Serious Vulnerability In Firefox 2.0.0.12
Oh, Not Now writes "Mozilla Firefox 2.0.0.12, mere hours old, is vulnerable by default to a directory traversal trick, via the view-source mechanism. Although mitigated by the NoScript plug-in, this is quite a serious bug — the default installation is vulnerable from the get-go."
Good thing I just read this, I was in the middle of downloading that version :0
:)
What we can count on is that this bug will be fixed in a few days... maybe even hours, unlike all those Microsoft vulnerabilities that have taken months to fix
First post :
Just before I opened this session, I had upgraded.
Oh, well, just one more unlocked door in the grass hut I call a computer.
Is it just my observation, or are there way too many stupid people in the world?
I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
Why isn't NoScript just a mandatory extension at this point? It seems like it would be pretty unobtrusive with default settings at a slightly reduced paranoia level.
Insert self-referential sig here.
Maybe microsoft should have looked into mozilla instead of yahoo...
well that tears it.... the apocalypse is nigh!
I've been using Iceweasel because the flash problems in Konqueror were driving me nuts. You don't realize how much flash is on the web until it stops working.
Hopefully the Firefox 3 beta is not affected by this, that's what I've been running since Beta 2 came out. Anyone know?
If I had one dollar for every brain you don't have, I would have $1.
It makes me happy that this type of vulnerability is what we call serious these days. If you remember, just a couple of years ago microsoft was downplaying the WMF vulnerability. It was not considered "critical" because the target needed to manually visit a malicious website for the attacker to take over the target machine.
:-)
While this is a really neat find, and I am glad that it will be patched pretty soon, I don't think it is quite at the level of "sky falling" etc. From what I understand, an attacker that can execute javascript in your browser has the ability to read any file in the target's Mozilla directory. The worst that I think an attacker could do would be to grab your stored password file. While this is definitely something to be concerned about, the headline had me pretty worried.
Would that be why I caught a trojan right after installing that version and browsing sites of questionable trustworthiness?
You just got troll'd!
You gotta love Firefox apologists. They can turn a complete failure on behalf of Firefox development and release engineering into a discussion about how Microsoft is horrible and IE fails.
You're living in the past. Everyone knows IE6 was horrible. I'm running IE7 under protected mode. If you're going to talk shit, at least talk shit about current software. People who spend their time talking about how Windows 98 crashed a lot, IE5 and 6 were really insecure, and IIS 5 was the fastest way for a computer to get hacked on the net, are really starting to sound tired and sad. When we're running Windows 7, Internet Explorer 8.0 in Protected Mode, and IIS 7.0 on Windows Server 2008, fools like you are still going to be apologizing for every bug in by bringing up bugs from Microsoft products 5+ years ago.
And even if IE6 was the most horrible browser ever and they waited for "moths if not years" for patches, how does that make this Firefox vulnerability any better? If IE6 is so bad, why is it your example for trying to minimize this Firefox vulnerability?
Microsoft products are getting better. Deal with it. Quit living in the past.
Does anyone still think that it's a good idea to permanently store your passwords in your browser?
I use "Internet Explorer version 7.0" from a company called "Microsoft Corporation". I would recommend trying it out.
It seems to render most web pages accurately and is moderately fast. Yes, I know, it IS slower and uses WAY more memory than the two other dominant browsers (Firefox and Opera), but the company does seem to have a lot of programmers working for it, has been in business for a while, and seems to have some staying power. The company's CEO, a man by the name of "Bill Gates" seems to have his wits about him and seems to have invented a good thing here. I urge people to try it out. The only thing is, that the browser only seems to be available for a small number of available Operating Systems.... namely "Microsoft Windows" and also a small number of "Macintosh OS Ten"... and doesn't seem to be available for the mainline Linux OS, but perhaps they are working on it.
TDz.
>Microsoft products are getting better. Deal with it. Quit living in the past.
So are realplayer's products, but you don't see anyone telling anyone to install them.
Where do you have to go that needs flash? I specifically use 64-bit Epiphany without flash so I don't have that load for the minor benefits. It's chiefly used for advertising, as far as I have observed, and video. For video, it's not that hard to fire up 32-bit firefox with flash when I do want to watch them. Why do you need flash so?
Well, bug and bug. Short story for those that don't know: Macromedia released a new version (r115) that relied on some functionality currently only in Firefox, but not in typical versions of Konqueror or release versions of Opera. This broke all the distros, including all old supported distros because Macromedia doesn't let repositories host old versions. Last I checked the possible solution was a big backport. Development versions of Konqueror (for hardy heron in my case) and Opera 9.5 support it, but this is quite simply forced obsolescence on Macromedia's part.
Live today, because you never know what tomorrow brings
Opera is closed source so you have no idea what vulnerabilities are in it...
Politics is Treachery, Religion is Brainwashing
Is Firefox 3 Beta 2 also vulnerable to this exploit?
Microsoft "products" (software is not really a product anyway, that's a marketing lie) still don't work on my Linux system. Why should I give a fuck about them?
The file they're reading from in TFA (all.js) contains a portion of the default Firefox preferences, not your current settings. There may be other ways to exploit this problem, and web pages definitely shouldn't be allowed to read any file from your computer, but the proof of concept isn't as bad as they say it is. The majority of your personal information is in your profile directory (under Application Data on Windows), not the program directory.
There are quite a few corporate sites which incorporate flash to "enhance" their site, and there are some sites which won't even let you in unless you pass the flash-only home page. If you don't have flash, they don't want your business. (At least, that seem to be the opinion of the web IT staff, I haven't contacted corporate to see if they agree with that assessment). As for examples, Bath & Body Works used to be that way (I emailed them, they are no longer flash-limited...I don't believe those two things are linked, though). Rainforest Cafe is another. BBW didn't get my business back then, and Rainforest missed out on a dinner guest recently - I couldn't find their location, and couldn't use my mobile browser to get to their page. Will they care that they probably lost less than $100, of course not. But it certainly would have been nice if they wouldn't have had a "no flash, no service" sign out front.
Is it just my observation, or are there way too many stupid people in the world?
I prefer to stick with bugs I know how to fix, I can't say I have the money or balls to go out and blow money on bigger bugs than my dinky little roach motel is capable of handling. :P
(Especially considering I literally cannot even afford to put gas in my car to go apply for a job.)
Doesn't look like a vulnerability to me. So it can read files in /usr/lib/firefox, but those are just the standard files from the firefox package. User configuration and stored passwords etc are not stored there... It still can't get to $HOME/.mozilla...
--- Hindsight is 20/20, but walking backwards is not the answer.
I'm confused, how is this a serious security problem? All it allows is reading files from the Firefox application directory, which isn't exactly sensitive data, since you can get the exact same files from just downloading Firefox from Mozilla's website. Your prefs, passwords, etc. are stored in your Firefox profile, which lives outside the Firefox application directory, so they *are not* accessible via this trick.
I literally just switched to Firefox yesterday from Opera, but even with this bad news, I'm going to stick with Firefox. Extensions are just too good a feature in a browser.
WINDOWS program vulnerability? Sure looks like it. Why isn't this made clear in the headline or summary then? How about the microsoft/mozilla stealth alliance make TWO names for the two different programs, or would that be giving away the crown jewel secret that's been hiding in plain sight even larger and more blatantly than the old SCO Microsoft stalking horse? How many times do we have to see a windows vulnerability ascribed to the entire mozilla package called "firefox" on an alarmist headline? Is it really so hard to rename the linux version to something else? Oh it is? "Too confusing" even though they really are two different programs? OK, then maybe could the article submitter or editor append the word windows or Microsoft to the headline to differentiate it? Call it by its real name, which is the Microsoft Windows Mozilla Firefox Browser version whatever, then go on to outline the new vulnerability.
You can install KMplayer to get around it. It takes a few more steps than normal, but it works (and from my subjective experience is much faster running than the normal nspluginviewer way). Here are instructions for doing it: http://mikearthur.co.uk/?p=171
While I have to develop for it, I'm going to bitch about it. IE6 is still alive and well, and making up a significant proportion of site hits. It's still a piece of crap, and I still have to take it into consideration when I'm developing. Granted, the flaws I care about are rendering rather than security, but complaining about IE6 is most definitely not "living in the past".
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
gre is constant data. This report is FUD.
Firefox is open source; anyone who wants to view view-source:resource:///greprefs/all.js can just as easily load http://mxr.mozilla.org/mozilla1.8/source/modules/libpref/src/init/all.js?raw=1; it has the same content.
all.js is *not* user data, it's *public* app data. Your preferences are stored in prefs.js which are not exposed by greprefs.
Seriously, this title should be changed now (get rid of "Serious"), and a "!serious" tag added. The author of the article is an asshole who just waited for this release to fear monger and gain some attention. This bug exists in previous versions, this is not a new issue. The fact is, 2.0.0.12 fixes issues from previous issues, and does NOT introduce this "new" bug.
You should still upgrade. You are already vulnerable to this "attack" without it, but you can at least gain some new fixes for other issues.
You know, we're trying to promote open source software. To scream that firefox has a "serious vulnerability" when it in fact doesn't is IT treason.
Doesn't matter what browser you run, if you let anyone execute whatever code they want on your own machine via your browser it's the equivalent of running that trojan.exe you just downloaded from Messenger.
Is there a NoScript for IE 7 and Opera?
Hmmm...not a product. If you're trying to say what I think you're trying to say, you're using the same old tired lame-ass argument that software is 'Intellectual Property' and should not be subject to patents, copyright, etc. etc. etc.
Really? What about books? Should we use the same argument? I can almost bet that you think music should be free also.
I'd bet that a long list of 'intellectual' items could be put into that 'non-patentable/non-copyrighted' category.
What would you pay for? What do you think should be patentable?
Do I think some things should be free? Yes. Especially research (or any product for that matter) that's paid-for with public money.
Now, if software is developed with public funds then it better be available to all!
How come when there's a security hole in an MS product it gets the 'haha' tag, but if it's an OSS project it doesn't?
> Everyone knows IE6 was horrible. I'm running IE7 under protected mode. If you're going to talk shit, at least talk shit about current software.
well in their defence more people still use ie6. so they are talking about current software.
http://www.w3schools.com/browsers/browsers_stats.asp
at my job it is split about 90% ie6 v 10% ie7 for internet explorer users. thankfully the number of ie users is dropping as more switch to firefox. ie7 has speeded up that switch as many hate the interface.
but to be on topic firefox has a serious bug. i expect it will be patched in a day or so. firefox is good at that.
> Microsoft products are getting better.
only because they have serious competition from firefox, apache etc.
> Deal with it. Quit living in the past.
i don't live in the past i use linux and mac osx.
lol, serious stuff
300: file:///C:/Program%20Files/Mozilla%20Firefox/
200: filename content-length last-modified file-type
201: .autoreg 0 Mon,%2005%20Nov%202007%2016:16:28%20GMT FILE
201: AccessibleMarshal.dll 13952 Fri,%2008%20Feb%202008%2019:42:30%20GMT FILE
201: LICENSE 30869 Thu,%2026%20Jul%202007%2002:39:20%20GMT FILE
201: README.txt 177 Thu,%2026%20Jul%202007%2002:39:20%20GMT FILE
201: browserconfig.properties 232 Thu,%2026%20Jul%202007%2002:39:26%20GMT FILE
201: chrome 0 Fri,%2008%20Feb%202008%2019:42:39%20GMT DIRECTORY
201: components 0 Fri,%2008%20Feb%202008%2019:42:39%20GMT DIRECTORY
201: defaults 0 Fri,%2028%20Sep%202007%2022:59:30%20GMT DIRECTORY
201: dictionaries 0 Fri,%2028%20Sep%202007%2022:59:30%20GMT DIRECTORY
201: extensions 0 Fri,%2021%20Dec%202007%2011:21:24%20GMT DIRECTORY
201: firefox.exe 7655024 Fri,%2008%20Feb%202008%2019:42:35%20GMT FILE
201: freebl3.chk 476 Fri,%2008%20Feb%202008%2019:42:35%20GMT FILE
201: freebl3.dll 200829 Fri,%2008%20Feb%202008%2019:42:35%20GMT FILE
201: greprefs 0 Fri,%2008%20Feb%202008%2019:42:40%20GMT DIRECTORY
201: install.log 28197 Fri,%2021%20Dec%202007%2011:20:32%20GMT FILE
201: js3250.dll 456808 Fri,%2008%20Feb%202008%2019:42:35%20GMT FILE
201: nspr4.dll 161392 Fri,%2008%20Feb%202008%2019:42:35%20GMT FILE
201: nss3.dll 378472 Fri,%2008%20Feb%202008%2019:42:36%20GMT FILE
201: nssckbi.dll 271984 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE
201: old-homepage-default.properties 112 Thu,%2026%20Jul%202007%2002:39:26%20GMT FILE
201: plc4.dll 34424 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE
201: plds4.dll 30320 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE
201: plugins 0 Fri,%2008%20Feb%202008%2019:42:42%20GMT DIRECTORY
201: res 0 Fri,%2028%20Sep%202007%2022:59:27%20GMT DIRECTORY
201: searchplugins 0 Fri,%2028%20Sep%202007%2022:59:30%20GMT DIRECTORY
201: smime3.dll 112232 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE
201: softokn3.chk 476 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE
201: softokn3.dll 254060 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE
201: ssl3.dll 132712 Fri,%2008%20Feb%202008%2019:42:37%20GMT FILE
201: uninstall 0 Fri,%2008%20Feb%202008%2019:42:48%20GMT DIRECTORY
201: updater.exe 132232 Fri,%2008%20Feb%202008%2019:42:38%20GMT FILE
201: updater.ini 709 Fri,%2019%20Oct%202007%2013:36:24%20GMT FILE
201: xpcom.dll 13416 Fri,%2008%20Feb%202008%2019:42:39%20GMT FILE
201: xpcom_compat.dll 73848 Fri,%2008%20Feb%202008%2019:42:38%20GMT FILE
201: xpcom_core.dll 422000 Fri,%2008%20Feb%202008%2019:42:39%20GMT FILE
201: xpicleanup.exe 73336 Fri,%2008%20Feb%202008%2019:42:39%20GMT FILE
201: xpistub.dll 12400 Fri,%2008%20Feb%202008%2019:42:39%20GMT FILE
or not
As someone who uses Linux because I was able to customise it to be exactly compatible with the way I think, and so I'm unable to run Internet Explorer or IIS, I have to say you make an excellent point.
To everyone else: Do you remember before the browser wars, when Netscape was the big, bloated dominant player and Internet Explorer was the fast and light competitor which needed to prove itself (even if it did so by cheating)? Do you remember the time between the wars, when Internet Explorer was buggy and insecure? Now we are in the second browser wars and Internet Explorer is trying to compete. And it's a good thing. The Mozilla foundation cannot afford to sit on their laurels or Firefox will be the also-ran that the Mozilla suite is. Never hold yourself to someone else's standards: Be the very best you can be, and it'll always be better.
And be grateful for it — we on Linux pretty much have no choice but Firefox (or Firefox-based browsers) if we want a vaguely native, somewhat integrated system (well, there's Konqueror if you use KDE but it's not up to the same level as Firefox and Internet Explorer). There's no competition, no choice, and no reason for Mozilla to focus their development effort over on this side of the fence. And we suffer for it, with form widgets that don't look right and menus that don't work properly.
Look out!
Well it appears they are attacking an MS box, by the Program Files part of the filename string. I doubt this would do much on a *nix box with proper access permissions set up. So yes, this is indirectly MS's fault if theirs is the only platform vulnerable, which is likely.
Unfortunately, too many sites use it for navigation and crap like that. The wire image viewers for most major newspapers use it. Embedded media in various blogs, etc.
dude, you just blew my mind.
Maybe Ron Paul is the one to help wipe out browser vulnerabilities!
Your sig is an advertisement. Do you know that it reflects poorly upon you and ruins the integrity of your posts?
It uses a lot of memory at times for me personally, but well within reason. 200mb max (4-6+ hour session) with 2gigs RAM. Not wholly unreasonable. I seem to recall, tho certainly can't say definitively, never seeing it top 80mb on another box I have with 512mb.
I've been using Noscript for a while now, and personally it hasn't really affected my peak memory usage for better or worse. I also have constant access to CPU/Memory usage percentages through my G-15 keyboard's display, so I tend to keep an eye on that more than most people.
I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
Thanks to the OP. Just (less than 5 minutes) before I read the article, I'd upgraded to the latest version of Firefox. NoScript is now installed.
linquendum tondere
Something else weird that happened to me when I upgraded:
I've got Firefox as my default browser on XP, and after the upgrade to 2.0.0.12, all of a sudden IE showed up as my browser at the top of my Start menu. When I went into the control panel to "set program access and defaults", Firefox doesn't even show up as an option. WTF?
It's still installed, as it's in the programs folder, and it runs fine....also doesn't ask me if I need to set it as default, so it still is, but Windows has completely lost the fact that it's a browser.
Anybody else have this happen?
"City hall" in German is "Rathaus" Kinda explains a few things......
Are you seriously asking this question?
Are you at all surprised that, here on /., security vulnerabilities in MS products are always much more severe and worthy of ridicule than those in open source products?
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
As a web developer I thought this meant MY web server directory - maybe it does? Sounds more like the directories on the client. I guess in any case it's Windows based - but perhaps autoupdate should be turned off on all OSes.
I thought it was a good idea
No vulnerabilities have been shown.
The "PoC" lists only the user's DEFAULTs. Every Firefox installation has the same fucking defaults, and they are no secret.
There is no directory traversal vulnerability either; you can only load the DEFAULT INSTALLED FILES, which are the same for all fucking users, and are obviously no secret.
This isn't a problem just with Firefox, but with all full browsers today (the various midget text-mode ones excluded).
Any non-trivial program contains bugs and vulnerabilities proportional to its size, and the relationship between size and inherent problem-count is probably a lot worse than linear. This is true for all programs and all systems, but it is especially true for monolithic ones, and to a very large extent the main body of modern browsers is quite monolithic. Even the plugins load into the same address space in most cases, although there are exceptions to this in the browser world.
The present situation is not good, and everyone is familiar with the consequences of it: the web browser is by far the most crash-prone of all applications present in our operating systems today.
Is there a solution to this on the horizon? Not at present, because developers in all the most popular programming languages almost always implement monolithic systems (because the languages encourage it and the courses teach it), and are highly averse to extreme modularization. Again, there are exceptions, but they are rare.
We are living in a bit of a Dark Age in this area currently, and I don't foresee any change within the next five years at least.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
If you take a look at what this is doing, there's much less to it than meets the eye.
The way the page works is that it is able to load the file all.js in the greprefs directory inside your firefox installation. However, it is not *reading* this file and making it available to the javascript interpreter, it is *executing* the file. The file is a big list of browser preferences, each set with a call to a function with the signature pref(name, value). There is no code in there other than calls to pref. What the page does is define its own pref(name, value) which gets called, and the names and values are therefore available to the javascript interpreter.
So:
I would additionally point out that the view-source: part of the URI appears to be unnecessary, since at least for me (Ubuntu FF 2.0.0.12) the "exploit" worked just fine without it.
Umm, can anyone say "Opera"?
hahahahahahahahahahahaha /wipes tear
I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
Indeed,
From TFA: "We can trick Firefox itself in traversing directories back".
but then it says:
"we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory"
Since TFA is not clear, I have tried it myself and I WAS NOT ABLE TO TRAVERSE a directory back with resource:///../
So the only files someone can read with this vuln are the files inside firefox directory which from what I can see are just default files and no cookies or passwords.
If anyone thinks any different please let me know.
When we're running Windows 7, Internet Explorer 8.0 in Protected Mode, and IIS 7.0 on Windows Server 2008, fools like you are still going to be apologizing for every bug in by bringing up bugs from Microsoft products 5+ years ago.
So ... you're dismissing the long and tiresome history of Microsoft's security record by stating that the next version of Windows, IE, etc. will be the most secure version ever?
Normally I don't use inflammatory terms like "apologist", but in this case, I think the characterisation is appropriate. If there's anything tiresome in the matter, it's not those who take the opportunity to point out the history, but those who repeatedly insist that doing so is somehow unfair, undeserved, or worse, somehow not relevant.
If scripts are so unsafe then why does Noscript run scripts too? On top of that Noscript puts itself on a whitelist by default, but it leaves off sites like youtube. That kind of behavior by a plug-in makes no sense unless it can't be trusted.
OK, IE 7 on Vista has some extra damage mitigation features.
They wouldn't have helped for this particular problem. There was no security hole, nothing is malfunctioning, no part of the system is accessing data it shouldn't be. Aside from having already thought of and worked around this exact bug, there is NOTHING that could have been done in terms of process or technology to prevent this from occurring in the first place. Exactly this kind of bug can, and probably does exist somewhere in IE7.
However, there is no security issue here. You can only read files from inside Firefox's own installation directory, you can only read them by including them as JavaScript files, so a non-JavaScript file will break. You can not, despite the article's claims, read out any user settings, or leak any information. You can read out the DEFAULT settings, but they're already well known. No modifications can be made, there's no information disclosure, and there's certainly no possibility to cause the browser to do something it's not supposed to.
In other words, Microsoft wouldn't consider this a security issue, and wouldn't patch it. Not publicly, anyway.
I'm a Firefox user on both Windows and Linux, but I think you unfairly downplay Konqueror. Konqueror has benefited from its common source base with Safari, and actually does better in some ways (Acid 2 test?) than Firefox 2.x does.
Props to the Konqueror team, I say.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
Crap. What did the new CSS do with the "Post anonymously" option??
I run my Firefoxes (yup, with "es" ;) in special user accounts, made especially for surfing. My main Firefox (the one I use the most) is run as a user that does nothing else than browsing. Sure, it's a little cumbersome when I d/l files that I need to move to my real account, but I've been running Firefox like that for years and I can't stop LMAO'ing when I read about yet another Firefox vulnerability. Then I've got another special user account, only for another Firefox, to do my GMail/PC Banking. These two Firefox instances are always on, each on a virtual desktop.
Some even go the 'virtual-machine-only-for-browsing' way and I may do that soon (probably using KVM). I know, I know, "virtual machines" perfs sucks (so you think).
So, yup, a nasty person using a Firefox vulnerability could read every single file in Firefox's directory (and subdir), that's what the exploit referred to in TFB (the f*cking blog?) talks about or it could read every single file belonging to the user running the browser: no big deal, that's exactly my point.
Neither do you with Firefox, if you count both known and unknown vulnerabilities. Sure, I know yesterday there were X bugs and today X-1 bugs (unless they've added some new ones) but since I have no idea what X is, it hardly matters. Even if we knew, it'd be hard to say if it's because they've got few bugs or aren't looking for them or tagging them as such. In the end you look at their track record and see how many public and serious exploits there are; if it's a swiss cheese that keeps getting hacked it's crap, if not it's good because hackers don't hold back for PR reasons. So far I'd say Opera has a very good track record...
Live today, because you never know what tomorrow brings
Well then, let's see!
Hmm, looks pretty similar to me. Maybe that's because it makes no sense if normal users cannot read and execute applications and their associated data? Program Files on Windows being readable by everyone has nothing to do with what is a Firefox vulnerability.
On the other hand I guess you're right. No "Program Files" directory on the Linux machine, it must be safe!
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
No, his point is that when the new version of Windows or IE comes out, you don't go back and re-evaluate whether it is, actually, the most secure version ever. IE7 is really good.
Comment of the year
I think you mean "Steve Ballmer," as no one named Gates is CEO of Microsoft. Nice try though, and better luck next time!
This is a hacked account, for which the owner can not be held responsible.
Nobody is going to live in a world where javascript isn't enabled in the browser except weirdo slashdot users. Get over it. We live in a world where JS exists. Just get used to it. AND design/patch browsers that aren't vulnerable to attacks using JS.
/rant
Macromedia released a new version (r115)
Actually, Adobe released a new version. Macromedia hasn't existed for a few years now...
... I'd like to say that that is a fantastic idea, and I'll ensure that we acquire Mozilla ASAP.
Enjoy being beaten up by your fellow /.ers.
Yeah, but the problem is that IE7 is even more horrible than IE6, both on a usability standpoint and a web development standpoint. The former, because it's implemented sweeping changes in the UI that are frankly confusing to users used to the old IE5/6-style interface, and a lot of compatibility was broken between IE7 and IE6 (Quickbooks for one... Ugh). The latter because, let's be realistic here, while better than IE6's (and ironically, this is IE6's greatest strength), IE7's standards compliance blows. It renders pages almost completely differently than Mozilla, Safari, Konqueror and Opera, and can you perform specific fixes easily in IE7 by doing things like "xx:yy ! important; xx:yy;"? No, IE7 incorporates the ! important flag. Can you do a nonstandard "xx:yy; _xx:yy;" hack? No, it, as it should, ignores that. No, you have to get it with a script (usually server side, requiring more resources on the server, and if not, then Javascript, but what about all the NoScript nuts in this discussion who would no doubt turn JS off outright?), detect the browser version, and output dynamically based on whether it's IE7 or something else, which is a pain in the ass, especially when IE fights with the other browsers over where things should be placed and what size they should be, even if exact pixel values are used. There's no excuse for this, I'm sorry.
The only other problem with talking about IE7? Nobody I know cares about IE7. We still ship systems out from my workplace with IE6 on them, and leave it up to the user to install IE7, simply because it causes issues with web apps and even some programs, not to mention the headache when some Win98 user on his first XP machine all of a sudden can't find the "File" menu of his shiny new browser. IE6 is still very much in play on the internet, and IE7 is only really gaining ground at this point because it's now a critical update, not even requiring a valid XP license any more, not to mention it's the only way to go in Vista, which is pre-loaded on most new machines nowadays anyway.
If anything, Microsoft products aren't getting better at all, though I think the outlook is good for IE8 and Windows 7 (mind you, I was optimistic about Vista and its promised new features, virtually all of which except Aero and the Sidebar were canned). I personally feel, as someone who deals in this software on a daily basis, that Windows Vista, Office 2007, and IE7 are extremely weak forays into new UI designs that frankly are neither efficient nor pretty, and the same could be said of their performance. I could go on and on about Vista, and yes, it has its high points ("Find a Solution" is awesome functionality), but IE7, for me, is a total flop. Office 2007 is the same; I can't understand why, aside from "just because", they would change the interface so dramatically that anyone with familiarity with Office 2003 wouldn't be able to sit down and just do some work like normal. Even the key commands and shortcuts are different, and let's not get into the DOCX format. So instead of innovating (adding new features, expanding on old ones, etc), they basically crippled one of their main software suites. I personally believe all of this to be because of pressures from Apple and their departure from the "standard" UI design style, but none of this is really relevant.
I think that if they're going to make these sorts of changes, they may as well drop everything they've already built, create a completely different platform and code base for their products, and start from scratch, like Apple has done. It seems to have revitalized their OS, given the rabid fanboyism that surrounds it, so maybe Microsoft could stand to gain from it, too? It's not as though they have anything to lose; people will continue to buy their software regardless, if Windows ME and Vista are any indication.
Screw the rules, I have green hair!
Thank god I use Internet Explorer.
I'm just waiting for 9.50 to finally come out of beta...
Emerald Astrology
highest marketshare browser buys 2nd highest marketshare browser. Yeah the feds are gonna like that.
No vulnerabilities, no security issues. Just plain and simple. I'm going back to using Mosaic! http://browsers.evolt.org/?mosaic-ncsa/
Why?
Good, inexpensive web hosting
Because 1and1.com hosting does not have a very good reputation and you have just associated yourself with them through an endorsement. Do a Google search for 1and1.com sucks. Most of the 5,330 results are not happy with 1and1.com and I also think they suck. I have gone with a different hosting service because I had problems with them. That is why. My new hosting service is great, but I will not prostitute myself for them in forums.
It does not allow directory browsing in general; it allows directory browsing in
C:\Program Files\Mozilla Firefox\...
There is almost no data in there other than default settings.
Your private settings and cookies are in the user directory
C:\Documents And Settings\...
A wise person once said to me: "When Coke and Pepsi fight, who loses? Royal Crown."
When #1 and #2 fight, invariably #3 loses.
--JoeProgram Intellivision!
As if the Feds actually know what a browser is. I can just hear Ted Stevens now: "So, is it like a little window where you can look in the tube? Can I see the internet I sent to Bob Dole yesterday in the window?"
Oh indeed; and once it uses Webkit natively (instead of backporting Webkit changes into KHTML) it'll be even better and faster. The problem with Konqueror is the user interface; it lacks a lot of features I take for granted, like combining multiple downloads into one window and session saving/restoring functionality, but also it has way too many options, and there's just no integration between it and my desktop (no surprise, it's KDE and I'm not).
I seriously think that Webkit will change all of this and make me a happier person. Already I can run Gtk+-Webkit browsers, although the ones I've played with so far are far from stable.
Look out!
So you don't like them. Fine. Don't use them. I'm quite happy with them and if I can get an occasional commission by pointing somebody their way, why shouldn't I?
The threat of exploitation (with consequences) is what MOTIVATES developers to fix it. Security by obscurity is not just common due to ignorance; it's also cheap and easy. Lack of threat causes exploits to go unfixed until it is convenient (months, major releases, never...)
Open source by its nature will make exploits more public; telling an open source development team tends to be a public process or at least open enough that a hacker could join up if the forum, bug db, or maillog searches don't provide enough information.
Democracy Now! - uncensored, anti-establishment news
Why do people have pages with a black background and white text? It makes my eyes bleed!! And even worse, TFA also has a section with a white background and black text.
I never read pages like that.
Reply to cancel erroneous moderation
Never, EVER use W3Schools as a definitive source for browser stats. It even says right on that very page that their results are from their own logs and not representative of the internet at large.
You invalidate your entire argument when you quote W3Schools as a source.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
> If you're going to talk shit, at least talk shit about current software.
:]
Would this be a good time to bring up all those recent ActiveX flaws, then?
Anyhow, it's been ages since I've seen any Firefox flaw that couldn't be mitigated by NoScript, which I use constantly with the minimum permissions I can manage.
Because of the reason the grandparent post pointed out: it lowers your credibility. Both in that someone might try them due to your recommendation and get burned, or that they've been burned in the past and think "hey, this guy actually likes them? anything else he likes is probably just as bad"
As someone who got burned by them (had to threaten legal action to get them to stop demanding money and actually cancel my 'free' account), I know I wouldn't trust someone vouching for them. It's not like how some people got crappy Xbox 360s that died in a few hours and some people got perfectly fine ones; with 1and1 it's more that some people get fucked over intentionally and hard, and others just haven't gotten there yet.
Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management. -TheMaxx
You got me there, I wasn't very confident in my fingerpointing, and it turns out I was dead wrong. Thanks for the correction, I responded far too hastily to an AC's inflammatory remarks, and just ended up being just as inflammatory and devoid of content as the GP. Apologies to Billy G.
Well, if you had a bad experience, I'm sorry. I've had nothing but good luck with them as have several of my friends.
Microsoft products are getting better. Deal with it. Quit living in the past.
Do you mean like Vista being unable to copy files (unless you have thousands of years to spare?), Vista's inability to restore its own backups (something I've also experienced first hand), FSX all but killing 3rd party development by providing a buggy, ever-changing moving target as a release platform?
The reality is IE6 was so bad and so many people complained that MS had to respond in some way. IE7 incorporating tabs and a few new security features 3 years after other browsers added them is nothing to be bragging about.
Do you print your slashdot posts and take them to MS interviews or do you just show your MS boss your posts once a week?
By the way, I'm no Firefox apologist. I believe Firefox lost the plot long ago - forced upgrades combined with incompatible extensions, security vulnerabilities, an inability to diagnose virii and spyware that target Firefox. The only conclusion that anyone can come to is that the software industry is a mess. Buggy releases and insecure applications are the norm. In exchange for features we'll never use, glitzy interfaces that are inefficient and make no sense, and DRM we're told makes a computer "trusted" when in reality it's designed to police everything we do, legal or not, we get ever increasingly complex software that can't get core functionality right.
Trying to pick which browser is best under these circumstances is like 3 rednecks sitting around beer in hand trying to pick which pig is best in a horse race. Hell HTML and scripting is so badly screwed up that to complete the analogy the race track is made of quicksand and rotten cheese.
These posts express my own personal views, not those of my employer
>Microsoft products are getting better. Deal with it. Quit living in the past.
Vista.
You could use Opera or Konqueror instead...
You are absolutely correct. Adblock works by checking externally referenced content against a black list. This works because most ads these days are built with copy and paste html that a web developer just sticks into the page somewhere, either in an iframe or with javascript includes. Advertisers do this because it makes it very easy for any webmaster to stick an ad on their page, and it makes it easy for them to monitor how many ads have been displayed and where.
However, this method of blocking ads is easy to circumvent with server side scripting. All you have to do is write a script that fetches the content and images from the advertiser's servers and serves it as if it were coming from your site. It only takes 3 lines of php. Once this is done, the entire premise behind adblock will cease to work.
This technique is uncommon because it makes it slightly more difficult for webmasters to stick an ad on their page and it makes it more difficult for advertisers to track their ads. Distrowatch is the only site that I am aware of that uses a technique like this to display its ads: they are obviously aware of the fact that many of their users also use adblock. The only reason that ads like this have not become common is that adblock itself is uncommon. To be quite honest, it surprises me that slashdot doesn't do this. But don't worry, if adblock gains a wide user base, it will be circumvented overnight.
weirdest thing I ever saw: scientology advertising on slashdot.
I fixed that by adding the DWORD value "IconsVisible" set to 0x00000001(1) to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\InstallInfo
Firefox seems to place that value at the "FIREFOX.EXE" key, but if you compare it to Internet Explorer's entries, it appears it properly belongs in the "InstallInfo" key.
Anyway, that puts it on my menu, and I suspect it will put it on yours.
I really should send that tip off to bugzilla so they can fix it in the next release.
--
Toro
I thought Mozilla and other projects kept the real public resources (like the bug db) under some limited access, where relevant (exploitable) bugs tend to be locked-down until the fix is released. I don't say it's simple to join an inner circle through some social engineering, but it will and should be harder than just signing up in a form.
According to my service's traffic, about 40% of IE users still use IE6. And the most recent NetApplications survey agrees (43% of IE usage).
I speculate that IE6 usage is so high because many corporate web services require IE6 - Microsoft's upgrade to IE7 caught many foolish IT department owners by complete surprise, despite IE7's very long and public gestation period.
Furthermore, IE6 is still supported by Microsoft. It is not "obsolete".
While you're right this shouldn't be about IE, you're wrong that IE6 is living in the past.
My company has enterprise customers still using IE6 across the entire organization. For us the past is now, dealing with terrible CSS hacks, Javascript incompatibilities, and old win2k computers that can't handle larger data sets in a browser with any speed.
Welcome to the future; it is sooo 2002.
the only reason they are getting better is because they can't get any worse :)
What a fool believes, he sees, no wise man has the power to reason away.
Firefox runs on more than just Windows so who cares what Task Manager says. I'm more interested in what "top" would have to say.
Run Firefox/thunderbird as a different user.
- xhost +localhost
- kdesu -u webuser -c /usr/local/firefox/firefox
Not perfect, but gives you the ability to protect your home directory.
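One way to script the separate-account approach from the post above, as an added example rather than the poster's own setup: it grants display access to that one account (rather than to every local process, which is what xhost +localhost does), refuses to run as root or as the account already at the keyboard, and revokes the grant again when the browser exits. The account name "webuser", the binary path and kdesu are taken from the post; the SI:localuser form of xhost entry is assumed to be honoured by the X server, and nothing here is verified against a real installation.

```shell
#!/bin/sh
# Added example: launch a browser under a dedicated unprivileged account so a
# browser-side file read cannot reach the invoking user's home directory.
# Assumptions (not verified against any real system): the local account
# "webuser", the binary /usr/local/firefox/firefox and the kdesu tool are as
# in the post above; the X server must honour "SI:localuser:" access entries.

BROWSER_USER="${BROWSER_USER:-webuser}"
BROWSER_BIN="${BROWSER_BIN:-/usr/local/firefox/firefox}"

# xhost entry that admits exactly one local account. "xhost +localhost" would
# instead admit every process of every local user to the display.
xhost_entry() {
    printf 'SI:localuser:%s' "$1"
}

# Refuse targets that defeat the purpose: an empty name, root, or the account
# that is already logged in at the keyboard.
check_target_user() {
    target="$1"
    [ -n "$target" ] || return 1
    [ "$target" != "root" ] || return 1
    [ "$target" != "$(id -un)" ] || return 1
    return 0
}

# Command line in the form the post uses (kdesu -u USER -c COMMAND).
build_launch_cmd() {
    printf 'kdesu -u %s -c %s' "$1" "$2"
}

# Grant display access, run the browser, and revoke the grant on any exit.
launch_browser() {
    user="$1"
    bin="$2"
    check_target_user "$user" || { echo "refusing to run as '$user'" >&2; return 1; }
    [ -x "$bin" ] || { echo "browser binary not found: $bin" >&2; return 1; }
    entry="$(xhost_entry "$user")"
    xhost "+$entry" >/dev/null || return 1
    # Revoke the per-user grant whether the browser exits cleanly or not.
    trap 'xhost "-$entry" >/dev/null' EXIT INT TERM
    kdesu -u "$user" -c "$bin"
}

# Only launch when invoked with --run, so the functions can be sourced or tested alone.
if [ "${1:-}" = "--run" ]; then
    launch_browser "$BROWSER_USER" "$BROWSER_BIN"
fi
```

Invoke as `sh run-browser.sh --run` (the file name is a placeholder); `xhost` output is discarded so the only visible result is the browser window or an error line.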
boycott slashdot February 10th - 17th check out: altSlashdot.org
All right, so this is the deal, I wake up, check on slashdot and I find only utter BS.
A news story about a "serious" vulnerability in firefox 2.0.0.12, well, the vulnerability doesn't affect only 2.0.0.12, it is not serious AT ALL, some moron tagged it haha. And this idiot on the parent post got +4 insightful.
What the hell is happening to slashdot? Is it becoming a frigging tabloid? I am growing tired of BS like this. I am relieved I didn't see any opera troll post getting mod points else I would explode, come on slashdot! You can do better than that.
It is surprising that one is not able to disable JS on a per-site basis by default. However, I have written to Firefox for years about a feature called security profiles which would allow the user to specify on a per-site basis not only whether JS should run, but whether applets should run, and a large number of options and settings. Sites could then be placed into one of these profiles. The idea has been ignored by Firefox even though it would give more control to the user, and they used the tacky excuse to use user profiles, which would be terribly inconvenient, involving launching a separate browser for each set of security settings and keeping track of which is which. Between this and Firefox's outrageous memory leaks, I am not impressed.
Depends.
Firefox extensions (Like the oh-so-important NoScript and AdBlock Plus, or the must-have for every
On the other hand, web-browser plugins (like Adobe Macromedia Flash, Sun Java, etc.) are binary code in dynamically linked libraries (DLL or SO depending on what's standard on your OS). That's why there are really serious portability problems with closed-source companies providing plugins compiled only for a handful of operating systems (often without 64-bit support).
There are two strategies:
- most of the time open-source projects use very light libraries which obtain the parameters from Firefox and launch a player in a separate process that gets its output embedded inside the page display (mplayer's plugin just launches a separate mplayer session, gnash's plugin runs gtk-gnash to open the flash movie, webgcjplugin compiles and runs the java applet using gcj, moz-plugger is a universal embedder, etc...)
- whereas most of the proprietary projects try to cram everything inside a huge DLL that runs inside Firefox's own process (Macromedia Flash, Acrobat Reader {BTW who does still use that piece of junk}, etc.)
The Javascript extensions play some role because the javascript engine of current Firefox isn't very fast (hopefully the integration of the Tamarin VM in some future version will help). If a user has way too many of them, the Firefox experience can become slow. But most of the time, the extensions are event-driven: they usually add entries in the main menu and the javascripts are only executed when the user clicks the entry.
The other problem comes with memory leaks.
- Javascript extensions, because they are only run on demand and because of the garbage collector, aren't subject to many leaks. But anyway really badly written code can actually degrade Firefox performance and eat up memory.
- Dynamically linked web browser plugins are a completely different animal: because they run inside the browser process (at least, not the open-source ones, which only launch an external process), if they leak memory, the whole Firefox process will get its memory usage up and will only free the memory when the whole program is exited. Also, Firefox isn't heavily multi-threaded and if some plugin freezes the whole program gets unresponsive (I've had some awful experiences with Acrobat and older versions of Flash). Similarly crashes inside a dynamically linked library will bring down the whole process that called the function, and any exploit discovered inside Flash can be used against Firefox itself.
I strongly suspect that most of the memory leaks reported by users are actually due to browser plugins, because I haven't experienced any leaks even if I use several extensions, whereas I don't run closed proprietary browser plugins at all (mplayer and gnash only!) because of the awful experience with Acrobat and Flash.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Do a Google search for 1and1.com sucks. Most 5,330 results are not happy with 1and1.com and I also think they suck.
I don't care either way, but Google has 11,000 hits for 1and1.com rocks. Just to show that your metric is pretty useless.
"When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
fair enough, how about a different survey.
http://upsdell.com/BrowserNews/stat.htm
it also warns against taking the numbers as verbatim but it is using 5 sources. this is a problem with browser market share. how can you tell a good survey? how can you correct for browsers reporting as something else?
the numbers from this site aren't much different than the other survey. what do you work at? how often do you see ie6? hell i've seen ie4 and ie5 in the past month on old servers. within the last 18 months i've seen win3.1 on a laptop. those are exceptions but ie6 is still very very common.
Actually I'm glad I can't see it. Just more bandwidth eating crap that I don't want to see to clog up my day and my tubes.
And use Opera instead? Opera hasn't had a serious vulnerability in over 7 years.
I would agree if a company has a poor security record. On the other hand, Mozilla fixes security bugs faster than the other major browser makers. They also fix bugs that were not publicly known with nearly every release. What makes you think they need the motivation of having the exploit publicly exposed immediately after the release? It looks like 0x000000 is just looking for attention, not altruistically helping to increase security. If he wanted to do that, he should have discussed the problem (even publicly) before the release, or filed a private security bug report after the release. If he reported the problem weeks ago, and a new release came out without the fix, then it might make sense to blab about the problem.
Actually, it's not available for OS X. This is actually a good thing. When I'd complain about Firefox/Safari compatibility to certain webmasters - not the guy from "Bob's House of Flash Cartoons" but ones I actually cared about, like my online banking - the canned response would be for me to "upgrade to Internet Explorer". Now that MS has officially EOLed IE for Mac, they actually have to deal with the problem. Thanks, MS!
Dewey, what part of this looks like authorities should be involved?
Right as i opened this story, firefox asked me if I would like to complete this update's installation by restarting firefox. I'm not restarting until they fix it.
Come on guys. Anyone with any sense will realize that the file it's actually reading is pre-included with all Firefox installs; it does not contain any user data, only the predefined defaults, which are totally worthless because you can even read them from the online Mozilla repository.
I fail to see how useless default settings apply as a security risk when there is no confidential user material being read. So inaccurate.
FYI, Opera works great under Linux. And as I saw in a previous post, it has a "noscript" built-in
Also, web developers would have to make their sites work properly with javascript turned off. Some sites do this already, but not enough, including some which supposedly take accessibility seriously. JS should *enhance* usability of a site, not be absolutely required for it to work at all.
Slashdot needs an implementation of Godwin's Law that shuts down a thread the first time Microsoft is mentioned and the topic is something that involves neither Microsoft nor any of its products.
Thankfully, that would have put this thread out of our misery almost immediately, with no one any less informed as a result.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
I like w3m well enough, but I'm still a fan of lynx for many things... lynx doesn't make much effort to do graphical layout, all of the content is just linearized, and presented one piece at a time. This means that typically there will be several screens of cruft you need to page down through to get to the main body of text, but it also means that the "designer" can't dictate how you're going to use your screen real estate.
(Also, it doesn't leak like a sieve and crash all the time: I can open up a lynx window showing a long document, and it will still be there a month later after four Firefox 1.x crashes or thirty Firefox 2.x crashes. But then, w3m is pretty much the same as far as that goes.)
Tis true, if you're looking for emacs integration, the w3m world is much better -- I've been living without for a while, myself (I had some random set-up hassle I didn't feel like figuring out.)
If that was true then John Edwards would be ahead of Hillary and Obama.
Erm... How is that? When Hillary Clinton and Barack Obama fought (#1 and #2), John Edwards lost (#3).
It's very hard to find out when you reply if you're Anonymous; in general I don't know that they're there.
In any case, I run Opera reluctantly at the moment because it's the only browser I can get to work (due to a temporary problem). Its attempts to integrate into the desktop are so bad that I won't even credit it with a criticism; pretty much everything to do with look, feel or behavior needs changing aside from the very basic fundamentals (like putting "Cut" in the "Edit" menu — they do get some things right). It is even abnormal and strange under Windows — if they can't be bothered caring about their major platform, there is simply no chance of them pretending about minor ones.
The point you should also look at is that Opera, as a company, has had a stellar record in fixing holes once they have been discovered. I don't think I have seen a better response time for any software product.
.. paranoid crackpot leftover from the days of Amiga.
Wow, I get knocked down to 0 by a "-1 Overrated" for pointing out an obvious factual error in a smart-assed post. Brilliant use of mod points!
This is a hacked account, for which the owner can not be held responsible.
...only, while I was typing it in Firefox, suddenly the focus of the textbox changed when I pressed the apostrophe key, then I hit delete and it sent me back 4 pages. Also does anyone know what "virtual memory" is? I seemed to have run out of it.
Do you remember before the browser wars, when Netscape was the big, bloated dominant player and Internet Explorer was the fast and light competitor which needed to prove itself?
No. I remember keeping an old Netscape 4.7 for a long time, because IE sucked big time. When they finally got around to make a moderately usable IE 6.0, Firefox was getting close to stable.
When was this fast and light Internet Explorer you're talking about?
Yes, x64 processors (AMD64, Intel EM64T, VIA's newest superscalar low-power) *CAN* run IA-32 instructions.
*BUT* you can run both inside the same process without using a translation layer.
A 32-bit application cannot directly call 64-bit functions in a dynamically linked library (for example, it won't be able to understand the returned pointers).
A 64-bit application cannot directly call 32-bit functions in a dynamically linked library (for example, it could request pointers that are outside the library's range).
That's why on most Linux installations, in addition to the basic libraries (all the packages ending in "lib" like SDL-lib), when installing in a mixed environment you also install special compatibility layers (all the packages ending in "-32bits") which basically are the necessary bindings and translation layers needed to call the native 64-bit libraries from within 32-bit applications. On Windows 64 there's a similar thing called WoW64 (Windows on Windows64).
Also the reverse exists too: translation libraries made to run 32-bit browser plugins inside a 64-bit Firefox - nspluginwrapper.
Anyway most open-source browser plugins use only a thin layer that basically only serves as a launcher which will start an external player in a separate process and redirect the output inside the rendered page. You could mix whatever architectures you want (as long as they are supported by the CPU and Linux); they run in separate processes, each with its own memory model.
Flash works on your 64-bit Linux installation because, most probably, your distribution automatically downgrades Firefox to 32-bit if you select to install Flash, RealPlayer, Java, etc. It works flawlessly (I mean on Macromedia Flash's scale of flawlessness, i.e. it has the same frequency of freezes and crashes as a regular 32-bit installation) only because the whole Firefox stack is running in 32-bit (which is possible thanks to the 32-bit compatibility layer) and there are no problems with mixed architectures between the browser plugins and the browser itself.
But have a look at your browser's About box; I'm pretty sure your browser is running in 32-bit mode and not 64-bit native.
Unless recent distributions have started shipping nspluginwrapper as standard (openSUSE 10.3 has not yet).
Or unless, all of a sudden, Adobe decided to release a 64-bit version of their software - which they hadn't a couple of months ago when I last checked and which I seriously doubt they'll ever do.
I personally prefer running Firefox in native 64-bit mode. Anyway MPlayer's browser plugin is much better than any proprietary video player. And gnash is sufficient for me for the rare couple of times I need flash (some websites use flash instead of <h#> tags to display titles). For video, I prefer using UnPlug and SaveTube and opening the video in an external player, rather than using flash video players.
Of course I don't have the typical flash usage that the average user may have and that's why most
Being NICE is making the problems known; it's nice icing on the cake to have them bend to your opinions on etiquette.
If a VOLUNTEER gets a kick out of finding bugs when you don't like it, that floats their boat and that is what matters. The GOAL is better code.
This is the sort of off-topic office politics that weakens projects, etc.
Take it like a student - they have to do work and be criticized when the thing is completed.