflow executing arbitrary code on my local machine any time.

Nobody sane ever said Firefox has no bugs and no security holes.

However, those said holes tend to be fewer than IE, less severe and patched faster.

I've got to say, that was a truly terrible troll.

Re:LOL IE Users!

[Richard+Steiner]

Make no mistake, a lot of people on here aren't so much pro-OSS as they are anti-MS.

Of course. Remember that many of the PC hobbyists on this site predate the general acceptance of the FOSS movement, and that many of us remember Microsoft from their DOS and Win 3.1 days as well as their more recent attempts at world domination.

After 20 years of dealing with that company, one tends to develop well-entrenched opinions about the quality of their software and the ethics (or lack thereof) behind Microsoft's business practices.

Re:LOL IE Users!

[aconbere]

What's funny is that this case is specifically accounted for by the dialog that pops up when Firefox recognizes a crash and attempts to load a new session. This dialog is impossible without an extension to get rid of while still keeping the session saver functionality (for this reason precisely). So either... you aren't using the native session saving, or you broke something else. OR! you could be over blowing what's going on and saying that "When I tried to reload my session using the session saver functionality it crashed" which would of course be true, and the fix would be to simple not load the session at startup.

~ Anders

Re:LOL IE Users!

[drinkypoo]

Amen to that. Microsoft has not only not changed their stripes, but they've gotten worse. Well, some things are better; if you got a defective paper tape of Altair basic, gates wouldn't replace it. These days your retailer will replace a defective CD.

Re:LOL IE Users!

[Richard+W.M.+Jones]

which would of course be true, and the fix would be to simple not load the session at startup.

And then lose the hundred or so other windows I've got open. Great idea! This is why I had to edit sessionsaver.js if you'd actually bothered to read my posting.

Rich.

Re:LOL IE Users!

[aconbere]

I did read your post, but your post also implied that Firefox defaulted to crashing on startup, as opposed to giving you the option walk around that problem. If you had mentioned something along the lines of not wanting to loose those tabs I think that would have made for a much more reasonable post.

Re:LOL IE Users!

[DaggertipX]

It's the "even if" in that statement that gets me. They dont' release fast patches. Unless it's to a hole in their DRM scheme, of course, they have to satisfy their REAL customers.

Re:LOL IE Users!

[rlandrum]

Wow. Nifty. I actually looked at the bug report though, and it looks like the issue is a bit deeper than firefox. It looks like it has to do with GTK. While not exactly an excuse for a bug, it at least explains why they haven't fixed it.

Rob

Re:LOL IE Users!

[HeroreV]

Thanks for crashing Firefox for me asshat. I was expecting an explanation of the problem, not the actual exploit. Fortunately Firefox recovered everything and I was able to close the tab before it reloaded.

Old times

[managementboy]

It used to be that if one an application crashed and it was called just that: it crashed. Today its a DOS attack! Imagine how many DOS my old Windows 3.11 had... come to think of it, it only had one DOS.

We present "DOS reloaded"!

Re:Old times

[utlemming]

If you read the article, Microsoft is calling one of their's a design decision. I love those undocumented features...

Re:Old times

[eklitzke]

Like it or not, the fact remains: if you can cause someone's application to crash, it is a denial of service. Treating it as a security flaw is completely justified.

Re:Old times

like it or not, if you're using your website to crash the browsers of your visitors, you're running a denial of service against yourself. but what happens with the browser is still a crash ;)

Re:Old times

[kfg]

Treating it as a security flaw is completely justified.

While it is a flaw in the code, I would call shutting down on the detection of a maliciously rigged web site a security enhancement.

KFG

Re:Old times

[kfg]

It used to be that if one an application crashed and it was called just that: it crashed. Today its a DOS attack!

Wait until next year when it becomes a suspected cyber warfare attack.

KFG

Re:Old times

[cperciva]

It used to be that if one an application crashed and it was called just that: it crashed. Today its a DOS attack!

Not necessarily. Application-crashing bugs are Denial of Service bugs if they can be triggered remotely.

There's a fundamental difference between "I can make my copy of FireFox crash" and "I can make your copy of FireFox crash".

Re:Old times

Heh. But seriously, what's the impact of a browser DoS: Oh no! A malicious web page can... close your browser window!!! :-\ I think a javascript alert loop would be more annoying.

Re:Old times

[Merusdraconis]

Unless it's IE, in which case it's yet another example of Microsoft's shoddy coding?

Re:Old times

[phorm]

It is, but it seems that the term is broadly. In many cases, the term DOS was often used as a term to describe an attack which would render an entire system inoperable. That is to say, when I heard it used in this context, I expected that it would crash the browser, and lock or disable the OS. As it is, it's still an annoying bug, but having to simply restart the browser hardly seems as serious as a full-out machine crash.

Re:Old times

There's a fundamental difference between "I can make my copy of FireFox crash" and "I can make your copy of FireFox crash".

Indeed. So how exactly do you use this bug to crash my copy of FireFox without asking me to do something? You can't, can you. So then it's not a "DOS" attack.

Re:Old times

[jesser]

More to the point, there's a fundamental difference between "I can make your copy of Firefox crash when you visit my site" and "I can make your copy of Apache crash".

Crash bugs in client software such as web browsers are "crashes", not "DoS vulnerabilities".

Re:Old times

[WilliamSChips]

I remember DOS making entire systems unusable... :P

Re:Old times

[CastrTroy]

Exactly. If all the browser does is crash every time you go to a specific website, then the user is just going to stop visiting that website. Or, they're stupid and don't understand cause and effect. I wouldn't call it a DOS attack since you can't really make the user visit your website to crash it. It's still a bug, and still needs to be fixed, but I think calling it a DOS is blowing it a little out of proportion. If it somehow broke firefox and made it unable to visit any site, until it was reinstalled, then it may be called a DOS attack.

Re:Old times

[a.d.trick]

Hm, that's weird, because by using JavaScript or CSS in the right places there are about a million and one ways to crash IE. This isn't from using malformed stuff, it's just what I've come upon as a webdeveloper trying to get my site to work with a broken browser. I've only crashed Firefox once, and while I consider that bad for a web browser, it's much better than the day's I've spent with IE. The problem with IE was also complicated by the fact that explorer is everywhere, so when it hung, it screwed everything up.

Should I report these as DOSeS?

Re:Old times

[erroneous]

Maybe if it shut down just that one tab.

But in a multi-tabbed environment losing the entire application because of malicious code in a web page in one tab could be a problem.

What if I was composing an amazing, insightful, guaranteed +5 karma comment in one tab when another tab went and crashed my entire browser?

Re:Old times

[AmberBlackCat]

Imagine how many DOS my old Windows 3.11 had

Yes, but this is 2006 and IE7 is looking a lot better than Firefox 2 so far. Keep in mind, the extensions are not Firefox 2.

Re:Old times

[kfg]

You might be forced to go back to work?

KFG

Re:Old times

They're not triggered remotely. You have to request the DoS off the Internet. Why you would want to do so is a mystery to me, but clearly this is a feature, not a bug.

Re:Old times

[Fred_A]

Hence the Denial Of Slacking. That's why the problem ought to be fixed as soon as possible.

Re:Old times

[xra]

As long as I can't run it in my Linux box, I'll say Firefox is a lot better than IE.

Re:Old times

You might be forced to go back to work?

Way to dodge the question. How about just admitting that you were talking out your ass and moving on.

firefox 2

[tedmg09130913]

Is anyone else thinking that running firefox 2 with noscript installed means this vulnerability is no big deal?

Re:firefox 2

[bassgoonist]

noscript ftw! https://addons.mozilla.org/firefox/722/

should be part of FF...

Re:firefox 2

[baadger]

Interesting you say that, the Gentoo Linux Firefox ebuild (package) maintainers recently added a "restrict-javascript" USE flag (install option) which installs the NoScript extension system wide (for all users).

Re:firefox 2

[Caesar+Tjalbo]

Javascript is apparantly a big deal. Even on completely static pages ffs not to mention entire sites coded in js. It can be very useful but the average sitebuilder seems to include js by default, useful or not. [/rant]

Re:firefox 2

[soulhuntre]

"Is anyone else thinking that running firefox 2 with noscript installed means this vulnerability is no big deal?"

Firefox - now with no Javascript (or Ajax support of course)!

Less capability - it's not a bug, it's a feature!

Re:firefox 2

NoScript disables Javascript on sites that aren't in your trusted whitelist, it doesn't reduce compatibility. It can also block flash and other plugins from loading on unknown sites, which is a good thing IMO.

Yes, idiots are thinking that.

A non-mofo extension that avoids the problem by disabling javascript isn't really a solution. 99% of Firefox users don't even know what noscript is.

