Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release
Trailrunner7 writes "A month after an advisory was published detailing a new vulnerability in Firefox, Mozilla said it has received exploit code for the flaw and is planning to patch the weakness on March 30 in the next release of Firefox. Mozilla officials said Thursday that the vulnerability, which was disclosed February 18 by Secunia, is a critical flaw that could result in remote code execution on a vulnerable machine. The vulnerability is in version 3.6 of Firefox."
There's a disturbing amount of "Microsoft" in this.
Ok, so, since the summary didn't make this clear and I didn't find any explanation in the article, maybe someone on Slashdot can shed some light on this. What took Mozilla so long? It's a critical vulnerability that allows remote code execution. Why is it taking over a month to fix?
Please correct me if I got my facts wrong.
It's a critical vulnerability that allows remote code execution. Why is it taking over a month to fix?
Answer: Further details available in Customer Area
Just because you run Firefox, you can't relax about malware attacks. Not on Windows anyway. Imagine how quickly an exploit of this type could be integrated into a malware kit, already running on countless compromised sites? No one can relax about buffer/stack smashing, dangling pointers, etc..., until there's a bulletproof safeguard against them built into the OS/processor architecture.
Why are companies so unwilling to micro-patch their software? If Mozilla has a fix NOW, why are they waiting another ~2 weeks to push it out with the next minor upgrade? Just to avoid making users upgrade too often?
RTFA. The fix is already there in beta version of Firefox 3.6.2. They're QA-ing it.
OMFG, it's a critical vulnerability and it takes ONE month for them to fix. Those dogs of redmond... That's the advantage of OS. An open source project would have issued a fix in one day....oh wait...
Are you being intentionally ridiculous?
The fix is in the latest beta release already, that binary is slated to be the release candidate, and if testing goes well, it will be the release.
Nerd rage is the funniest rage.
As someone else already quoted:
Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability
You can already go and download that 3.6.2 beta if you want, I did.
The 'planning' is about the date of 3.6.2's release, not whether or not it will have this fix included.
Because if this was IE, the bug would already be patched in what is a beta release... oh no. IE takes months if not years to patch holes in production releases.
MS fanboys always miss those tiny details for some reason.
Why isn't this a little easier to find on their site???? Search for 3.6.2 and find nothing!
It may already be released. I've had an update pushed through to all my instances of Firefox this week. If not, just over a month is better than some companies' records for getting a fix out.
With a small amount of work you can post from a different IP address every time.
Or it might be a dozen different losers cutting and pasting the same thing.
BTW, a reaction like yours will keep them motivated and posting, thanks ever so much.
Because it is a beta. They don't want to support the people who can't find it on their own.
That's why logs are kept at the ISPs. Get the police involved with the time of the post, and they can identify the people or bots behind it.
With the language the same in every single post, why doesn't slashdot just filter this out to the garbage before it gets posted.
Maybe we should have a "-1 hate crime" mod, and the overlords can determine what to do with it. As it is, I only see myself or other mods pushing it down, thus wasting one of my mod points whereas I can be modding someone "+1 interesting" instead.
There appears to be a critical vulnerability in your logic and why did you not fix it before you posted? Were you not aware of it? Did you not research the problem and preview before submitting a solution? As a result, you created a second and worse vulnerability.
As others have pointed out, there is already a patch and I have looked at it myself.
Which distro would make it easier to update FFox and other apps?
I've used the rpm ones and rpm -Uvh is somewhat easy; repositories are not that immediate though and dependencies are not always simple to resolve.
Ubuntu has well-maintained repositories and apt-search/apt-get makes one's life so easy -- except when you find you can't get the latest FF. I installed the latest one once, only to see it returned to the version present in the official repositories.
And there's always the problem of binary availability... not that compiling is that frightening -- but regarding binaries, it's either Fedora or Debian/Ubuntu.
To further complicate matters, I don't want Gnome...
And what happened to distro-agnostic packaging?
good - wasting time commenting on this stuff keeps them motivated to post.
That said, after reading your comment, I had to see what the fuss was about.. I found it quite amusing really. Well, no less amusing than "installing boyfriend 2.0" or "upgrading girlfriend to wife", or any Irish, Polish, or random celebrity jokes that no-one seems to have a problem with. (I'm not American so I don't have the same 'horror' of the N word BTW, round here it's the C word that's the 'uh-oh' one).
It obviously falls into the "not meant to be taken seriously" category (except by the author perhaps, but then he didn't care - he just cared to push your buttons).
So - ignore it and although it won't go away, you can stop caring about it. *That* is what will rile the poster.
So you can get the untested version now which may or may not fix the vulnerability and potentially botch-up your system. This is better than waiting until March 30th in what way?
Hate crime? I'm sorry, but you are a fucking idiot. It is not illegal to be racist, nor is it illegal to state your hatred of any specific race, gender, age, sexual orientation, religion, etc.
Hiding the patch doesn't really make any sense. I suspect they just didn't want to do the work to make its location more obvious.
hate speech is not a hate crime, it is protected by the US constitution regardless of how distasteful it is.
fortunately for you, being an idiot is also completely legal
They'd rather support people who were exploited because they were running the vulnerable version?
Alternatively, users can download Release Candidate builds of Firefox 3.6.2 which contains the fix from here:
https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/
You are truly pathetic. And I sure as hell hope that you're not living in a Western country. Your attitude has no place in a society that values freedom.
Since you probably don't know this, let me inform you that my mother was a Jewish Ethiopian woman, and my father was from India. My skin is very dark, I have some black and Indian features, I'm Jewish, and I'm a woman. That has caused me to face all sorts of intolerance and prejudice over the years. Unlike you, I have actually endured real racism on many occasions.
However, NOTHING is more important than free expression. Absolutely nothing. Even though I find that post very distasteful, I would never think of preventing anyone from posting it if they wanted to.
It is absolutely sickening to read your post suggesting that somebody else should be muzzled. Censorship is a much greater social offense than racism ever could be.
Express your opinion if you want, but in terms of offensiveness, your post is many times worse than the GP's. We can laugh away racism; we can't laugh away censorship when people like you have taken away our ability to laugh.
Congratulations, you just encouraged it. Twice, and with multiple replies. The moderation system is designed to account for this stuff. It's designed so you just need a single person with a single mod point to mark it as troll or flamebait, cleaning up the comments for others.
The only thing you've said that makes sense is filtering multiple copies of things. Everything else is heavy-handed censorship type stuff. Police involved for being racist? That's excessive.
Just ignore it. It's going to be harder than ever, because you just fed the troll. Do not feed the trolls. But just ignore it. I get a kick out of it every time. "Oh that again, silly retard, no one reads that." But I was wrong - you read it. Ignore it.
Maybe it's a good thing I am Canadian then. We do have laws that do something about this.
http://cnews.canoe.ca/CNEWS/Crime/2010/03/20/13300256-qmi.html
Do you have any evidence of this exploit being used in the wild?
(Of course, I was mostly being a jerk in my previous comment, but it really isn't that shocking that they are following their standard release procedure here)
And why they should use crayons instead of pencils.
With the language the same in every single post, why doesn't slashdot just filter this out to the garbage before it gets posted.
Yes, because no-one would change a word or two in their post or do variations on the spelling. Yay, we get to have another lameness-filter style arms race, that'll improve the quality of the posts.
Maybe we should have a "-1 hate crime" mod, and the overlords can determine what to do with it. As it is, I only see myself or other mods pushing it down, thus wasting one of my mod points whereas I can be modding someone "+1 interesting" instead.
Maybe you should grow a skin and realize that you can't win this kind of pissing contest with griefers.
Seriously, just ignore it.
This very moment, some guy in his mom's basement has his pants down fwapping away to your outrage. You've provided motivation for gods know how many more cut'n'paste trolls, because you provided the kind of hysterical reaction they find so entertaining.
Good job, internet tough guy.
There are serious pros and cons one has to weigh choosing an implementation language for a project on the scale and with the types of requirements that Firefox has. I'm pretty sure your only serious contender in the list was Java and it has significant baggage all of its own. I'll take C/C++; I just wish programmers had a passion for better code in all of its aspects, including the ever present yet most fundamental buffer overflow bugs.
Selah.ca. Pause, and calmly think on that.
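The two posts above (the one about buffer/stack smashing and OS/processor safeguards, and the one about buffer overflow bugs in C/C++) describe the bug class in the abstract. The following is an added illustration, not Firefox code and not the flaw in the Secunia advisory: a hypothetical length-prefixed "name" field copied into a fixed 16-byte stack buffer, once trusting the length byte from the wire and once checking it against both the buffer and the message. The message layout and the NAME_MAX size are assumptions made for the example.

```c
/* Added illustration of a classic length-check bug and its fix.
 * Hypothetical wire format (constructed for this example):
 *   byte 0      = name length n
 *   bytes 1..n  = name bytes
 *   rest        = payload
 * Not Firefox code and not the bug from the advisory discussed above. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed field size, including the NUL */

/* Unchecked: trusts n from the wire. If n >= NAME_MAX the memcpy and the
 * terminator write past `out` (stack smash); if n > msglen - 1 it also
 * reads past the end of `msg`. It behaves perfectly on benign input,
 * which is why QA alone does not catch it. */
int parse_name_unchecked(const uint8_t *msg, size_t msglen, char *out)
{
    if (msglen < 1)
        return -1;
    size_t n = msg[0];
    memcpy(out, msg + 1, n);       /* overflow when n > NAME_MAX - 1 */
    out[n] = '\0';
    return (int)n;
}

/* Checked: rejects any length that does not fit the buffer or the message.
 * Refusing the message is safer than silently truncating the field. */
int parse_name_checked(const uint8_t *msg, size_t msglen, char *out)
{
    if (msglen < 1)
        return -1;
    size_t n = msg[0];
    if (n > NAME_MAX - 1 || n > msglen - 1)
        return -1;
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed messages: a benign one, and one whose length byte (200)
 * exceeds both the 16-byte buffer and the message itself. */
static const uint8_t benign_msg[]  = { 5, 'a', 'l', 'i', 'c', 'e', 0x01, 0x02 };
static const uint8_t hostile_msg[] = { 200, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A' };

/* Wrappers that own the output buffer so a caller can inspect return
 * values without managing the buffer. The unchecked parser is only ever
 * run on the benign message; on the hostile one it would corrupt the frame. */
int demo_unchecked_benign(void)
{
    char name[NAME_MAX];
    return parse_name_unchecked(benign_msg, sizeof benign_msg, name);
}

int demo_checked_benign(void)
{
    char name[NAME_MAX];
    return parse_name_checked(benign_msg, sizeof benign_msg, name);
}

int demo_checked_hostile(void)
{
    char name[NAME_MAX];
    return parse_name_checked(hostile_msg, sizeof hostile_msg, name);
}

int main(void)
{
    char name[NAME_MAX];
    int n;

    n = parse_name_unchecked(benign_msg, sizeof benign_msg, name);
    printf("unchecked, benign: %d (%s)\n", n, name);

    n = parse_name_checked(benign_msg, sizeof benign_msg, name);
    printf("checked, benign:   %d (%s)\n", n, n < 0 ? "rejected" : name);

    n = parse_name_checked(hostile_msg, sizeof hostile_msg, name);
    printf("checked, hostile:  %d (%s)\n", n, n < 0 ? "rejected" : name);

    /* parse_name_unchecked(hostile_msg, ...) is deliberately not called:
     * it would write 200 bytes past `name`. */
    return 0;
}
```

Both parsers return 5 for the benign message, so a test suite built from well-formed inputs cannot tell them apart; only the hostile length byte separates them. Stack protectors, NX and ASLR (the OS/processor safeguards mentioned above) turn the unchecked version's overflow into a crash or make it harder to exploit, but none of them removes the bug; the bounds check does. A memory-safe runtime performs that same check on every array access automatically, which is the "less susceptible to buffer overflow" argument made later in the thread.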
Uhh, no. That story says that the guy was busted for vandalizing buildings, not because he said something hateful. He would have been busted even if he had been tagging "I love Jews" graffiti and the Star of David.
So, yeah, learn to read.
Seeing as how something's already botched up, QA seems like a moot point...
I thought rats got in my computer and ate my SDRAM module, then I discovered it was just FF 3.6. Seriously, anyone else having a huge memory gobbling problem with this?
"But, does it run on Linux?"
Hey, if the damned exploit won't run on Linux, then it's not a real exploit, is it? This kind of thing kinda pisses me off. There are all KINDS of neat software out there that just won't run on Linux. It's definitely not fair. I think it might even be illegal. In today's modern world, no one is supposed to be excluded from anything. Not even nerds!!
How were they going to support them, anyway? Send flowers as a "sorry" gift?
(I'm not American so I don't have the same 'horror' of the N word BTW, round here it's the C word that's the 'uh-oh' one).
Cracker? Communist?
What laws are being broken? Also, President Obama will be going away in 2012.
In other news, several security bigwigs have recommended using IE or Opera until 3.6.2 is released... wait, no... as the faulty product is not from MS, we don't care... keep using FireFox.
Luckily I'm still using IE6.
Though it wasn't presented to me in the EU's browser choice, I was able to prevent any other browser from infecting my system with its buggy code.
It doesn't count until it's publicly released; otherwise the majority of the browsers are still not patched...
Good thing I'm using IE6.
DANGNABIT COMMIES!
I can't believe my first comment got modded down twice as flamebait; Slashdot has really descended technically, apparently, to judge so poorly what is a serious technical comment by someone who has been programming for about thirty years (and who even taught C at the university level and has used C++ extensively in the past, including at IBM Research).
So sad to put a little (and questionable) performance these days ahead of security as well as ease of programming, extendability, and maintainability.
While I agree with the wish that more programmers cared about better code, I also wish most programmers had a passion for better tools. :-)
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
I majored in java (and I really do love java) but I now work in perl. So, certainly, it sounds like you'd be in a better spot to judge what would be the best implementation language. Also just noticed your low uid!
You really think firefox should've been developed in java? I would've thought it would be problematic for that type of project that needed portability, minimal footprint (no jvm), and perhaps lack of an environment that might promote over-engineering?
Like I said, you have the experience, you really think it should've been developed in java even with all of its considerations?
Curious.
Fuck I just upgraded too, like a week or so ago. =\
Yeah, these copypasta trolls are tedious and annoying, but this guy is no worse than the tron fanzine guy, the library shit-eater, and the GNAA's broken Markov chain that posts the goatse links. He's just another retard.
Apart from what the SP says, that doesn't mean that hate speech laws are a good thing. Haven't you heard the saying "sticks and stones may break my bones, but words shall never hurt me"? That sort of post isn't libellous, slanderous, or defamatory, because it wouldn't actually harm anyone's opinion of either a specific black person or black people in general (anyone who would take it seriously would already believe that crap), and there is no measurable harm done by it.
Even hate crime laws are pretty silly IMO. I had this discussion with a local GLBTQ-rights activist a couple of years ago[1], in the context of a series of gay-bashings that had taken place not long before and the proper response to it. Her understanding of the problem was essentially as a public relations problem: people hate GLBTQ people, so let's encourage them to like us, and if they won't we'll punish them for saying so. I saw the problem as a law and order question: people were committing assault and getting away with it, so let's have some more police in the known trouble spots (which were perfectly well known to the general community), because an arbitrary assault[2] for one reason isn't going to hurt any more or less than an arbitrary assault for a different reason. If beating someone up for fun deserves punishment X, it shouldn't matter why you thought it was fun.
To bring this back to your post, if I vandalise your building, it doesn't matter whether I did it because you are Jewish, because of sexual jealousy, because you are short/tall/ugly/good-looking, or just for "teh evulz", and yet hate crime laws say, in effect, that it is more legitimate to victimise someone because they are not from some special category.
[1] I actually support GLBTQ rights and whatnot, I just completely disagree about strategy with the local movement.
[2] By this I mean an assault which is not the result of an argument or motivated by anything practical (such as a mugging or a mob shakedown)
No Linux/x86_64 version is available there...
This post is one serious candidate for removal.
And the least offending part is the word nigger; people should not be enraged by the use of such a word.
The real problem is using common words as racial slurs.
Funny thing, one can read the entire post replacing the word nigger with "car" or "cellphone". It works the same, because all the text is made up anyway...
A lot of these issues are relative to your priorities and also technical change. What does "minimal footprint" mean these days on an eight-core Mac Pro with tens of gigabytes of memory, where most of the memory is used by cached pages of a web browser, not the application itself? There is a value to Firefox being in C++ from the standpoint of it being embedded somehow in other C++ applications (including embedded software) -- although, on the flip side, it makes it difficult to embed it in Java applications (and there are embedded JVMs with small footprints, and you can even compile Java code to run without a JVM). Years ago, when Java was not free-as-in-freedom, it would have been a problematic issue to use Java (and that would have been a tough choice, to plan for the future, making guesses); there were Java browsers, but they were never developed fully (Sun has a widget with limited functionality as part of the Java SDK, and they also had the "HotJava" browser, though that was slow at the time (1994) due probably mostly to JVM issues and also memory limits on older machines).
http://en.wikipedia.org/wiki/HotJava
Many years ago, Lisp with some domain specific languages on it might have been a better choice back then (compiled Lisp can sometimes even be faster than C in some dynamic applications, and many web pages are very dynamic), or a Smalltalk like VisualWorks (though that was commercial, but there was a moment when it was sold for a song, and there was also a moment when Squeak might have become a popular free system). Still, even years ago there were free-as-in-freedom JVMs from other sources that could have been improved as part of the Mozilla effort.
But that is all rewriting history. Mozilla is in C++, and that's what the people who maintain it are most comfortable with.
The issue is that going forward, does security trump some issue of run-time performance or comfort of the maintainers? I'd say yes, security is more important at this point, especially since something like the JVM can also run multiple languages (like Scala or Jython) which allows a diversity of coding styles for add-in modules, and the JVM (as with Android) can be tailored to provide firewalls between different web pages (sort of like Google is doing with Chrome having a different process for every web page). Is Mozilla going to switch to using the JVM at this point? Unlikely. But this does suggest that Firefox's days are numbered... Maybe in years, but still one can see the train at the end of the tunnel. :-) Ultimately, someone could translate the core algorithms of Firefox to something like Java (perhaps even with a one-click tool someday :-), and then for the average desktop user, it would be foolish to use the C++ version because of the security issues. Yes, there would be terrible social issues about forking and so on. Still, Java code can have security issues, as can the JVM, so nothing is going to replace testing and vigilance.
Here is the first Google result right now for a Java Web Browser:
http://lobobrowser.org/java-browser.jsp
"Lobo [download] is an open source web browser that is written completely in Java. Lobo is being actively developed with the aim to fully support HTML 4, Javascript and CSS2. Lobo also supports direct JavaFX rendering. The general goal of the Lobo browser effort is to produce a browser that is fast, complete, easy to extend, feature-rich and secure."
So people are doing it... It's only a matter of time...
As they write there:
"""
Why a Pure Java Browser?
There are a number of advantages to be derived from a browser that is written in Java as opposed to a language compiled into native code, namely:
* Security.- In principle, a Java program is less susceptible to certain types of vulnerabilities such as a buffer overflow attack. Java's security model ca