Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release

Trailrunner7 writes "A month after an advisory was published detailing a new vulnerability in Firefox, Mozilla said it has received exploit code for the flaw and is planning to patch the weakness on March 30 in the next release of Firefox. Mozilla officials said Thursday that the vulnerability, which was disclosed February 18 by Secunia, is a critical flaw that could result in remote code execution on a vulnerable machine. The vulnerability is in version 3.6 of Firefox."

1.5 months for a response and release?!

[carlhaagen]

There's a disturbing amount of "Microsoft" in this.

Re:1.5 months for a response and release?!

[bunratty]

The flaw was disclosed to Mozilla only recently (perhaps just a few days ago), and there is already a patched build available.

Re:1.5 months for a response and release?!

[wizardforce]

Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability.

A fix already exists, it's just not in the official release.

Re:1.5 months for a response and release?!

[masmullin]

RTFS

March 30th.

Re:1.5 months for a response and release?!

[Gadget_Guy]

The flaw was disclosed to Mozilla only recently

Well, we don't actually know when the flaw was disclosed. We only know that it was acknowledged to be disclosed recently, but it could have been a while back. However, I don't have a problem with it taking time to do the find, fix and test. The fix for the bug may have ramifications in other parts of the code, and it takes time to check this.

I think people can be a bit unreasonable with their expectations of patch times.

Re:1.5 months for a response and release?!

1) about:config
2) app.update.channel = beta

And join the beta testers :)

Re:1.5 months for a response and release?!

[daveime]

Welcome to the FOSS bug patching system

Re:1.5 months for a response and release?!

[nschubach]

In actuality, it's more the egoist side of human nature. There is someone, somewhere that would likely fix it and recompile. Whether they can get past this idea that their code is their intellectual property and thus, "Someone will have to pay!" will determine if the world can move past such an ego and continue thinking about more important things than a silly exploit.

Re:1.5 months for a response and release?!

[BrokenHalo]

There is someone, somewhere that would likely fix it and recompile.

If you had taken the trouble to read the fine (and brief) article, you would be aware that the fix is already available in the release candidates.

Re:1.5 months for a response and release?!

[nschubach]

I know this. I really wasn't referring to this exact instance... the daveime was speaking in generalities and I like to believe I was as well.

Re:1.5 months for a response and release?!

[petermgreen]

This seems like a very risky strategy to me. If the vulnerability is already in the wild they should be pushing out the fix ASAP. If it's not in the wild they should be keeping details quiet until they can make a proper release.

Re:1.5 months for a response and release?!

[AmberBlackCat]

I would rather be a realist labeled a troll than be a shill who is labeled "Insightful". I'd like to also point out that if Microsoft followed the same policy Mozilla used with Flash, every time you launched Firefox, a window would pop up saying "this application has been disabled due to security concerns".

Re:1.5 months for a response and release?!

[badkarmadayaccount]

https://bugzilla.mozilla.org/show_bug.cgi?id=552350 Please see this bug if you are running FF 3.6. I have a sneaking suspicion that it's the culprit. I wouldn't mind anyone reproducing it, it's sitting unconfirmed as I reported it.

What kept them?

[RAMMS+EIN]

Ok, so, since the summary didn't make this clear and I didn't find any explanation in the article, maybe someone on Slashdot can shed some light on this. What took Mozilla so long? It's a critical vulnerability that allows remote code execution. Why did is it taking over a month to fix?

Re:What kept them?

[bunratty]

Because the vulnerability was not disclosed to Mozilla at first.

Re:What kept them?

[abhishekupadhya]

Also if this was IE, browser fanboys would take the flamebait oh-so-quickly. Every browser has its own issues. Deal with it.

Re:What kept them?

[NotQuiteReal]

Lynx is pretty secure

Re:What kept them?

[Securityemo]

Well, the code surface area exposed is pretty small, and the code is old and stable, but how do you know? Have you checked, ran a fuzzer against it? (Only half joking. The punchline being, you never do know until you go look.)

Re:What kept them?

[TheLink]

> Lynx is pretty secure

Yeah, no botnet creator in his right mind is going to target lynx.

Re:What kept them?

[csmanoj]

Wow. If only someone added images, javascript and css support (and still kept it secure), I'll dump all these other browsers.

Re:What kept them?

[68kmac]

Lynx is pretty secure

Even Lynx has had security issues. While searching for an example, I found this, which is even better ;-)

Re:What kept them?