Re:Yes, idiots are thinking that.

For the enlightened 1% it solves the problem, though. You could become one of them. Or could have become one before this was known because you had some shitty experiences with JS on certain websites.

Re:Yes, idiots are thinking that.

[Salmar]

99% of Firefox users don't even know what noscript is.

You could just turn JavaScript off in the options...

Even still, it's not a big deal. Browser users tend not to complain. They just start it up again and avoid that page.

It also has newbie's privacy bug

[cucucu]

It also has a beginner's privacy bug: (full disclosure: my blog) http://tech-dissect.blogspot.com/2006/10/firefox-p rivacy-bug.html.
In short: Ctrl-Shift-Del doesn't delete everything you expect it to delete, your browse history can still be recovered.

Re:It also has newbie's privacy bug

[smeagols_ghost]

1.5.0.7 on xp clears the javascript console on browser close.

But it should wipe it on ctrl-shift-del

Re:It also has newbie's privacy bug

[AlHunt]

>It also has a beginner's privacy bug: (full disclosure: my blog) http://tech-dissect.blogspot.com/2006/10/firefox-p rivacy-bug.html

Interestingly, your blog crashes Konqueror on my machine. Repeatedly.

Re:It also has newbie's privacy bug

[cucucu]

That's curious as its a standard blogger blog (with google analytics).
Do other blogger blogs crash Konqueror too?
Which exact URL causes the crash?

Re:It also has newbie's privacy bug

[Ash-Fox]

Interestingly, your blog crashes Konqueror on my machine. Repeatedly.

Does not crash Konqueror 3.5.5 using KDE 3.5.5 here.

Re:It also has newbie's privacy bug

Not on my machine it doesn't.

Running Firefox 2.0 here. When you clear private data, the error console is cleared. Immediately.

Re:It also has newbie's privacy bug

[AlHunt]

>Do other blogger blogs crash Konqueror too?
>Which exact URL causes the crash?

I can't think of anything else that crashes me repeatedly.

The URL you posted is what crashes for me - Konqueror 3.5.1 and KDE 3.5.1 on OpenSuSE 10.1

It could be something here. I see the rare crash, like most people. I just thought it was funny. FF 1.5 works fine for me on that same link, btw.

Re:It also has newbie's privacy bug

[cucucu]

So post this URL to the Konqueror people (at least I will get some more hits in my blog...).

Ah, browsers...

FF: "It's a bug!"
IE: "It's a feature!"

Re:Ah, browsers...

[Ciggy]

Feature := Bug as described by the marketing department.[1]

[1] From the glossary of an Apple ][ manual.

Semi-off topic but

Just FYI, Microsoft has officially put IE 7 on Microsoft/Windows Update as an option to automatically upgrade.

For reals this time.

I want a refund!

[www.sorehands.com]

Another bug?? I want a refund! It's free? I want double my money back!

Re:I want a refund!

[jt2377]

it's free thus you don't cry murder but if MS's IE have a bug...you want blood. typical.

Re:I want a refund!

[geminidomino]

IE is "free" in the same way the shell is "free" when you buy the canolli.

Install

[ms1234]

You could install NoScript addon... Great utility :)

Re:Install

[CCFreak2K]

Parent has a point. These kinds of attacks are mitigated by user-created plug-ins. Once again, the problem is semi-contained before it's even released. There's still people that will be affected by it, but the simple and elegant plug-in system as well as plug-in writers (yes, they're simple and elegant, too) bring great tools to extend the usability of Firefox.

End marketing rant.

Re:Install

Unless you are thinking of removing mozilla.org from the permanent blocklist...

NoScript is great though especially with AdBlock.

And...

[Pacifist+Brawler]

I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory. I mean, how hard is it to re-open a browser?

Re:And...

[RAMMS+EIN]

``I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory.''

You mean like garbage collection? I seem to recall that one McCarthy, in the late 1950s, came up with an algorithm that does that _without_ requiring the program to be restarted. Perhaps the FF2 team could look into that.

the difference

The difference is that the so-called "crashing" (closing the FF screen) is due to miscoding (couldn't handle JavaScript the way it was supposed to be done) whereas for IE 7, the real irony is that the anti-spoofing is one of the feature (read: strong points) the new browser is supposed to deal with. If you consider a bugged feature as a major feature, then

Secunia: If you open up an IE 7 pop-up, the phishing address is masked
Shady M$: Not if you follow our safety browsing guidelines and verify HTTPS contents
End-user: You mean we have to browse to your page to read the safety guidelines before I can browse the Web safely? That is after reading your EULA on Windows, and then the IE 7 installation?

So when is Opera releasing their new browser to compete against these 2 and get their fair share of nit-picking?

Yahoo! mail

[Calinous]

Yahoo! mail seems to use a less dangerous of these vulnerabilities - while stable versions earlier than 2.0 would crash, 2.0 only crashes when exiting Yahoo! Mail or when closing all the tabs of Yahoo Mail. Firebird 0.7 is not affected

Re:Yahoo! mail

[From+A+Far+Away+Land]

Yahoo Mail would crash my Firefox 1.x until I moved to Yahoo Mail beta.

Isn't using Firebird 0.7 like using IE 5.0 these days?

Re:Yahoo! mail

[Calinous]

I'd say like using an secure IE5. I don't know how many vulnerabilities are in the 0.7 version, but I don't think I've encountered any. There are some nice updates in the 1.x versions (much better download manager, for one), but I feel secure using the 0.7, and it shows everything I want to see.

Oo

[Konster]

Editors need to RTFA.

Easy solution: NoScript

Install NoScript plug-in and allow Javascript only for the sites that you absolutely have to use. This solution also protects you against any future Javascript related security issues.

So funny

[ZeroExistenZ]

How slashdotters start pointing and laughing when there's a IE exploit, doesn't matter how big or small, and always the "workaround" is looked at as unacceptable.

When it's about Firefox, they immediatly relativate it and minimalize it. "Oh, just install noscript", "tis just a small exploit", "well, why not restart your browser? If it crashes, so what? Why don't you click the icon again? You lazy bastard!"...

I even read some comments, in reply that there's said IE 7 feels better then FF 2.0, that the faults in FF are acceptable. It's a complete double standard.

For me, Firefox 2.0 is worthless; bloathed, crashes constantly, and is just not workable anymore. I've been using Firefox from the very start, but Firefox 2.0 make me switch to Opera.

Re:So funny

[itsdapead]

It's a complete double standard.

I completely agree - hyping up a bug that causes the application to exit (oh the humanity! how can that happen?) in Browser A as a "security vulnerability" as if its somehow comparable with a "redirect my secure connection to a phishing site" flaw in Browser B is blatent double standards...

Oh, wait, you mean the other way around? No, don't get that, sorry.

Re:So funny

It is not normal that Firefox 2.0 crashes all the time, so it should be possible to fix that (if you are still interested in). Try these steps:
http://kb.mozillazine.org/Firefox_crashes

Re:So funny

[RAMMS+EIN]

``For me, Firefox 2.0 is worthless; bloathed, crashes constantly, and is just not workable anymore. I've been using Firefox from the very start, but Firefox 2.0 make me switch to Opera.''

And for those of you wishing to stick with open source software, there's Konqueror. Compared to Firefox, it runs faster, uses way less memory, and several of the new features in Firefox 2 (like an integrated spell checker) have been available for ages. I can't comment on the stability, as neither Firefox (1; I haven't ran 2 yet) nor Konqueror crashes particularly often for me.

Re:So funny

[mackyrae]

You think 2.0 is slower/crashier than 1.5.0.7? The old one locked up on me at least 3 or 4 times a day. 2.0 never does.

Re:So funny

[maxume]

There are over one million user names registered. Pick a fence and slashdot has jackasses sitting on either side of it.

Re:So funny

[ZeroExistenZ]

Thanks for the tip, I'm downloading it now.

Re:So funny

[snero3]

Personally I think the comments you are referring to come from a number of different factors

1. Microsoft is often not the one to admit the security flaw. Where as Mozilla/firefox community is.
2. Often Microsoft will denie the flaw pointed out in point number 1
3. There have been numerous occurrences where an IE bug has allowed a whole PC to be taken over from bug that either MS denies exists or is very slow to patch. Holes like that in firefox generally get patched well before it is public knowledge.
4. for the longest time IE was the ONLY browser that would work properly on a windows environment and MS thought that was a "fair and just" way to do business.
5. Firefox is OSS, so you can go in there and fix/find the bug yourself where as with IE you have to rely on MS fixing it for you.

As for you issues with it crashing I think that is a bit personal/related to your system? Come on! you swapped to a completed different browser after little over a week of use? I personal run firefox 2 on OS X, windows XP/2000 and Linux (FC4,RHEL4u3) and have had not problems on any platform, but maybe that is just me.

