A Bad Month for Firefox
marty writes "Februrary is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michael Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."
I'm still running 1.5.0.9 and it works a treat. Am I missing something besides, apparently, h4x?
--- Do you believe in the day?
Bottom line - the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE.
Granted, I do think Firefox is far superior to other browsers on the market, but I don't think that this should surprise anyone. At least Firefox is being fixed quickly. I suspect other software companies may not have held back their release times on upgrades to fix additional bugs. ("Don't worry now, just get this new version out before the deadline, we'll fix it later...")
I hope the land around you yields, a crop like all the other fields, and then your waiting might make sense...
Well, such headlines won't stop me from using FF. At least vulnerabilities are attended to in a way that I believe (wrongly?) is faster than most mammoth companies would manage. That said, this point from the article is interesting, making me believe researchers should (?) have incentives to disclose security bugs to Mozilla first and to the public only when the fix is distributed:
"Although Snyder said she would prefer it if Zalewski and other researchers would disclose vulnerabilities to Mozilla before taking them public, she said the company relies on such experts to help it keep customers protected from attacks, as painful as the reports may be."
Animoog.org
As the author of security software, I'm not happy to find flaws in my code, but I'd rather find them than not.
The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice.
Tom
Someday, I'll have a real sig.
Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective. However, it is not like they are ignoring these things or trying to spin it like they are not real problems (as certain commercial and proprietary software vendors are prone to do). This is, in fact, quite good for the users.
Good month. Finding lots of bugs, and fixing them, is a good thing. We don't need to pretend it's perfect and rosy and all nicely secure and won't ever need a patch or an update. We're realists on this side of the OSS fence. We know that software is only as good as the people working on it.
I'd like to extend a hearty thank you to this researcher for making Firefox even better.
http://twitter.com/onion2k
Solution: Stick with IE. Shoudda known.
This comment is printed on 100% recycled electrons.
I hardly see this as being Firefox's fault. It's been a more common denominator to have Javascript as the culprit. There's always been some "handling" issue in just about every browser ever coded. So with this continuing, I'd be pointing all fingers at Javascript and nothing else.
Compliance should be the next target of finger pointing too. If Firefox seems to have its act together and it keeps falling prey to, and having to adapt to, issues of external development, I really think it's time for an overhaul of some highly exploitable Javascript code.
I don't know anyone who has lost faith in Firefox or switched back to anything else. It's still a great browser and seems to be getting better. There will always be problems with software. The thing that's interesting here is that all of Firefox's good aspects and bad aspects are out in the open. That's what makes it work.
Yeah, I'm as old as my UID would suggest.
No. It's how it works with Microsoft; it's not how it works with open source software.
With Firefox, if you disclose a hole to the public there's also a higher chance that someone outside the foundation, from the public, could try to fix the hole. (Which might not be too difficult for an outsider if the fix is just adding a check to reject invalid input.) If you only disclose to Mozilla, the list of potential patchers is small and most of these are already busy fixing the other holes and developing, and you take the risk that in the meantime some cracker group discovers the problem independently and writes an exploit script.
Whereas with Microsoft products, if you disclose the problem to the public, they can't do much apart from switching to another product or waiting until Microsoft developers finally fix the problem. So from the company's point of view, there's no usefulness in disclosing a hole to the public.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Buffer overruns happen. Security models have holes. This is nothing new, and you'll find it in damn near every software project of any complexity.
The rational ways of dealing with this are a very dictatorial style of project management to get it right the first time (See: OpenBSD) or a quick and responsive way to kill security-affecting bugs dead. Firefox, with its gazillions of volunteer and paid programmers, opts for the latter. Too often, closed source developers just sit on these bugs, or sue the people trying to find and publish them, or use their marketing department to cover for their developers' shortcomings.
I'm pleased and reassured that Firefox is having these issues. Active and open security research will always result in a stronger product, and delays to deal with them are acceptable so long as the software is better for it. Even OpenBSD's been hacked a few times, and it's how you deal with it that's more important.
Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of. Give me this over Internet Exploder any day.
When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets... we actually know exactly why something has been pushed back, and can make reasonable judgements about when it will be back on track for ourselves. This is one of the more important aspects of open source that corporate IT overlooks... the ability to plan for and work around changes in the release schedule.