[thetoadwarrior]

If it's patched on March 30 then that's just over a month since it was revealed. That's not too bad and better than Microsoft's record as a whole.

No one claims Firefox is perfect (or any browser for that matter) but IE gets more grief because it most certainly has more problems than the rest. If it weren't for competition as well we'd probably still be stuck on IE6 too since MS was quite happy to stop updating IE when they thought they had the market cornered.

So no need to get defensive about an awful browser like IE.

Re:What kept them?

[Anonymous+Brave+Guy]

No one claims Firefox is perfect

Part of the problem with trying to have a sensible discussion on this topic is that so many people do pretty much claim $FOSS_APP is perfect: with enough eyes, all bugs are shallow, yada yada. If a large chunk of your culture and advocacy is based on that sort of foolishness, you're bound to get negative press when inevitably you can't always live up to your own hype.

Even the parent poster seems to be somewhat guilty of this, throwing in a couple of knee-jerk IE bashing responses. Have you actually looked at the security record of IE vs. Firefox in recent versions, particularly the number of vulnerabilities and the time required to get systems in the field patched against them? Firefox still runs all its tabs under the same process, so its fans are hardly in a position to be throwing stones at anyone else over security and reliability.

Re:What kept them?

[Korin43]

Oh my god! Not all of the tabs in the same process! That's the worst security problem I've ever heard of!

Re:What kept them?

[Anonymous+Brave+Guy]

It's a fundamental flaw in the architecture, which allows (at a minimum) any web page to trivially lock up the entire browser, causing the loss of whatever is being done in the other tabs.

Re:What kept them?

[buanzo]

you gotta love that netcraft article from APRIL :)

Further details available in Customer Area

[tepples]

It's a critical vulnerability that allows remote code execution. Why did is it taking over a month to fix?

Answer: Further details available in Customer Area

Re:Further details available in Customer Area

Regardless of your stance on full disclosure, disclosure in return for payment seems to be little more than extortion. I'm going to blame this one on secunia.

So this just shows, that you can't relax.

[Securityemo]

Just because you run Firefox, you can't relax about malware attacks. Not on Windows anyway. Imagine how quickly an exploit of this type could be integrated into a malware kit, already running on countless compromised sites? No one can relax about buffer/stack smashing, dangling pointers, etc..., until there's a bulletproof safeguard against them built into the OS/processor architecture.

Re:So this just shows, that you can't relax.

[causality]

Just because you run Firefox, you can't relax about malware attacks. Not on Windows anyway. Imagine how quickly an exploit of this type could be integrated into a malware kit, already running on countless compromised sites? No one can relax about buffer/stack smashing, dangling pointers, etc..., until there's a bulletproof safeguard against them built into the OS/processor architecture.

Agreed. Personally I use Gentoo Hardened with PaX and Grsecurity in the kernel plus a hardened toolchain and userspace measures against buffer overflows. That includes things like address randomization, non-executable pages, mprotect() restrictions, etc. Further measures are also available, like capability systems. It's good, though I would not call it "bulletproof", not even if I thought it was.

Really none of this is any substitute for patching known vulnerabilities. What it does provide is a second line of defense against vulnerabilities you don't yet know about or cannot yet patch. Because I am building Firefox (really all my programs) from source with these features enabled, I benefit from some protection against flaws like this.

I think some of these measures are becoming increasingly common on more mainstream Linux distributions. That's a very good thing as well, since I realize that many users don't want to compile source code. For example, one of my friends is set up with OpenSUSE and it has AppArmor and other protections available by default. I can't remember whether they were enabled by default, but it's still a step in the right direction. You can arrange your systems so merely discovering that you run a vulnerable version is not good enough for the attacker. At least with Linux this is readily achievable, though still not commonplace.

I'd be interested in knowing what options are available for similarly hardening Windows. What I'd really like to see is for the average system to become difficult enough to compromise that there is no longer fertile ground for automated attacks and the botnets that follow. I think that's achievable too, if we really wanted to do it.

Re:So this just shows, that you can't relax.

[Securityemo]

Personally, I just run Arch with the standard security (ASLR, not sure about NX), and use an OpenBSD VM when I need to touch "places" that have a risk for targeted attacks. I even run sudo without password prompting. For hardening Windows boxes, take a look at eEye's products? Frankly, however, I don't know about exploitation prevention frameworks/apps on Windows (other than signature-based IDS) either.

Re:So this just shows, that you can't relax.