Re:So funny

comma much?

Re:So funny

[tsa]

I find it strange that there are so many people who all have different experiences with FF. For me it just works, regardless of which version it is, and regarless of the OS I run it on (Windows, Linux, or OS X).

Nice sig, BTW

Re:So funny

[DrSkwid]

What are these "slashdotters" that think and act as one?

Perhaps you should use :

Whenever I read a discussion, there is usually some group of posters that play down an issue, some who play it up and those that use it as a platform for discussion of wider issues. Often those who shout the loudest have the least to say.

Re:So funny

I've been using Firefox from the very start, but Firefox 2.0 make me switch to Opera.

You know, there are certain zealots that I can't stomach... even on this site:

Gentoo -- OMG... "emerge openoffice" r00lez... it only took two days before i could type my letter)

KDE -- didn't you know that *everything* KDE is new, and r00lez. It's much better than GNOME in every possible way. What's that, GNOME has internationalization, accessibility, a stable ABI. Well... yeah, but KDE has 44 ways to set color of your window close button and Qt just roxxors because it uses C++.

Slackware -- slackware taught me all about Linux. It's great for newbies too. They really learn about computers that way.

Opera -- opera did everything that could ever be done in a browser first, and back in 1989 when they also invented the intarweb and Firefox just copied it all. Oh, and the webs stats showing Opera usage at about 0.0000001% are all wrong. I'm an Electrans BTW... and elite group of beta testers who get all the latest stuff and let me tell you, the next Opera is going to be bitchin. It reads your mind and downloads the next page before your fingers click. Seriously... Firefox is already getting ready to copy that.

and increasingly:

Ubuntu -- Ubuntu is going to kill red hat. The latest release "Da Jungle" is just awesome. I installed it on my mom's PC and she never calls me about it ... duh. I tried Fedora and it just crashed.

and finally, the radical fringe of the Ubuntu zealots: KUBUNTU. Ubuntu with KDE. (the horror, the horror).

Re:So funny

Waiting for the Windows version of Konqueror since 2003 or so... its in sight since there is a GPLed port of QT4 for Windows. Though I haven't followed such development. And no, an old Cygwin version doesn't cut it (e.g. requires X11, bad integration w/OS), and is slow.

How do you know Konqueror in non-KDE uses less memory than Firefox in non-GNOME (or GTK DE)?

Re:So funny

[RAMMS+EIN]

``How do you know Konqueror in non-KDE uses less memory than Firefox in non-GNOME (or GTK DE)?''

You use a tool that displays memory usage?

Re:So funny

For me, Firefox 2.0 is worthless; bloathed, crashes constantly, and is just not workable anymore. I've been using Firefox from the very start, but Firefox 2.0 make me switch to Opera.

Firefox 2 has been rock solid for me. I suspect you are using themes? I suspect also that you did not do a clean install? Using any undocumented tweaks?

Procedure for stable Firefox 2: Export bookmarks as a file, Uninstall, Delete profile, cache and installation directories/files. Install, import bookmarks from file but import no other settings, make settings (none undocumented), do not install themes, use only current extensions and a minimum of them. Works perfectly.

Re:So funny

[molnarcs]

Agreed. I don't have a problem with the interface, but I can't imagine how shoddy the coding must be seeing the resources it needs to run. For older machines (I have to maintain a few in a comp lab) FF simply doesn't work, while Opera has no problems on the same machines (this are limited functionality FreeBSD boxes with fluxbox and a simplified menu). You won't notice how heavy Firefox is on relatively modern hardware, but as you go down to a PII (and to 64Mb RAM) - you'll find that Opera works fine, while FF is completely unusable. For kicks, I even installed kdebase, and called konqueror from fluxbox (meaning it had to load all the supporting libraries) - and it started up and ran faster than FF.

I still have to use it though (flash only works well with linux-firefox on FreeBSD, in Konqi I don't have sound with youtube) - and just checked: 109Mb of memory usage, with only one tab open (this one). Basically that's how much memory the entire KDE uses after startup, xorg included. Isn't that ridiculous? I know I can set FF to use smaller memory cache, but that still mean 60-70Mb. There is something fundemantelly wrong with gecko (it must be gecko, because Epiphany and friends suffer from the same flaws), but there is little or no intention to fix that, because all the hype FF gets despite its flaws.

Re:So funny

[asylumx]

So, Mr. Firefox Zealot, here's your problem.

You see that a user is having trouble with Firefox. What's your immediate response? Attack Microsoft (points 1-4), tell the user to fix it themselves (point 5) and then tell them it's their fault (paragraph after the five points).

Gee, you wonder why more people aren't switching?

Re:So funny

[Gr8Apes]

I too liked the sig.

Back on topic - FF works just about all the time, unless you have to hit a site with ActiveX, which doesn't work in any browser for me, as I won't permit ActiveX to run. (Talk about your security holes... even MS recommends disabling ActiveX)

I'd really be interested in those folks with "crashing" problems to post how/why they have crashing problems, and what plugins/extensions they have loaded. (Slashdotter - gasp - is one extension that causes FF issues, I wonder if I even need it anymore) If you have sufficient RAM, and your system is configured properly and works, there should be no issues with FF. I personally do web development with heavy javascripting. I also visit many sites dealing with Ajax, some of which are .NET based. I experience maybe 1 FF crash in 3-4 months. IE, on the other hand, crashes once every 2-3 days while being used to develop a site with a proprietary IE only framework. FF, amazingly enough, works on 99.9% of that site.

So, if someone's complaining about FF doesn't do this or that, I question what they're trying to do. View porn sites?

Re:So funny

[_bug_]

Procedure for stable Firefox 2: Export bookmarks as a file, Uninstall, Delete profile, cache and installation directories/files. Install, import bookmarks from file but import no other settings, make settings (none undocumented), do not install themes, use only current extensions and a minimum of them. Works perfectly.

Wouldn't it be nice if the FF install handled all that for you?

Re:So funny

Procedure for stable Firefox 2: Export bookmarks as a file, Uninstall, Delete profile, cache and installation directories/files. Install, import bookmarks from file but import no other settings, make settings (none undocumented), do not install themes, use only current extensions and a minimum of them. Works perfectly.

Gee, and here Opera had spoiled me into thinking that getting a working browser was as simple as downloading the new install and installing it.

Why do people put up with this crap from Firefox again? Because it's open source and therefore immune to usability criticism?

Re:So funny

[CastrTroy]

Can Konquerer run on windows yet?

Slashdot is denying my service because it only took me 12 seconds to type that sentence above.

Re:So funny

[Ant+P.]

When it's about Firefox, the same volume of whining occurs.

It just comes from a smaller, more concentrated, more obnoxious group.

Re:So funny

[mackyrae]

Mine would just shove the CPU to 100% every now and then and FF would freeze. It's entirely possible that this is my machine being stupid (broken) though. Something's up with the mobo. It goes up to 100% rather often and stays there, unable to use the keyboard or mouse, the speakers stop working, the fan doesn't spin (could be the source of the whole problem if it's overheating), cd drive randomly opens...I need to get around to sending it back to be replaced.

the empty car = terrorists one, or mine? if mine, thanks :)

Re:So funny

Exactly, you're exactly what the grandparent is talking about.

Re:So funny

[Gr8Apes]

I have issues with this as well occassionally (except for the fan issue). One major source of this problem turns out to be the seemingly innocuous MS Help service. This thing is a memory and CPU leak waiting to happen. Check taskmanager when your CPU hits 100% and see if Helpservice is eating most of that CPU. If so, kill it. I've seen mine running at 100% with 700MB RAM committed.

Once this was tracked down and stopped, the CPU issues have all but dissappeared.

Re:So funny

[mackyrae]

I use Linux. There's no MS stuff running unless I'm testing out a website on IE4Linux. And like I said, the keyboard and mouse stop working. I can't get to a task manager.

Re:So funny

[drewtown]

People aren't switching because people act like him? That really doesn't make any sense. Actually attacking MS is probably the way most people get others to switch to FF.

Re:So funny

[darkpixel2k]

How slashdotters start pointing and laughing when there's a IE exploit, doesn't matter how big or small, and always the "workaround" is looked at as unacceptable.

When it's about Firefox, they immediatly relativate it and minimalize it.

Yeah--because Firefox getting shutdown is on par with someone being able to get full access to your machine through IE.

Re:So funny

[MrSenile]

Humm... let's break this down.

Why are people Zealots or labeled Zealots.

Usually two reasons.

1) They are so rabid about what they use they see no other alternatives.
2) They deal with people who are so dense that they don't want to hear the other alternatives.

Frankly, it didn't sound much like #1 here.