So, yeah, setbacks happen. To everyone. How the setbacks are dealt with is where the rubber meets the road. Firefox is generally ahead of the industry here, too.
There is one problem with the flaw, it's very hard to reproduce, I think I reproduced it once in a 1.8 branch build, but not afterwards.
If anyone can reproduce it consistently, and has a 1.8 debug branch build, it would be great if he could try and give a useful stacktrace in the bug.
I bet if Lcamtuf heard he's being called a 'researcher' he'd be rolling in his grave.
After dropping dead on the spot, that is.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
When it comes to software performance, it's pretty useless to compare the performance of your software to a previous version of that same software. You need to compare your performance to that of the current leader in the same market.
Maybe Firefox 2 is faster than Firefox 1.5. But compared to Opera, Konqueror and Safari, it's still quite slow and extremely bloated. Apparently it's also quite insecure, too.
KDE 4 is getting very close to being released. Its native support for Windows will bring Konqueror to a whole new audience, thus drastically changing the Windows browser landscape. Unless the Firefox developers really get their asses in gear, which apparently isn't happening, Konqueror will come along and smite Firefox.
If the beta released today is any indication of what the final KDE 4 release will be like, then Firefox had better watch out. This new version of Konqueror already has the speed. It has the stability. It has extremely low memory usage (but still higher than Opera). I don't know if Firefox will be able to compete unless a massive rewrite is undertaken. But if they do wish to remain competitive, they'd better get going.
"Conclusion? Apache has predictably shown more vulnerabilities than IIS versions over the same time period"
Conclusion? Apache has predictably reported more vulnerabilities than IIS versions over the same time period
FYP
My turnips listen for the soft cry of your love
Most Critical Firefox Flaw Remains Unzapped!!!
Interesting read at http://securitywatch.eweek.com/open_source/all_the_firefox_flaws_hunted_down_1.html
You've got a Live Bookmark to "Latest BBC Headlines." It's in the default installation. A live bookmark is basically the subject lines from an RSS feed in a submenu. Not very useful, but not exactly a bug either -- technically, you are subscribed to a feed, you just don't know it.
It's located in Bookmarks -> Bookmarks toolbar folder (at least on my installation), and in the bookmarks toolbar.
Is Scobby Doo writing the posts these days? What's "Februrary?" The month after "Janrurary?" Right before "Marrrrrch?"
The defect information is fed back to the Toyota engineers, and they redesign the defective parts of the Camry. The third-year release of the Camry should be quite reliable. (Toyota [msn.com] has some of the highest rates of recalls [thestar.com] in the automotive industry. Toyota typically recalls nearly 10% of its vehicles -- versus "only" 7% for General Motors.)
If you are using your Web browser to do critical jobs like online banking, you should continue to use the latest iteration of Firefox 1.5. The latest iteration is version 1.5.0.10. If you are still using Firefox 1.5, look under the "Help" option to find the option "Check for Updates", which will enable you to upgrade to 1.5.0.10.
Don't you find your advice and your example conflicting? You're urging us to use the second-year release of the Camry versus the third-year release.
Just because it was called "2.0" doesn't mean it's really that new compared to 1.5. In fact there were more changes to the core of Firefox between 1.0 and 1.5, than 1.5 and 2.0.
What you see are mostly changes on the surface: new (uglier) icons, new (uglier) tabs, couple of usability changes to the UI. The core is virtually unchanged (except the regular minor patches).
Ok, so it appears that the bug is already fixed in the 2.0.0.2 release of Firefox.
So maybe the post can be updated?
first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release
The remotely exploitable flaw, bug 371321, was reported at 5:35 pm (California time) on Thursday. We had been planning to release Firefox 2.0.0.2 on Friday morning. After some discussion, we decided to go ahead with the release and then follow up with a quick 2.0.0.3 once we had a patch for the newly discovered hole.
After releasing Firefox 2.0.0.2, we realized that bug 371321 didn't affect it, thanks to another patch that went into Firefox 2.0.0.2 for non-security reasons. So although we didn't know it at the time, we released a fixed version of Firefox about 16 hours after the most serious hole was reported.
The testcase in bug 371321 did lead to a fix for a similar bug that existed on trunk, though.
The shareholder is always right.