[Securityemo]

Nope, we're not *entirely* there yet: http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/

Re:So this just shows, that you can't relax.

[Anonymous+Brave+Guy]

Your point, that data can be more valuable than system integrity and is not protected by Linux-style user vs. root access control, is excellent. I just wanted to pick up on this comment:

For me, at least, my personal data is far more important than my OS! Corporate networks may disagree.

Anywhere I've ever worked, the corporate network would agree with you, and strongly. Replacing a compromised machine is just a format and reinstall of a drive image, something Corporate IT do all the time with new machines anyway. On the other hand, losing confidential information about business plans, trade secrets, or God forbid anything sensitive that has been provided in confidence by a client or business partner, can be crippling to the point of killing projects or destroying the business.

This is why threats from within (employees gone bad) are usually the most dangerous, but the same principle applies to any external attacks.

Re:So this just shows, that you can't relax.

[TheRaven64]

(And even if your old CPU doesn't support the NX bit, DEP will work for you as they have a software emulation for it in the OS.)

Not true. The DEP code on machines without NX bit support in the page tables will only protect you from a certain category of attack involving Microsoft's Structured Exception Handling system.

Contrast this with the OpenBSD implementation, which uses the x86 segment protection mechanism to enforce W^X when the NX bit is not present.

Re:So this just shows, that you can't relax.

[Rick17JJ]

I run Firefox sandboxed from within SandboxIE on my Windows XP computer. SandboxIE builds a virtual sandbox around the default browser on a computer. In addition, my computer is set up to where I am normally logged in with a user name. I only log in as administrator, when needed. I also use the NoScript and Adblock Plus extensions for Firefox. I only enable the running of scripts for certain Websites that I trust. Perhaps, those measures might help, but I am not a computer expert and do not know for sure.

I use Kubuntu Linux on my other computer, which is my main home computer. That is the computer which I am using at the moment. I also use Firefox on it, but there is not a Linux version of SandboxIE. Perhaps, I should use the Konqueror browser instead, until the final release of the patched version of Firefox becomes available. The Konqueror browser is already installed on this computer.

In the Linux version of Firefox, I also use the NoScript and Adblock Plus extensions. Of course, when using the Linux computer, I am normally logged in under under my user name, with the limited privileges which go with it. Like most Linux users, I do not run as root all the time. When I temporarily need more privileges I use sudo.

I am not a computer expert. I am just someone who uses both Linux and also Windows XP on my two computers at home.

http://esecurityplanet.com/features/article.php/3842331/Sandboxie-Blocking-Web-Based-Malware-From-Your-PC.htm

Re:So this just shows, that you can't relax.

[Stray7Xi]

The ubuntu version of sandboxie is apparmor. You can install apparmor-profiles that include profiles for a lot of apps.

https://help.ubuntu.com/community/AppArmor?action=fullsearch&context=180&value=linkto%3A%22AppArmor%22

Since Ubuntu 9.10 (Karmic), AppArmor ships with a profile for Firefox which is disabled by default.

You can enable it using the following command:

sudo aa-enforce /etc/apparmor.d/usr.bin.firefox-3.5

Re:So this just shows, that you can't relax.

[fluffy99]

I'd be interested in knowing what options are available for similarly hardening Windows. What I'd really like to see is for the average system to become difficult enough to compromise that there is no longer fertile ground for automated attacks and the botnets that follow. I think that's achievable too, if we really wanted to do it.

You could start with using the features already provided in Windows http://technet.microsoft.com/en-us/library/cc507874.aspx and http://www.microsoft.com/downloads/details.aspx?familyid=A3D1BBED-7F35-4E72-BFB5-B84A526C1565&displaylang=en.

The nice part is that almost all of the security settings are trivially deployed via Active Directory and GPOs. Deploying Linux security settings in a corporate environment generally involves rolling your own scripts and distribution methods.

I'm not saying Windows doesn't have room for improvement in the realm of security. On the contrary, there are tons of hardening features and settings in Windows but most are turned off by default for compatibility reasons (or really annoying like the Vista default implementation of UAC).

Someone enlighten me

[mrsteveman1]

Why are companies so unwilling to micro-patch their software? If Mozilla has a fix NOW, why are they waiting another ~2 weeks to push it out with the next minor upgrade? Just to avoid making users upgrade too often?

Re:Someone enlighten me

[marcansoft]

QA. New releases need to go through QA anyway to make sure they haven't botched anything up.