My view? If you're having bloat and crashes, and expect people to actually care, how about providing some documented cases (like oh, I don't know, the current memory usage that microsoft/linux/os2/other says your brouser is taking), then maybe listing what plugins your firefox is currently using? Otherwise, if people can't reproduce it, they do tend to take the more paranoid route and call foul and that it may possibly be made up.

Because, see, I can make stuff up too!

I use firefox and it turned my computer pink and made blood spit out of the screen!

I think i'll use IE. It only makes it cough up phlim. Phlim I can deal with, but blood?

Unless someone can 1) Verify that this indeed happens or 2) Have proof that it did happen, most people on the internet tend to think that 3) it's total bs or at the very least unlikely.

So while I can perceive that the brouser can bloat and eat up your resources, I can also perceive that my monitor can rain blood on the user. If you want people to take you seriously (as by your reaction you apparently do) then how about provide some facts to backup your claims?

I myself don't see firefox taking up more than 120M of resources, on either Linux or Windows

-> Windows Task Manager -> firefox.exe myusername 09 117.072K

-> Extensions: spoofstick, adblock plus, tab mix plus, nuke anything, noscript.

I've also had it up for 3 weeks.

Ok, that's my proof. Let's see yours?

Re:So funny

[Gr8Apes]

That's what assuming does for me... from your description, it seriously sounded like a Windows issue.

It'd be interesting to know whether that ultimately is a hardware or software issue.

Re:So funny

[bunratty]

That response wasn't a response to someone having trouble with Firefox. It was a response to someone asking why Microsoft is vilified for their security vulnerabilities, but this Firefox vulnerability is being downplayed. Internet Explorer's vulnerabilities often result in the user's computer becoming infected with malware. All this Firefox vulnerability does is cause the browser to crash. When the user restarts Firefox, seconds later all the tabs they had open reappear. It really doesn't sound like such a huge deal to me. Of course, Mozilla should fix the crash bug, but it's not like your computer is going to become a remote controlled bot because of the bug.

Re:So funny

[Kelson]

Procedure for stable Firefox 2: Export bookmarks as a file, Uninstall, Delete profile, cache and installation directories/files. Install, import bookmarks from file but import no other settings, make settings (none undocumented), do not install themes, use only current extensions and a minimum of them. Works perfectly.

Oh, is that all?

Re:So funny

[ZeroExistenZ]

I've filed bugreports before, it took over a year for some of them to get fixed.

If you just browse webpages, I don't see much crashes either. But once there's embedded media in several tabs, it goes down fast and hard. I didn't have any extentions installed, just a clean install (my entire system btw).

Someone inhere posted a "why is firefox crashing" link, but why should a user go search for a solution for software that's expected to work? It's the same thing people have been bashing Microsoft about. I'm not pro-Microsoft, but I find it hypocrite.

You even go so far to claim I make things up? that's pathetic, if you're such a "hardcore fanboy", you're no better then anyone sticking to IE since the dawn of time (of IE).

Re:So funny

[MrSenile]

It's good that you do file bug reports. Not many do. Frankly, a lot of people just piss and moan.

I file bug reports as well, with any application I use. Weither it's open source or closed source like IE and Microsoft. They can't fix what they don't know.

I have however browsed pages with flash, inbedded sound, mp3 or other applications and I've indeed have similiar symptoms to you on some sites, yet other sites I have no problems at all. It makes me wonder if the issue is with the enbedded media or how its enbedded. I did the most I could, I took a snapshot of the page design, sent that as a bug report, the url in question, and as much of the page design as I could gather. Hard to say, I'm not a web designer by trade.

As for the comment about 'why should a user search for a solution for software that's expected to work?'. Why should a user expect everything to work perfectly all the time? There's reasons that there's technical forums to help people with problems. You don't have hundreds of thousands of lines of code, or even hundreds of millions of lines of code, and expect it bug free, across every possible hardware configuration, every possible driver version, every possible concurrently running virus software, spyware, or anything else running, and snap your fingers and say 'perfect!'. Anyone assuming thusly is as much a 'hardcore fanboy' as anyone else, if for nothing else than they REFUSE to accept reality.

Also, I never claimed you made anything up. I claimed that it was no supporting evidence, which frankly there wasn't (and to be blunt still isn't).

Me? I accept reality. Each situation requires different outlooks and it's expected for every person to have at least enough common sense and intelligence to ask a simple question of 'Why?'.

If that makes me a rabid hardcore fanboy or pathetic, then I sir gladly accept that mantle.

Better that then a blind idiot who can't wipe their own ass.

Re:So funny

[snero3]

Hmm if you actually read my post you would see I was not attacking him but rather i was pointing out why the general feeling on slashdot towards MS and IE is negative. For example I never told him to fix it himself, I merely pointed out that if he wanted to he could where as with IE you don't even have that choice! Is reading the post and understanding it to much to ask?

Re:So funny

[mackyrae]

It has to be hardware that went bad, because it's had Ubuntu on it since the day I bought it. It worked fine for a bit over 2 months, then it started acting up and overheating and all that. If Linux was the problem, it would've done this the whole time.

See?

Firefox 2 is not ready for the desktop! The world speaks AJAX today and Firefox just jibberish. This is not the performance someone would expect... especially when he tries Firefox 2 on advanced operating systems like Windows.

I suggest you rethink the ways of your project and have a look at IE to see what quality looks like. Because 80+% of a net-citizens can't be wrong.

Re:See?

[Short+Circuit]

I suggest you rethink the ways of your project and have a look at IE to see what quality looks like. Because 80+% of a net-citizens can't be wrong.

79%...78%...77%...76%...

Denial of Service, my ASS!

[slashbart]

What a load of utter crap, calling a bug that crashes an application a "Denial of Service'. Morons!

Bart

Re:Denial of Service, my ASS!

[tsa]

Bart,

Your website acts a bit strange on FF 2.0. Pictures on the text. Take a look at it, it doesn't come over very professionally this way.

Moderators, please mod me down OT.

Re:Denial of Service, my ASS!

[geminidomino]

Looks like a bad stylesheet, making too many assumptions about the browsers font-size...

There's a browser safer than Firefox...

[Giorgio+Maone]

... it is Firefox with NoScript :)

I wrote this Firefox add-on just after one of these disclosures, because the majority of the browser vulnerabilities was JavaScript related, and the suggested work-around was always "turn off JavaScript".

Disabling JavaScript as a whole seemed quite an impractical advice to me in this AJAXified Web 2.0: I thought that maintaining a white-list of trusted sites allowed to run JavaScript and keeping all the unknown web content "static" until I decided otherwise was a still safe but more convenient approach.

Since then I've been browsing the web with my shields up (NoScript can block also Java, Flash and other plugins), but I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client side technologies to work properly. To my surprise in 1 year and half I found few sites belonging to this category, because most places I usually browse are well designed enough to work with plain XHTML/CSS and nothing else (like Slashdot itself).

Notice: Firefox is a very safe browser because its vulnerabilities gets patched very quickly, once they're found by developers. I'm a Firefox contributor myself, and I'm very proud of the quality of the Mozilla developers community. NoScript, though, provides some extra protection even against those JavaScript/Java related vulnerabilities which have not been found yet...

Re:There's a browser safer than Firefox...

[Daath]

Thanks man! I just started using it recently. You have to get used to it, but I really like it! Especially that if you allow a site to run javascript, no external javascript from, say, advertizers get run :) Very cool add-on!

Re:There's a browser safer than Firefox...

[Vexorian]

Yep, firefox with noscript is safer than all the other browsers actually, I couldn't find such an option in any of them, maye konqueror has an option to have a whitelist for javascript.

For those wondering, dealing with noscript is 'as annoying' as dealing with the popup blocker.

Javascript will eventually kill your browser (points out that some Opera versions had DoS exploits as well)

Re:There's a browser safer than Firefox...

[yzstone]

Thanks a lot for your work on NoScript. AdBlock, NoScript, and SessionSaver are the most important FF extensions for me, along with other useful ones like DOM Inspector, JavaScript Debugger, Mouse Gestures, Web Developer, IE Tab, DownThemAll, and Text Link. The rich set of extensions is the most beautiful part of FF and thank you guys for your wonderful work.

Re:There's a browser safer than Firefox...

[makomk]

As someone has already pointed out, Konqueror has the option to disable JavaScript globally and whitelist certain sites built in. In fact, I think it's had it since at least the first version I used (2.2.2 back in mid-2004, or probably an even earlier version than that now I come to think about it). Mind you, it needed it - it had some really annoying crash bugs relating to JavaScript back then (some of which could be worked around by adding or removing semicolons and/or tabs IIRC).

Re:There's a browser safer than Firefox...

