Serious Vulnerability In Firefox 2.0.0.12
Oh, Not Now writes "Mozilla Firefox 2.0.0.12, mere hours old, is vulnerable by default to a directory traversal trick, via the view-source mechanism. Although mitigated by the NoScript plug-in, this is quite a serious bug — the default installation is vulnerable from the get-go."
Good thing I just read this, I was in the middle of downloading that version :0
:)
What we can count on is that this bug will be fixed in a few days... maybe even hours, unlike all those Microsoft vulnerabilities that have taken months to fix
First post :
LOLZ. Somebody, quick, explain how the evil M$ is responsible for this!!
...buggy Firefox overlords. Or is that joke getting really, really, really old now?
Just before I opened this session, I had upgraded.
Oh, well, just one more unlocked door in the grass hut I call a computer.
Is it just my observation, or are there way too many stupid people in the world?
I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
Why isn't NoScript just a mandatory extension at this point? It seems like it would be pretty unobtrusive with default settings at a slightly reduced paranoia level.
Insert self-referential sig here.
Maybe microsoft should have looked into mozilla instead of yahoo...
well that tears it.... the apocalypse is nigh!
Yes this is not good BUT! It will only take them hours or a day at most to patch it.. You IE-6 users waited for months if not Years and then the only reason M$ released patches and tried to act like they were really supporting their users was because they were starting to get Serious competition again.. Don't believe me? just Google it.
I've been using Iceweasel because the flash problems in Konqueror were driving me nuts. You don't realize how much flash is on the web until it stops working.
Hopefully the Firefox 3 beta is not affected by this, that's what I've been running since Beta 2 came out. Anyone know?
If I had one dollar for every brain you don't have, I would have $1.
's much better :-)
Less bugs, more enjoyment.
Heh :-)
If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
Must be Microsofts/Googles/Apples/SCO's fault. Delete as applicable.
It makes me happy that this type of vulnerability is what we call serious these days. If you remember, just a couple of years ago microsoft was downplaying the WMF vulnerability. It was not considered "critical" because the target needed to manually visit a malicious website for the attacker to take over the target machine.
:-)
While this is a really neat find, and I am glad that it will be patched pretty soon, I don't think it is quite at the level of "sky falling" etc. From what I understand, an attacker that can execute javascript in your browser has the ability to read any file in the target's mozilla directory. The worst that I think an attacker could do would be to grab your stored password file. While this is definitely something to be concerned about, the headline had me pretty worried.
Would that be why I caught a trojan right after installing that version and browsing sites of questionable trustworthiness?
You just got troll'd!
Does anyone still think that it's a good idea to permanently store your passwords in your browser?
I use "Internet Explorer version 7.0" from a company called "Microsoft Corporation". I would recommend trying it out.
It seems to render most web pages accurately and is moderately fast. Yes, I know, it IS slower and uses WAY more memory than the two other dominant browsers (Firefox and Opera), but the company does seem to have a lot of programmers working for it, has been in business for a while, and seems to have some staying power. The company's CEO, a man by the name of "Bill Gates" seems to have his wits about him and seems to have invented a good thing here. I urge people to try it out. The only thing is, that the browser only seems to be available for a small number of available Operating Systems.... namely "Microsoft Windows" and also a small number of "Macintosh OS Ten"... and doesn't seem to be available for the mainline Linux OS, but perhaps they are working on it.
TDz.
Where do you have to go that needs flash? I specifically use 64-bit Epiphany without flash so I don't have that load for the minor benefits. It's chiefly used for advertising, as far as I have observed, and video. For video, it's not that hard to fire up 32-bit firefox with flash when I do want to watch them. Why do you need flash so?
Well, bug and bug. Short story for those that don't know: Macromedia released a new version (r115) that relied on some functionality currently only in Firefox, but not in typical versions of Konqueror or release versions of Opera. This broke all the distros, including all old supported distros because Macromedia doesn't let repositories host old versions. Last I checked the possible solution was a big backport. Development versions of Konqueror (for hardy heron in my case) and Opera 9.5 support it, but this is quite simply forced obsolescence on Macromedia's part.
Live today, because you never know what tomorrow brings
Is Firefox 3 Beta 2 also vulnerable to this exploit?
The file they're reading from in TFA (all.js) contains a portion of the default Firefox preferences, not your current settings. There may be other ways to exploit this problem, and web pages definitely shouldn't be allowed to read any file from your computer, but the proof of concept isn't as bad as they say it is. The majority of your personal information is in your profile directory (under Application Data on Windows), not the program directory.
There are quite a few corporate sites which incorporate flash to "enhance" their site, and there are some sites which won't even let you in unless you pass the flash-only home page. If you don't have flash, they don't want your business. (At least, that seems to be the opinion of the web IT staff, I haven't contacted corporate to see if they agree with that assessment). As for examples, Bath & Body Works used to be that way (I emailed them, they are no longer flash-limited...I don't believe those two things are linked, though). Rainforest Cafe is another. BBW didn't get my business back then, and Rainforest missed out on a dinner guest recently - I couldn't find their location, and couldn't use my mobile browser to get to their page. Will they care that they probably lost less than $100, of course not. But it certainly would have been nice if they wouldn't have had a "no flash, no service" sign out front.
Is it just my observation, or are there way too many stupid people in the world?
Doesn't look like a vulnerability to me. So it can read files in /usr/lib/firefox, but those are just the standard files from the firefox package. User configuration and stored passwords etc are not stored there... It still can't get to $HOME/.mozilla...
--- Hindsight is 20/20, but walking backwards is not the answer.
I'm confused, how is this a serious security problem? All it allows is reading files from the Firefox application directory, which isn't exactly sensitive data, since you can get the exact same files from just downloading Firefox from Mozilla's website. Your prefs, passwords, etc. are stored in your Firefox profile, which lives outside the Firefox application directory, so they *are not* accessible via this trick.
I literally just switched to Firefox yesterday from Opera, but even with this bad news, I'm going to stick with Firefox. Extensions are just too good a feature in a browser.
WINDOWS program vulnerability? Sure looks like it. Why isn't this made clear in the headline or summary then? How about the microsoft/mozilla stealth alliance make TWO names for the two different programs, or would that be giving away the crown jewel secret that's been hiding in plain sight even larger and more blatantly than the old SCO Microsoft stalking horse? How many times do we have to see a windows vulnerability ascribed to the entire mozilla package called "firefox" on an alarmist headline? Is it really so hard to rename the linux version to something else? Oh it is? "Too confusing" even though they really are two different programs? OK, then maybe could the article submitter or editor append the word windows or Microsoft to the headline to differentiate it? Call it by its real name, which is the Microsoft Windows Mozilla Firefox Browser version whatever, then go on to outline the new vulnerability.
You can install KMplayer to get around it. It takes a few more steps than normal, but it works (and from my subjective experience is much faster running than the normal nspluginviewer way). Here are instructions for doing it: http://mikearthur.co.uk/?p=171
gre is constant data. This report is FUD.
Firefox is open source; anyone who wants to view view-source:resource:///greprefs/all.js can just as easily load http://mxr.mozilla.org/mozilla1.8/source/modules/libpref/src/init/all.js?raw=1 it has the same content.
all.js is *not* user data, it's *public* app data. Your preferences are stored in prefs.js which are not exposed by greprefs.
Each and every one of those makes me think even more highly of them. While the page you link to tries to cast them in an evil light, most are States Rights issues. He just wants the Feds to stay out of it.
Seriously, this title should be changed now (get rid of "Serious"), and a "!serious" tag added. The author of the article is an asshole who just waited for this release to fear monger and gain some attention. This bug exists in previous versions, this is not a new issue. The fact is, 2.0.0.12 fixes issues from previous issues, and does NOT introduce this "new" bug.
You should still upgrade. You are already vulnerable to this "attack" without it, but you can at least gain some new fixes for other issues.
You know, we're trying to promote open source software. To scream that firefox has a "serious vulnerability" when it in fact doesn't is IT treason.
Doesn't matter what browser you run, if you let anyone execute whatever code they want on your own machine via your browser it's the equivalent of running that trojan.exe you just downloaded from Messenger.
Is there a NoScript for IE 7 and Opera?
How come when there's a security hole in an MS product it gets the 'haha' tag, but if it's an OSS project it doesn't?
lol, serious stuff
300: file:///C:/Program%20Files/Mozilla%20Firefox/
or not
Unfortunately, too many sites use it for navigation and crap like that. The wire image viewers for most major newspapers use it. Embedded media in various blogs, etc.
It uses a lot of memory at times for me personally, but well within reason. 200mb max (4-6+ hour session) with 2gigs RAM. Not wholly unreasonable. I seem to recall, tho certainly can't say definitively, never seeing it top 80mb on another box I have with 512mb.
I've been using Noscript for a while now, and personally it hasn't really affected my peak memory usage for better or worse. I also have constant access to CPU/Memory usage percentages through my G-15 keyboard's display, so I tend to keep an eye on that more than most people.
I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
Thanks to the OP. Just (less than 5 minutes) before I read the article, I'd upgraded to the latest version of Firefox. NoScript is now installed.
linquendum tondere
Something else weird that happened to me when I upgraded:
I've got Firefox as my default browser on XP, and after the upgrade to 2.0.0.12, all of a sudden IE showed up as my browser at the top of my Start menu. When I went into the control panel to "set program access and defaults", Firefox doesn't even show up as an option. WTF?
It's still installed, as it's in the programs folder, and it runs fine....also doesn't ask me if I need to set it as default, so it still is, but Windows has completely lost the fact that it's a browser.
Anybody else have this happen?
"City hall" in German is "Rathaus" Kinda explains a few things......
Are you seriously asking this question?
Are you at all surprised that, here on /., security vulnerabilities in MS products are always much more severe and worthy of ridicule than those in open source products?
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
As a web developer I thought this meant MY web server directory - maybe it does? Sounds more like the directories on the client. I guess in any case it's windows based - but perhaps autoupdate should be turned off on all OSes.
I thought it was a good idea
No vulnerabilities have been shown.
The "PoC" lists only the user's DEFAULTs. Every Firefox installation has the same fucking defaults, and they are no secret.
There is no directory traversal vulnerability either; you can only load the DEFAULT INSTALLED FILES, which are the same for all fucking users, and are obviously no secret.
This isn't a problem just with Firefox, but with all full browsers today (the various midget text-mode ones excluded).
Any non-trivial program contains bugs and vulnerabilities proportional to its size, and the relationship between size and inherent problem-count is probably a lot worse than linear. This is true for all programs and all systems, but it is especially true for monolithic ones, and to a very large extent the main body of modern browsers is quite monolithic. Even the plugins load into the same address space in most cases, although there are exceptions to this in the browser world.
The present situation is not good, and everyone is familiar with the consequences of it: the web browser is by far the most crash-prone of all applications present in our operating systems today.
Is there a solution to this on the horizon? Not at present, because developers in all the most popular programming languages almost always implement monolithic systems (because the languages encourage it and the courses teach it), and are highly averse to extreme modularization. Again, there are exceptions, but they are rare.
We are living in a bit of a Dark Age in this area currently, and I don't foresee any change within the next five years at least.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
If you take a look at what this is doing, there's much less to it than meets the eye.
The way the page works is that it is able to load the file all.js in the greprefs directory inside your firefox installation. However, it is not *reading* this file and making it available to the javascript interpreter, it is *executing* the file. The file is a big list of browser preferences, each set with a call to a function with the signature pref(name, value). There is no code in there other than calls to pref. What the page does is define its own pref(name, value) which gets called, and the names and values are therefore available to the javascript interpreter.
So:
I would additionally point out that the view-source: part of the URI appears to be unnecessary, since at least for me (Ubuntu FF 2.0.0.12) the "exploit" worked just fine without it.
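The mechanism described in the comment above, as an added example that is not part of the original thread or of the proof of concept: a file made only of pref(name, value) calls hands its contents to whichever page defines pref() before including it, while the same data stored as a JSON object does not execute at all. The sample file text and the helper includeAsScript are constructed for illustration, and new Function stands in for a script include.

```javascript
// Constructed sample in the style of greprefs/all.js: nothing but pref() calls.
// The values are illustrative, not copied from a real installation.
const SAMPLE_PREFS_JS = [
  'pref("general.useragent.locale", "en-US");',
  'pref("network.http.max-connections", 24);',
  'pref("javascript.enabled", true);',
].join("\n");

// The same data as a plain JSON object: data, not executable statements.
const SAMPLE_PREFS_JSON = JSON.stringify({
  "general.useragent.locale": "en-US",
  "network.http.max-connections": 24,
  "javascript.enabled": true,
});

// Hypothetical stand-in for a script include: run `source` as script text in
// a scope where the including page has already defined its own pref().
// The includer never reads the file's bytes; it only sees the arguments of
// the calls that the file itself makes.
function includeAsScript(source) {
  const seen = {};
  const pagePref = (name, value) => { seen[name] = value; };
  try {
    new Function("pref", source)(pagePref);
    return { executed: true, leaked: seen };
  } catch (err) {
    // A top-level JSON object parses as a block statement and fails with a
    // SyntaxError before any statement runs, so nothing reaches the includer.
    return { executed: false, leaked: seen, error: err.name };
  }
}

// Script-shaped data: every name/value pair ends up in the page's hands.
console.log(includeAsScript(SAMPLE_PREFS_JS));
// JSON-shaped data: inclusion fails and `leaked` stays empty.
console.log(includeAsScript(SAMPLE_PREFS_JSON));
```

This is why the thread's distinction between all.js (identical for every install) and prefs.js in the profile matters: whatever is reachable in this call-per-line form is readable by the including page.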
hahahahahahahahahahahaha /wipes tear
I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
Indeed,
From TFA: "We can trick Firefox itself in traversing directories back".
but then it says:
"we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory"
Since TFA is not clear, I have tried it myself and I WAS NOT ABLE TO TRAVERSE a directory back with resource:///../
So the only files someone can read with this vuln are the files inside firefox directory which from what I can see are just default files and no cookies or passwords.
If anyone thinks any different please let me know.
If scripts are so unsafe then why does Noscript run scripts too? On top of that Noscript puts itself on a whitelist by default, but it leaves off sites like youtube. That kind of behavior by a plug-in makes no sense unless it can't be trusted.
oh well. it sucked anyway. fucking open source fails where it claims it's strongest. liars and faggots.
Crap. What did the new CSS do with the "Post anonymously" option??
I run my Firefoxes (yup, with "es" ;) in special user accounts, made especially for surfing. My main Firefox (the one I use the most) is run as a user that does nothing else than browsing. Sure, it's a little cumbersome when I d/l files that I need to move to my real account, but I've been running Firefox like that for years and I can't stop LMAO'ing when I read about yet another Firefox vulnerability. Then I've got another special user account, only for another Firefox, to do my GMail/PC Banking. These two Firefox instances are always on, each on a virtual desktop.
Some even go the 'virtual-machine-only-for-browsing' way and I may do that soon (probably using KVM). I know, I know, "virtual machines" perfs sucks (so you think).
So, yup, a nasty person using a Firefox vulnerability could read every single file in Firefox's directory (and subdir), that's what the exploit referred to in TFB (the f*cking blog?) talks about or it could read every single file belonging to the user running the browser: no big deal, that's exactly my point.
I think you mean "Steve Ballmer," as no one named Gates is CEO of Microsoft. Nice try though, and better luck next time!
This is a hacked account, for which the owner can not be held responsible.
Nobody is going to live in a world where javascript isn't enabled in the browser except weirdo slashdot users. Get over it. We live in a world where JS exists. Just get used to it. AND design/patch browsers that aren't vulnerable to attacks using JS.
/rant
Macromedia released a new version (r115)
Actually, Adobe released a new version. Macromedia hasn't existed for a few years now...
... I'd like to say that that is a fantastic idea, and I'll ensure that we acquire Mozilla ASAP.
Enjoy being beaten up by your fellow /.ers.
Thank god I use Internet Explorer.
highest marketshare browser buys 2nd highest marketshare browser. Yeah the feds are gonna like that.
No vulnerabilities, no security issues. Just plain and simple. I'm going back to using Mosaic! http://browsers.evolt.org/?mosaic-ncsa/
It does not allow directory browse, it allows directory browse in
C:\Program Files\Mozilla Firefox\...
There is almost no data in there other than default settings.
Your private settings and cookies are in the user directory
C:\Documents And Settings\...
As if the Feds actually know what a browser is. I can just hear Ted Stevens now: "So, is it like a little window where you can look in the tube? Can I see the internet I sent to Bob Dole yesterday in the window?"
The threat of exploitation (with consequences) is what MOTIVATES developers to fix it. Security by obscurity is not just common due to ignorance, it's also cheap and easy. Lack of threat causes exploits to go unfixed until it is convenient (months, major releases, never...)
Open source by its nature will make exploits more public; Telling an open source development team tends to be a public process or at least open enough that a hacker could join up if the forum, bug db, or maillog searches don't provide enough information.
Democracy Now! - uncensored, anti-establishment news
Why do people have pages with a black background and white text? It makes my eyes bleed!! And even worse, TFA also has a section with a white background and black text.
I never read pages like that.
Reply to cancel erroneous moderation
You are absolutely correct. Adblock works by checking externally referenced content against a black list. This works because most ads these days are built with copy and paste html that a web developer just sticks into the page somewhere, either in an iframe or with javascript includes. Advertisers do this because it makes it very easy for any webmaster to stick an ad on their page, and it makes it easy for them to monitor how many ads have been displayed and where.
However, this method of blocking ads is easy to circumvent with server side scripting. All you have to do is write a script that fetches the content and images from the advertiser's servers and serves it as if it were coming from your site. It only takes 3 lines of php. Once this is done, the entire premise behind adblock will cease to work.
This technique is uncommon because it makes it slightly more difficult for webmasters to stick an ad on their page and it makes it more difficult for advertisers to track their ads. Distrowatch is the only site that I am aware of that uses a technique like this to display its ads: they are obviously aware of the fact that many of their users also use adblock. The only reason that ads like this have not become common is that adblock itself is uncommon. To be quite honest, it surprises me that slashdot doesn't do this. But don't worry, if adblock gains a wide user base, it will be circumvented overnight.
weirdest thing I ever saw: scientology advertising on slashdot.
I fixed that by adding the DWORD value "IconsVisible" set to 0x00000001(1) to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\InstallInfo
Firefox seems to place that value at the "FIREFOX.EXE" key, but if you compare it to Internet Explorer's entries, it appears it properly belongs in the "InstallInfo" key.
Anyway, that puts it on my menu, and I suspect it will put it on yours.
I really should send that tip off to bugzilla so they can fix it in the next release.
--
Toro
I thought Mozilla and other projects kept the real public resources (like the bug db) under some limited access, where relevant (exploitable) bugs tend to be locked-down until the fix is released. I don't say it's simple to join an inner circle through some social engineering, but it will and should be harder than just signing up in a form.
Firefox runs on more than just Windows so who cares what Task Manager says. I'm more interested in what "top" would have to say.
Run Firefox/thunderbird as a different user.
- xhost +localhost
- kdesu -u webuser -c /usr/local/firefox/firefox
Not perfect, but gives you the ability to protect your home directory.
boycott slashdot February 10th - 17th check out: altSlashdot.org
It is surprising that one is not able to disable JS on a per site basis by default. However, I have written firefox for years about a feature called security profiles which would allow the user to specify on a per site basis not only whether JS should run, but whether applets should run and a large number of options and settings. Sites could then be placed into one of these profiles. The idea has been ignored by Firefox even though it would give more control to the user, and used the tacky excuse to use user profiles, but which would be terribly inconvenient, involving launching a separate browser for each set of security settings and keep track of which is which. Between this and Firefox's outrageous memory leaks, I am not impressed.
Depends.
Firefox extensions (Like the oh-so-important NoScript and AdBlock Plus, or the must-have for every
On the other hand, web-browser plugins (like Adobe Macromedia Flash, Sun Java, etc.) are binary code in dynamically linked libraries (DLL or SO depending on what's standard on your OS). That's why there are really serious portability problems with closed source companies providing plugins compiled only for a handful of operating systems (often without 64bits support).
There are two strategies :
- most of the time open-source projects use very light libraries which obtain the parameters from firefox and launch a player in a separate process that gets its output embedded inside the page display (mplayer's plugin just launches a separate mplayer session, gnash' plugin runs gtk-gnash to open the flash movie, webgcjplugin compiles and runs the java applet using gcj, moz-plugger is a universal embedder, etc...)
- whereas most of the proprietary projects try to cram everything inside a huge DLL that runs inside firefox' own process (macromedia flash, acrobat reader {BTW who does still use that piece of junk}, etc.)
The Javascript extensions play some role because the javascript engine of current Firefox isn't very fast (Hopefully the integration of Tamarin VM in some future version will help). If a user has way too many of them, the firefox experience can become slow. But most of the time, the extensions are event-driven: they usually add entries in the main menu and the javascripts are only executed when the user clicks the entry.
The other problem comes with memory leaks.
- Javascript extensions, because they are only run on demand and because of the garbage collector, aren't subject to many leaks. But anyway really badly written code can actually degrade firefox performance and eat up memory.
- Dynamically linked web browser plugins are a completely different animal: because they run inside the browser process (at least, not the open-source ones which only launch an external process) if they leak memory, the whole firefox process will get its memory usage up and will only free the memory when the whole program is exited. Also, firefox isn't heavily multi-threaded and if some plugin freezes the whole program gets unresponsive (I've had some awful experience with acrobat and older versions of flash). Similarly crashes inside a dynamically linked library will bring down the whole process that called the function, and any exploit discovered inside flash can be used against firefox itself.
I strongly suspect that most of the memory leaks reported by users are actually due to browser-plugins, because I haven't experienced any leaks even if I use several extensions, whereas I don't run closed proprietary browser plugins at all (mplayer and gnash only !) because of the awful experience with acrobat and flash.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Actually I'm glad I can't see it. Just more bandwidth eating crap that I don't want to see to clog up my day and my tubes.
And use Opera instead? Opera hasn't had a serious vulnerability in over 7 years.
I would agree if a company has a poor security record. On the other hand, Mozilla fixes security bugs faster than the other major browser makers. They also fix bugs that were not publicly known with nearly every release. What makes you think they need the motivation of having the exploit publicly exposed immediately after the release? It looks like 0x000000 is just looking for attention, not altruistically helping to increase security. If he wanted to do that, he should have discussed the problem (even publicly) before the release, or filed a private security bug report after the release. If he reported the problem weeks ago, and a new release came out without the fix, then it might make sense to blab about the problem.
What a fool believes, he sees, no wise man has the power to reason away.
Actually, it's not available for OS X. This is actually a good thing. When I'd complain about Firefox/Safari compatibility to certain webmasters - not the guy from "Bob's House of Flash Cartoons" but ones I actually cared about, like my online banking - the canned response would be for me to "upgrade to Internet Explorer". Now that MS has officially EOLed IE for Mac, they actually have to deal with the problem. Thanks, MS!
Dewey, what part of this looks like authorities should be involved?
Right as i opened this story, firefox asked me if I would like to complete this update's installation by restarting firefox. I'm not restarting until they fix it.
Come on guys. Anyone with any sense will realize that the file it's actually reading is pre-included with all Firefox installs, it does not contain any user data only the predefined defaults which are totally worthless because you can even read them from the online Mozilla repository.
I fail to see how useless default settings apply as a security risk when there is no confidential user material being read. So inaccurate.
FYI, Opera works great under Linux. And as I saw in a previous post, it has a "noscript" built-in
Also, web developers would have to make their sites work properly with javascript turned off. Some sites do this already, but not enough, including some which supposedly take accessibility seriously. JS should *enhance* usability of a site, not be absolutely required for it to work at all.
Slashdot needs an implementation of Godwin's Law that shuts down a thread the first time Microsoft is mentioned and the topic is something that involves neither Microsoft nor any of its products.
Thankfully, that would have put this thread out of our misery almost immediately, with no one any less informed as a result.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
I like w3m well enough, but I'm still a fan of lynx for many things... lynx doesn't make much effort to do graphical layout, all of the content is just linearized, and presented one piece at a time. This means that typically there will be several screens of cruft you need to page down through to get to the main body of text, but it also means that the "designer" can't dictate how you're going to use your screen real estate.
(Also, it doesn't leak like a sieve and crash all the time: I can open up a lynx window showing a long document, and it will still be there a month later after four Firefox 1.x crashes or thirty Firefox 2.x crashes. But then, w3m is pretty much the same as far as that goes.)
'Tis true, if you're looking for emacs integration, the w3m world is much better -- I've been living without for a while, myself (I had some random set-up hassle I didn't feel like figuring out.)
Wow, I get knocked down to 0 by a "-1 Overrated" for pointing out an obvious factual error in a smart-assed post. Brilliant use of mod points!
This is a hacked account, for which the owner can not be held responsible.
...only, while I was typing it in Firefox, suddenly the focus of the textbox changed when I pressed the apostrophe key, then I hit delete and it sent me back 4 pages. Also does anyone know what "virtual memory" is? I seemed to have run out of it.
Yes, X64 processors (AMD64, Intel EM64T, VIA's newest superscalar low-power) *CAN* run IA32-bits instructions.
*BUT* you can run both inside the same process without using a translation layer.
A 32bits application cannot directly call 64bits functions in a dynamically linked library (for example, it won't be able to understand the returned pointers)
A 64bits application cannot directly call 32bits functions in a dynamically linked library (for example it could request pointers that are outside the library's range.)
That's why on most Linux installations, in addition to the basic libraries (all the packages ending in "lib" like SDL-lib), when installing in a mixed environment you also install special compatibility layers (all the packages ending in "-32bits") which basically are the necessary bindings and translation layers needed to call the native 64bits libraries from within 32bits applications. On Windows 64 there's a similar thing called WoW64 (Windows on Windows64).
Also the reverse exists too: translation libraries made to run 32bits browser plugins inside a 64bits Firefox - nspluginwrapper.
Anyway most opensource browser plugins use only a thin layer that basically only serves as a launcher which will start an external player in a separate process and redirects the output inside the rendered page. You could mix whatever architectures you want (as long as they are supported by the CPU and Linux); they run in separate processes, each with its own memory model.
Flash works on your 64bits Linux installation because, most probably, your distribution automatically downgrades Firefox to 32bits if you select to install Flash, Realplayer, Java, etc. It works flawlessly (I mean on Macromedia Flash's scale of flawlessness, i.e.: has the same frequency of freezes and crashes as a regular 32bits installation), only because the whole Firefox stack is running in 32bits (which is possible thanks to the 32bit compatibility layer) and there's no problems with mixed architectures between the browser plugins and the browser itself.
But have a look at your browser's about box, I'm pretty sure your browser is running in 32bits mode and not 64bits native.
Unless recent distributions have started shipping nspluginwrapper as a standard (openSUSE 10.3 has not yet).
Or unless, all of a sudden, Adobe decided to release a 64bit version of their software - which they didn't a couple of months ago when I last checked and which I seriously doubt they'll ever do.
I personally prefer running Firefox in native 64bits mode. Anyway MPlayer's browser plugin is much better than any proprietary video player. And gnash is sufficient to me for the rare couple of times I need flash (some websites use flash instead of <h#> tags to display titles). For video, I prefer using UnPlug and SaveTube and open the video in an external player, rather than using flash video players.
Of course I don't have the typical flash usage that the average user may have and that's why most
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Being NICE is making the problems known; it's nice icing on the cake to have them bend to your opinions on etiquette.
If a VOLUNTEER gets a kick out of finding bugs when you don't like it, that floats their boat and that is what matters. The GOAL is better code.
This is the sort of off-topic office politics that weakens projects, etc.
Take it like a student - they have to do work and be criticized when the thing is completed.
Democracy Now! - uncensored, anti-establishment news