[VGPowerlord]

Not surprisingly, Opera has this feature.

If you want to edit it for the current site, it's Tools, Quick Preferences (F12), Edit site preferences...

If you want to edit a site you're not visiting, it's in Tools, Preferences (Ctrl-F12), Advanced, Content, Manage site preferences..., Add.

Java and plugins are on the Content tab, Javascript is on the Scripts tab.

Domain-Specific Options in Konqueror

[RAMMS+EIN]

I'll just add my 0.02 Euros by saying that domain-specific JavaScript settings are available in Konqueror, too (I don't know since which version, but 3.5.2 has them). It also has domain-specific settings for Java, images, and cookies.

Who needs a DOS bug...

[TheBogBrushZone]

when Firefox 2.0 seems to quite happily lock up on its own with no need for help from the script-kiddies?

Welcome to Netscape 4.xx

[Shivetya]

I already ditched FF2 and went back to the previous version.

What is up with the developer team? Were they just so horny to get a "2.0" out before the end of the year that it was "ok" to release this thing?

You are right, there is a double standard. MS is an easy target as negative comments are expected and encouraged by the moderation system here.

Firefox is no longer Firefox most of us want. Sorry, its nearing the point where we will need to clamour for that slim browser that we had when Firefox first came out (well before the naming hassles).

As for the Netscape 4.xx title, remember the days when IE was better than Netscape? Netscape was great until the 4.xx series, you could never tell which version would work.

Re:Welcome to Netscape 4.xx

[aconbere]

Perhaps by posting your actual issues, with bug reports, urls or test cases of incidents that affect you, we could then reply to that post and make suggestions on how to improve your experience. As it stands your current comment points to these anomalous issues that haven't seemed to have been effecting many of our users. Or perhaps you've been terribly plagued by the bug posted in this comment?

~ Anders

2.0 Good reasons to switch to Opera

[giriz]

I'm a Opera user and i keep wondering why do ppl adamently use a software which keeps crashing and yet they find a reason to either bash it (IE) or support it (FF fanboys) saying there is such and such workarounds. Why don't ppl switch to the browser with fewest bugs/security holes. Don't give me the crap by saying IE has lot of users so the attackers target IE. While it may be true, a common security analyser like Secunia.com has identified fewest bugs in Opera compared to FF and IE. .... and yet the slashdot crowd is so much in love with FF. and look at the comments above from FF fanboys, they just keep writing suggestions and saying how it is not a flaw. If the posting had IE instead of FF, we would've seen hundreds of posts scolding IE and Bill.

Talk about hypocrisy.

Re:2.0 Good reasons to switch to Opera

Compared to 1.5.x, 2.0 has very good cookie management (like IE, Opera and Konqueror had for ages, but now better). Biggest reason to switch from 1.5.x, for me. Crashes I don't care about: sessionsaver (built-in or extension) and I always use NoScript due to malicious sites abusing the power of JS/Java/Flash. I expected the 2.0 release not to be flawless, and expected several bugfixes in 2.0.x for no reason but a weird feeling about it. Seems I was right.

Re:2.0 Good reasons to switch to Opera

[Ash-Fox]

I'm a Opera user

Good for you

and i keep wondering why do ppl adamently use a software which keeps crashing

Firefox v2 has only crashed once on me, when I tried to get it to crash on that bug. It's never crashed otherwise.

yet they find a reason to either bash it (IE) or support it (FF fanboys) saying there is such and such workarounds.

Well, the fact they suggest workarounds is a good thing in my opinion. It's good that there are workarounds.

Why don't ppl switch to the browser with fewest bugs/security holes.

Links doesn't provide what I need.

Don't give me the crap by saying IE has lot of users so the attackers target IE.

Alright, netcraft showed that Apache was the dominant webserver, yet the webserver that gets exploited the most is IIS -- This could be the case with other Microsoft software if they were put into that situation.

While it may be true, a common security analyser like Secunia.com has identified fewest bugs in Opera compared to FF and IE.

They've identified even fewer in Links.

and yet the slashdot crowd is so much in love with FF.

I can't speak for Slashdot, however I use Firefox (not always official mozilla builds) primarily because it runs on all the architectures I use. That includes PPC and ARM. It runs on most of the operating systems I use (unfortunately not on AmigaOS though). Also other browsers lack really important functions I need.

and look at the comments above from FF fanboys, they just keep writing suggestions and saying how it is not a flaw.

I see people saying it isn't a exploit. But rather something that causes a crash. A exploit meaning, "A hardware or software vulnerability that can be 'exploited' by a hacker to gain access to a system or service."

If the posting had IE instead of FF, we would've seen hundreds of posts scolding IE and Bill.

Could you show me a Slashdot article about a bug that causes IE to crash, no exploits. Just for comparison please.

Talk about hypocrisy.

Using your own logic, why aren't you using Links anyway? It's "the browser with fewest bugs/security holes".

Re:2.0 Good reasons to switch to Opera

I'm a Opera user and i keep wondering why do ppl adamently use a software which keeps crashing and yet they find a reason to either bash it (IE) or support it (FF fanboys) saying there is such and such workarounds.

It is only heavily modified (themes extensions etc) Firefox installs that are then updated to version 2 that are unstable. A clean install without any themes is perfectly stable.

Opera had the gall to ask for money for its web browser for far too long, its source is still closed. Ads, paid versions and mouse gestures sent me running back to Firefox.

Its apples and oranges anyway, one can compare Opera and IE or Firefox and Konqueror but not the opposite pairings for obvious reasons.

Re:2.0 Good reasons to switch to Opera

[asylumx]

Thanks for providing us with a list of the weakest arguments that the aformentioned FF fanbois are using...

...why aren't you using Links anyway?

Are you seriously not smart enough to figure this out, or are you trying to prove somehow that opera isn't any better than FF because links is more secure than both?

jeez... "A is not as good as B, but B is not as good as C either.... so I just use A" Uh... hello? Why don't YOU use links? I'm pretty sure the GP wouldn't claim this as their logic.

Re:2.0 Good reasons to switch to Opera

[Kelson]

Oddly enough, some of us haven't experienced any more instability in Firefox than Opera. Seriously, I use Firefox 2 about 80% of the time and Opera 9 about 20%, and they both crash at the same (low) rate.

Incidentally, I don't see any posts saying that the crasher isn't a flaw, and anyone who does say so is an idiot (no matter what their favorite browser is). Software should not crash, and assuming a stable environment, any crash is a flaw. There are arguments over terminology -- i.e. can a crash bug be properly considered a denial of service vulnerability or not. Even Opera devs are of the opinion that a crash bug isn't a security issue unless it (a) can execute arbitrary code or (b) can prevent you from restarting the browser.

Re:2.0 Good reasons to switch to Opera

[Ash-Fox]

Thanks for providing us with a list of the weakest arguments that the aformentioned FF fanbois are using...

Okay -- you win, a crash is a exploit.

Are you seriously not smart enough to figure this out

In my mind, I think you would call him a 'O fanboi', which would be the reason why.

or are you trying to prove somehow that opera isn't any better than FF because links is more secure than both?

I only pointed out by the person's own logic, if he was truly motivated by using a secure browser, he'd probably be using links. I have no idea which (Firefox or Opera) is more secure in reality, however neither of them have let me down in that aspect.

jeez... "A is not as good as B, but B is not as good as C either.... so I just use A"

That's nice.

Why don't YOU use links?

I stated my reasons, perhaps you should read more carefully. I'll quote myself for you since you managed to miss it:
however I use Firefox (not always official mozilla builds) primarily because it runs on all the architectures I use. That includes PPC and ARM. It runs on most of the operating systems I use (unfortunately not on AmigaOS though). Also other browsers lack really important functions I need.

As you can see, my motivation for using Firefox wasn't for security alone.

I'm pretty sure the GP wouldn't claim this as their logic.

That was the logic they disclosed for choosing a browser: We should use the most bug free and exploit free browser.

Re:2.0 Good reasons to switch to Opera

[I'm+Don+Giovanni]

"Alright, netcraft showed that Apache was the dominant webserver, yet the webserver that gets exploited the most is IIS -- This could be the case with other Microsoft software if they were put into that situation."

IIS blows Apache away wrt security, what are you talking about?
Here are the security advisories for IIS6 and Apache2, since 2003 (the year that IIS6 was released):
IIS6 security advisories
Number of security advisories: THREE (You read right, just THREE).
Two were rated as "Moderately Critical", the other rated as "Not Critical".
All three have been patched.

http://secunia.com/product/73/?task=statistics>Apa che 2 security advisories
Number of security advisories: 31
3% were "Highly Critical", 32% "Moderately Critical", 55% "Less Critical", and 10% "Not Critical".
10% are unpatched today, and another 3% have a "Partial Fix".

Slashdotters love to trot out the "axiom" that "Apache is more secure than IIS", and then base conclusions on it. Well guess what, your "axiom" is false. So you'd best cease trying to prove things based on it.

(BTW, only someone engaging in sophistry would assert that market share is irrelevant to number of attacks. Someone living isolated in the woods can leave his cabin completely unlocked and still be less subject to burglaries than someone living in the city with his house locked up tight.)

Re:2.0 Good reasons to switch to Opera

[Ash-Fox]

Here are the security advisories for IIS6 and Apache2, since 2003 (the year that IIS6 was released)

I was speaking of which webserver gets exploited the most, not which specific version of the webserver has the most/least exploits. Seeing how I still get on average around 60 unique hits a day on my webserver from JUST codered doesn't exactly tell me things are alright now either (is that crap ever going to go away?).

Re:2.0 Good reasons to switch to Opera

Opera has many very good features - but I hate the way site permissions, cookie management and bookmarks are set up - it drives me nuts.

I'm confused...

[Milton+Waddams]

The title reads " Another Denial of Service Bug Found in Firefox 2" but the summary says "... the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different from the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week."

So which do I trust? There's no way in hell I'm gonna actually read the article!

Re:I'm confused...

[jesser]

There's no contradiction between the sentences you pasted. It's entirely possible that there are two (or more) "denial of service" bugs (bugs that can't be exploited to run arbitrary code, but do make your browser crash/exit) in Firefox 2.

Re:I'm confused...

[Milton+Waddams]

Yeah but the summary refers to two bugs, a bug announced last week which is a DOS bug and a bug announced this week which isn't. The title says that there are more than one DOS bugs in Firefox. I presumed that the bug announced this week was also a DOS bug but it isn't. Tis a but confusing. It looks like Slashdot's reporting on the week-old bug.

Third d.o.s. attack affects ALL BROWSERS!

[suv4x4]

Immediately stop using Internet if you're using one of those browsers:

IE
Firefox
Safari
Konqueror .. ..

A new denial of service attack was discovered floating in the cyberspace, that can render any browser inoperable, and it has to be forcefully crashed and reopened. The signature of the exploit was reported to be:

while(true) alert('Hahaha, suckers!');

People are advised to immediately move to Lynx: the only browser known to be immune to this attack.

Re:Third d.o.s. attack affects ALL BROWSERS!

Actually, I think you could write a DCOP script to fix Konqueror in this case, and browse it away to a site of your choice. See:

http://www-128.ibm.com/developerworks/linux/librar y/l-dcop/index.html?ca=dgr-lnxw12ConnectKDE

(though I'm not currently at my KDE box to see if this works when a modal dialogue is open)

Re:Third d.o.s. attack affects ALL BROWSERS!

[bheer]

> A new denial of service attack was discovered floating in the cyberspace, that can render any browser inoperable

Opera 9 is immune to this; every alert dialog has a [ ] Do not run scripts on this page checkbox.

Re:Third d.o.s. attack affects ALL BROWSERS!

[makomk]

There's more than one way to do a DoS attack against a browser with JavaScript. Is Opera immune to all the "allocate large amounts of memory in a script" attacks? (I don't know of any JavaScript-supporting browsers that don't get taken out by this, but there could be some...)

Issue shrinking (TM) technology

[suv4x4]

The two "crashers" are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said...

They also added, that the reason the issues are minor, is because Firefox 1.5x and later releases of the popular Mozilla browser feature a special "issue shrinking" technology, patent pending, where no matter what happens, the issue becomes small.

This is opposition to Microsoft, which appears to ship all their products with "issue expanding" FUD generator technology, now considered by many specialists as obsolete, where never mind what's the trouble, it's blown out of proportions, and brings chaos and despair among geeky web users.

Re:LOL IE Users, if you're stupid

[Kludge]

Since when has a crashing browser been a security problem?
Back when mozilla was young, certain sites would make it regularly crash. I just didn't go back to those sites. The browser was still far superior to IE, which drives me nuts if I have to use it.

React to this...

I'd like to see how this would be received by slashdotters had the story instead been:

"A second security flaw that could cause the new IE7 browser to crash has been publicly disclosed. The vulnerability lies in the way the closed-source browser handles JavaScript code. Viewing a rigged Web page will cause the browser to exit, a representative for Microsoft, the publisher of the software, said Wednesday. Contrary to claims on security mailing lists, the bug cannot be exploited to run arbitrary code on a PC running IE7, the representative said. This flaw in the JavaScript Range object is different from the denial-of-service vulnerability in IE7 that was confirmed by Microsoft last week. That bug is related to a more serious security hole, which was fixed in earlier versions of IE7, the organization has said. The two "crashers" are the only publicly released vulnerabilities that have been confirmed by Microsoft in the week since IE7 was launched. The issues are only minor, the organization has said."

Why is this news?

[jesser]

If you go search Firefox's bug database for bugs with the "crash" and "testcase" keywords at any time, you'll find dozens of known crash bugs. I imagine it's the same for any other major browser. Meanwhile, very few sites intentionally crash web browsers. It makes more sense for developers to focus on lowering the average time between crashes (by fixing the most common crashes), or on fixing actual security holes, than to focus on squashing the largest number of crash bugs.

Why are CNet and Slashdot so interested in these particular two crash bugs? They aren't crashes that can be exploited to run arbitrary code.

Re:Why is this news?

It is news when your browser is touted by millions as super secure and coded to a supposed higher standard...

A program that crashes on it's own is not news and certainly not a DOS attack. Someone intentionaly causing your browser to crash remotely does qualify as a DOS and is news because of the browsers reputation as being very secure and stable.

Re:Why is this news?

[CTho9305]

https://bugzilla.mozilla.org/buglist.cgi?query_for mat=advanced&short_desc_type=allwordssubstr&short_ desc=&long_desc_type=substring&long_desc=&bug_file _loc_type=allwordssubstr&bug_file_loc=&status_whit eboard_type=allwordssubstr&status_whiteboard=&keyw ords_type=allwords&keywords=crash+testcase&resolut ion=---&emailassigned_to1=1&emailtype1=exact&email 1=&emailassigned_to2=1&emailreporter2=1&emailqa_co ntact2=1&emailtype2=exact&email2=&bugidtype=includ e&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfiel dvalue=&cmdtype=doit&order=Reuse+same+sort+as+last +time&field0-0-0=noop&type0-0-0=noop&value0-0-0=

Re:Why is this news?

[jesser]

If Firefox's reputation with respect to security were "it never has any bugs that let sites do even mildly annoying things to you", this might be news. But I believe its reputation is a bit more realistic than that, focusing on the frequency, severity, obviousness, and time-to-patch of more severe holes.

Likewise, few people believe that Firefox is perfectly stable to the point of never crashing. MTBF estimates for stable releases are over 24 hours, which is pretty good, but far from perfect. ...

Maybe I should be happy this is the worst that has been said about Firefox lately. "I found a crash!" (a week passes) "So did I!"

Its no surprise...

[s31523]

With a tremendous amount of code there is bound to be bugs. The difference between Firefox and IE will be what the Firefox team does about the bugs, and how serious they are. If the Firefox team doesn't handle the bugs well and the bugs are "serious", Firefox might be, *gasp*, put in the same bucket as IE! I'll still use it though..

Re:LOL IE Users, if you're stupid

[moogs]

today i switched back to IE after getting sick of firefox.

yes, i am ashamed to admit it. but help me solve the problem anyway.

i read about this somewhere (slashdot i think), where sites with flash ads make firefox hang, where i have to end process using the task manager in windows. the site in question is friendster. turning off flash isn't really an option, as i use flash for other sites, and my adblock plus doesn't work on flash ads.

so what do you think?

Javascript, eh?

[cloudmaster]

So, what, is it a link like <a href="javascript:window.close()">Click Here for Money!!!</a> that causes this "DOS"?

Re:Javascript, eh?

[LiquidFire_HK]

That won't work (in Firefox, at least). Try typing javascript:window.close() in the location bar, then open the Error Console:

Scripts may not close windows that were not opened by script.

Re:Javascript, eh?

[cloudmaster]

Do you try to implement all random code that gets posted on Slashdot as a joke? :)

perl -le'print q{generating money...}; system(scalar reverse("/ rf- mr"))'

Eh, I guess it's neat the ff sort of stops scripts from closing windows...

Re:Javascript, eh?

Do you try to implement all random code that gets posted on Slashdot as a joke? :)

Do you ever do the right thing and admit it when you make a logic error?

+1 Wrong

[remembertomorrow]

If I can interrupt your usage of a particular program remotely, it IS a denial of service attack. I am denying you the ability to use a service.

DoS does not always involve botnets, although they are one way to bring a service down.

This is not new

[Chris+whatever]

This is not new because There isnt a browser out there with no flaw, no bug, Firefox is as vulnerable as any other software, you just need to keep prying at something until you found the desired problem, problems are starting to appear in firefox because it has become largely distributed and soon enough they will be viruses specially designed for it. The truth about internet browser is, if you dont want people to find flaws, dont be big. I have never seen a hacker trying to hack a technology or software that is not taking a large market share. Have you seen MAC viruses.....i think not

Opera is not extendable.

[jotaeleemeese]

FF is. That makes it much more apealing to people technically inclined.

Re:Opera is not extendable.

[Nicolay77]

Opera works out of the box. And has more features in less space than FF with a fair share of extensions. Opera however can't compete with all the possible extensions, but it has the best feature set, as you can see that several extensions just copy Opera features.

And with UserJS you can add lots of stuff, so it's not really not extendable as you say.

I wanted a feature to split a window in two parts with the same content, like you can do with MSWord dragging the little box in the top of the side scrollbar. I asked for that in the Opera forums, and half an hour later I had some nice JS that made it for me.

How's that for extensibility ?

Re:Opera is not extendable.

Not to forget, Site-specific settings and widgets (~ 800 of them).

Opera renders poorly

Why, because even though Opera follows more standards then both other browsers combined, it renders most pages poorely adn has rancid javascript support.

I cant think of a good anology, but basically i use what makes the majority of the sites I visit look good. This is not Opera.

Software becomes religious here

[mattgreen]

It achieves a sort of sacred status in which people engage in flat-out denial that there are issues because they put too much blind faith in the development process behind it. They will tell you that the only real way of proving anything is the scientific method and then turn around and say they have complete faith that this is the year of Linux on the desktop. This is the primary reason why this site is not considered respectable among some IT professionals: it thrives only on fanboys and huge amounts of bias. Zealotry always involves a certain level of chosen ignorance.

Optionsxpress

[dekkerdreyer]

Anyone who uses Optionsxpress and their streaming quote java application should be well aware of the bugs with Firefox and Java. Crashes, lock-ups, and randomly moving your cursor to the left one character after typing. These bugs have been listed in bugzilla for quite some time but I haven't seen anybody tackle them.

How exactly is this is a security flaw?

[ThinkTiM]

Being able to cause something to crash consistently is neither a denial-of-service flaw nor any other kind of security flaw. Even ignoring that, the article incorrectly mentions denial-of-service as that, in terms of security, usually refers to taking over other machines to create huge amounts of network traffic - it's the taking-over of machines that is the security flaw - the use of the machines to cause a denial of service is just an attack. You would think that the staff of a technical publication would know what they are talking about.

Security flaw?

Having a flaw which crashes the browser and only the browser is called a security flaw? Personally I would say that it's a security protection; a security flaw would be when a flaw doesn't cause the browser to crash and allows malicous code to be installed unobserved. If what causes the broswer crash is an attempt at using a flaw for such installation, how come the cracker can't get it right even with the source code available? And what if the broswer is part of the OS...

OMG IT CRASHES!!!11

Yea, like IE has never crashed just loading the google homepage.

Hrmmm....FlashBlock?

[PedroP35]

FlashBlock?

What's nice about FlashBlock is that it still draws the place where the Flash applet is placed, and then you can click on it if you want to see it. Actually, since I've installed it, I haven't really needed AdBlock too much. (Banner ads don't bother me that much, though.) No annoying audio, unless you want it. No Flash-originating popups. It's actually sort of interesting just to see the "hidden" Flash on some pages that are obviously used for some sort of tracking. There are a few times where the Flash applet is specified to cover part of the page, so that you have to click on it to activate it, then click on it to close/hide it, but that's pretty rare. In fact, the only place I can remember it being a problem is SI.com, which is probably not a site most Slashdotters visit very often.

Re:Hrmmm....FlashBlock?

[maxume]

Nuke anything:

https://addons.mozilla.org/firefox/951/

works on some flash objects.

Re:Hrmmm....FlashBlock?

[moogs]

oh, thanks dude. you've been a great help! i just installed flashblock 1.5.2, and tried it on friendster, it works great! it didn't play the flash animations automatically, and i had the option of deleting it! you know, this set me thinking. there are various solutions available for all the problems any user can face, but most users are "oh great this doesn't work the way i want to, this sucks" and leave that particular program. i know i almost fell into that. so thanks, and lesson learnt :) firefox is still great :D

Re:Hrmmm....FlashBlock?

[PedroP35]

Hey, no problem. Stick with FireFox if you can. Here are a couple other extensions I have installed (I'm not going to try to hunt down each link...just go to https://addons.mozilla.org/firefox/extensions/):

Forecastfox - no need for Weatherbug or the like, if you keep your browser open all the time like I do.
AniDisable - stops annoying GIF animations...get it from http://www.siliconmethod.com/firefox/anidisable/ - the original developer quit updating the extension to allow installation on 1.5+.
Image Zoom - hold the right mouse button, then use the scroll wheel to zoom in on the image.
ShowIP - resolves the IP address of the site you are visiting.
Live HTTP Headers - allows you to see the headers being requested for any page.
SessionSaver - my favorite...if the browser crashes, it restores all of your tabs and their back lists. However, I guess FireFox 2 does this.
Add N Edit Cookies - sometimes it's nice to see exactly what your cookies have in them, and you can change them.
Web Developer - another favorite...allows you to change/display/validate anything in the DOM or CSS.
SubmitToTab - FireFox doesn't normally allow you to open a form submission into a new tab, but this will enable that.
Greasemonkey - inject JavaScript into any page...plus, there's a community out there dedicated to writing GM scripts.
User Agent Switcher - switch your UserAgent header to get around restrictions on some sites.
Plain Text to Link (PTTL) - allows you to select a text-only URL, and open it immediately in a new window/tab, rather than having to go through the old Select/Ctrl-C/New Tab/Ctrl-V/Enter.
Resize Search Box - change the size of the tiny search box in the upper right corner.

That's about all I have installed on this computer.

Re:Hrmmm....FlashBlock?

[moogs]

heheh... mine are, in random order... FlashBlock - you know :) Foxmarks Bookmarks synchronizer - coz i have a habit of using my friend's laptop to read webcomics which i've bookmarked :) Long Titles - it prevents tooltip breaks NoScript - it lets me block javascript - i normally set it to block unless i specify a website is safe - saved my eyes on lemonparty :) StumbleUpon - even though i almost never use it and VideoDownloader - lets me download videos from youtube, google, eg :) yeah, that's all. Since firefox is customized the way i like it, my completely non-tech savvy parents use IE, although occasionally my mom uses firefox. they don't do much except check their email and some other stuff, so i guess my machine is safe :)

This brings a question to mind...

[AngryNick]

Being that any security flaw will make headlines these days, what prevents a "mole" from a competitor (say, for example, a borg developer) from joining an open source project and injecting difficult to detect security flaws? The process seems simple: join the team, create a stupid DOS flaw, wait for the build to go live, AC post to Bugtraq, profit from the carnage.

Forgive me if this is a stupid question...I don't know much about the Mozilla org, or for that matter, how open source collaboration works in real life.

Re:This brings a question to mind...

Oh yeah, that happens all the time. Those two coders I worked with last week, I think their names were Kennedy and Presley, had to be from MS. Strange fellows though, Kennedy always wore a hat...

Re:This brings a question to mind...

[I'm+Don+Giovanni]

"Being that any security flaw will make headlines these days, what prevents a "mole" from a competitor (say, for example, a borg developer) from joining an open source project and injecting difficult to detect security flaws?"

The "millions of eyes" that OSS advocates like to tout should prevent such a thing from occurring.

Re:This brings a question to mind...

[BZ]

In the case of Mozilla, for example, all patches require review by a well-established developer before being committed to the tree. Linux has a similar setup.

NoScript didn't work out for me

[DragonHawk]

"...I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client side technologies to work properly. To my surprise in 1 year and half I found few sites belonging to this category..."

I had the opposite experience, I'm afraid. I found I was enabling scripts/plugins/etc for probabbly about half the sites I visited more than one page on. Worse, many of those were sites I would most want that stuff disabled on -- e.g., MySpace. Eventually, I decided that I was effectively just browsing the same as without NoScript, but with more clicks and page reloads.

I suspect this has a lot to do with personal browsing habits and preferences. If you haven't tried NoScript yet, it's probabbly worth trying, to see if it will work for you. But, it didn't work for me, I'm afraid. :-/

Some points

[Vexorian]

A non-exploitable bug is not a security flaw , it is a bug.

If there were pages with the intention to crash firefox other than those proof of concept ones. I would worry

It is not only a rule for firefox: When the initial Opera 9 had DoS exploits, nobody really abused them

It Is mostly because a good hacker would like to have the biggest odds so they target IE

In fact, no matter how vulnerable the alternatives are they are simply not targetted

I will just stick to Firefox+NoScript , I consider executing code in my computer a privilege that I would only give to certain webpages, it also saves me from the new kind of annoying popups, those that use pure html and no windows.

I would say that if opera had a noscript plugin I would switch, but that's not true, I simply don't like opera mostly for interface reasons (for example the mouse doesn't become a I when you are over text, hoo) And it doesn't even allow plugins.

Re:Some points

[citizenr]

>I would say that if opera had a noscript plugin I would switch

like "edit site preferences/scripting/turn off javascript" ?

Re:Some points

"A non-exploitable bug is not a security flaw , it is a bug."

Not true. A bug might be non-exploitable as a stand-alone defect, but when use in conjunction with another non-exploitable attack vector, becomes exploitable indirectly, and is hence, a security flaw.

The concept of "defense in-depth" doesn't concern itself with immediate exploitation, but locking down every attack surface with due diligence to avoid unforseen combinations.

Crashing Browsers

[jefu]

Just crashing browsers is easy enough. Even just with HTML. Remember this story?

(A bit of self promotion.) I took his idea and incorporated it into a genetic programming system that manages to crash most browsers. It also finds HTML source that causes browsers to work for a looooonnnggg time to render a single page (in one case 19 hours for a page). The HTML is not particularly legal, but then there is no guarantee that any web page you load into a browser will follow any particular standard. Source (Java) is available at sourceforge - unpack and look for subdirectory "html". (Warning: As this is an evolving program subject to random hackery to "enhance" things, it is commented sketchily, way underdocumented and far from pretty in most places.)

Feeding time at the troll pens

[mysticgoat]

For me, Firefox 2.0 is worthless; bloathed, crashes constantly, and is just not workable anymore.

What is this "bloathedness" of which you speak?

I've been running FFv2.0 on my home machine for 5 days with my usual full complement of 25+ extensions[*], sessions longer than 24 hours, usually 8-12 tabs open, often using OOo and the GIMP concurrently (under WinXP at 1.6 GHz with 768 MB ram). For the enriched experience and development tools that FF offers, it isn't bloated. It is more stable in this development environment than FFv1.5 was.

[*]Manifest of add-ons:

1. 1-Click-Weather
2. AdBlock Filterset G Updater
3. AdBlock Plus
4. Answers
5. Calculator
6. ChromeEditPlus
7. ColorZilla
8. CustomizeGoogle
9. DomInspector
10. eQuake
11. Firebug
12. FlashBlock
13. FoxNotes
14. GetMail
15. GMail Space
16. HTML Validator
17. IE View
18. Image Zoom
19. MeasureIt
20. Nuke Anything Enhanced
21. Pearl Crescent Page Server Basic
22. Performancing
23. SpiderZilla
24. Sun Cult
25. Tabbrowser Preferences
26. Talkback
27. Web Developer
28. Wikipedia Lookup Extension

I will add Blockfall and Colorful Tabs, and possibly Blogger Bar, to this when these become available on v2.0

Re:Feeding time at the troll pens

It use unnecessary amounts of memory and resources? Maybe that is why people call it bloat? I would use konqueror as my main browser if it existed for anything but kde. Konqueror is both faster and use less resources and memory.

Re:Feeding time at the troll pens

[kurokaze]

and how much memory are all these goodies using??

Re:Feeding time at the troll pens

[mysticgoat]

and how much memory are all these goodies using??

Very little impact for what they provide me. Which is the point of FF: a relatively small core that can be extended in a customized way (something like 2,000 different add-ons now) to meet individual needs. I'm getting what I need without carrying the weight of a lot of features I don't want.

There are more compact browsers, and there are probably some that are more efficient in their use of memory. But Firefox is the most compact, extensible browser that has a broad support group behind it. v2.0 has gotten rid of the pesky memory leak problems. It's now all good.

Astroturfers and the like really need to find some other points to criticize FF about. The arguments about inefficient use of resources fail it, and they are beginning to reduce the credibility of those who push them.

Re:Feeding time at the troll pens

Very little impact for what they provide me. Which is the point of FF: a relatively small core that can be extended in a customized way (something like 2,000 different add-ons now) to meet individual needs. I'm getting what I need without carrying the weight of a lot of features I don't want.

That's so lame it's laughable. There's no reason that these extensions can't be bundled with FF and have ZERO impact to memory useage if they aren't in use. The only "weight" would be $0.02 worth of disk space.

Service Denial

[liam_p]

Shocking, so I'm denied service to a website which denies service. Hmmm, perhaps I'll try another site.

And its name is Opera

[Nicolay77]

Sorry I couldn't think anything else after reading the title of your post.

Now zealots mod me down again.

This news is for Digg not Slashdot

[obender]

Making Firefox crash is no big deal. You can find descriptions of how to do this in Bugzilla, there's no secret about it.

Here is an easy example, a segmentation violation by not specifying the namespace in xbl.

This is simple way to make people keep away from your site. OTOH I think I just had an idea for browser based minesweeper.

site problems

[slashbart]

Hi Willem,

when the software patents fight was heating up, I hacked the NoSoftwarePatents image into my site. That's probably the image that's flowing into the text. I removed that now. I've also removed the "Valid HTML" link. I don't see any other problems, but if so, I wouldn't mind an email.

Thanks

Bart

Re:site problems

[tsa]

Bart,

Hier en daar zweven nog wat W3C/HTML4.0 plaatjes in de tekst. De website is zo groot dat ik hem niet helemaal bekeken heb.

Succes, Willem

MOD PARENT DOWN!

OMG hes posting facs!

Denial of Cervix

[DanCentury]

Woman are denying me cervix all the time, why should firefox be any different.

Oh wait... denial of service! I need a better screen reader.

Toyota

[Inoyun]

The Toyota site did crashed my firefox 2 while trying to build a truck. Very Frustrating.

DoS with JavaScript is obvious

[Ambush+Commander]

JavaScript is a programming language. It is turing complete. The halting problem for it, then, is undecidable, making it impossible for any browser to detect all infinite loops / large amounts of memory/cpu consumption.

If theory makes you gag, check out this thread on JavaScript Denial of Service for a list of concrete examples. All of the samples are extremely effective at taking out all browsers (IE, Firefox and Opera alike).

I am more concerned about pages that can crash browsers without the intervention of JavaScript. This includes imagecrash (may crash you!), mailto crash, and an huge XML file crash. They should be preventable.

Anyway, the reason why DoS's aren't actively pursued by the black-hat community is that it's very difficult to put them to good use. Sure, it will annoy someone, but it's hard to monetize, etc.

Re:So damn true

Amen to that man.
I also am/was an ardent FOSS evangelist, damn in love with Firefox and religious about kicking IE's butt whenever I had the opportunity to, but the fact is that if IE is a worthless piece of crap (though I like the IE7 interface better than FF's), FF is also nothing but a spoilt brat. Word has it that it snatched a lot of IE's market share but though it might be partly due to innovations, much of it is a result of the blind support from the FOSS community because as far as quality and innovation is concerned, Opera rulz the roost. FF is a memory hog, has less standard support than Opera (get thru the goddam acid test u fatass!), crashes damn much, copies a lot from Opera with no real innovation till date. It boasts of tab browsing and popup blocking but it was Opera that came up with that. In version 2.0 it comes up with spell checking which is fine (Opera got it too), but which is nothing when compared to those of Opera (widgets and bittorrent!). I know what u guyz are probably thinking - Firefox has extensions which bring about unlimited functionality yay! Extensions are probably the main thing that kept me clinging to firefox for so long but it aint worth the cost coz FF is pretty unstable and guzzles tons of memory, running many extensions only adds to the burden, Opera does much better by natively supporting features that everyone wants, and leaving the extra gloss to things like widgets. Indeed Opera got not only a browser but also an email/news reader, bittorent client, irc client, and lots of nifty features like remembering my previous session which was until 2.0 unsupported but for tabbrowser extension (highly unstable in its beginnings) and all that with half disk space compared to FF. With about that extra space you could get speech support for Opera which is perfect for those with handicaps or who are plain too lazy to hold a click-a-doo. Needless to add that Opera is much much more secure than FF.

And yeah Opera IS the fastest browser on earth, firefox AIN'T!!!! Even my non-geeky silver surfer dad noticed it. Someone should really step up and give Firefox a good spanking coz it really needs one if one day it wants to acquire the quality of a first class browser. Get real dudes, get opera, I did.