Usually the release process for a large piece of software requires a certain degree of human interaction (anywhere from light to extreme), and there's always the possibility that something will mess up, even if the bugfix itself is perfectly trivial or safe.

Re:Someone enlighten me

[oldhack]

Uhh... cuz it takes time to write and test patches and not add more (security) bugs?

Re:Someone enlighten me

[thetoadwarrior]

When a flaw is found they have to find how to fix it, write the code to fix it and the test it (so they're not left with a flaw due to the fix) and that isn't just a case of opening Firefox on one computer. They have numerous versions to test for.

I'm not sur eif the fix was pushed out already because this week I've have updates cropping up for all my instances of Firefox at home and work. So either they're early or I'll get another one on the 30th. Either way, they're clearly doing their best.

Re:Someone enlighten me

[eulernet]

I guess that it's because it costs a ton of bandwidth (and thus money) to make a patch available.
Mozilla's patch system is pretty ugly, since it needs to download 3 megabytes for a few bytes changed.

And NO, it doesn't have anything to do with validating the patch, since it's very easy to check that the behaviour doesn't change, especially when the impact is very small.
Microsoft uses the "we need some time to check the patch" because they have to maintain a lot of differents versions of their OS.

Re:Someone enlighten me

[TheRealSlimShady]

But surely a 3MB patch is still less than the entire browser download - so therefore less bandwidth?

Re:Someone enlighten me

[The+MAZZTer]

Because the fix could break other things, or even not actually fix anything or fix the security vulnerability completely, or even cause a different security vulnerability (possibly worse).

Testing is important, especially when you want to attract users, not drive them away. Unstable software will do that.

Re:Someone enlighten me

[bunratty]

If the vulnerability were publicly (fully) disclosed, perhaps Mozilla would rush a fix out the door. As far as I know, there has been limited disclosure of the vulnerability to only a few parties, and I haven't heard that the vulnerability is being exploited.

Re:Someone enlighten me

[Hurricane78]

In Linux world, it’s normal that the packages you get via your package manager have custom patches in them. So we get the fixes ASAP anyway. (Of course Windows, being the Playmobil OS that is is, lacks a general package manager.)

But I also wonder why they don’t just shove the minor updates in patch form trough their update functionality. Just like addons can get updated every time you start Firefox. It would be what? A a couple of bytes?

Re:Someone enlighten me

[mrsteveman1]

Yes, i know.

I'm asking why companies insist on patching 20-30 things all at the same time, surely it is easier to test for regressions when you're only including a single patch? Why can't you patch, test, release, and move on to the next problem?

Isn't this what MS does with their micro-patch KB fixes?

Re:Someone enlighten me

[fluffy99]

If the vulnerability were publicly (fully) disclosed, perhaps Mozilla would rush a fix out the door. As far as I know, there has been limited disclosure of the vulnerability to only a few parties, and I haven't heard that the vulnerability is being exploited.

You mean like having an automated exploit tool published 1-1/2 months ago? https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/

Re:Someone enlighten me

[breser]

I interviewed with Mozilla a few years back when they were looking for a Release Engineer. I think you underestimate the amount of work that goes into producing a release. Firefox is released in 70+ languages for 3 platforms. On top of this they release upgrade versions and not just full binaries, which of course is different for each platform. So you're looking at around 420+ different versions. There are also branded versions as well, which adds even more versions.

This was a few years ago and they were looking to bring in another Release Engineer, do more automation with the goal of reducing their release turn around time. So I don't think it's as easy as "Why don't they just do more releases."

Re:Someone enlighten me

[mrsteveman1]

Right, but isn't the end result of the way they do things right now, an increase in the time between disclosure and patching of critical security vulnerabilities?

Re:Someone enlighten me

[breser]

First of all I think you need a timeline to help you understand how this vulnerability was handled:

Feb 1st, 2010: VulnDisco is updated with a zero day exploit for Firefox 3.6. No details on how the exploit works are provided. The exploit is only available in binary form when you buy a copy of VulnDisco. Some people buy VulnDisco and have difficulty in making the exploit work. https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/

March 16th, 2010: First 3.6.2 nightly builds that contain a fix are made available: https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

March 18th, 2010: Mozilla announces that the original discoverer of the problem provided them sufficient details to find and fix the vulnerability. They also link to the nightlies linked to above on the March 16th entry. http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/

March 30th, 2010: Scheduled release date.

Assuming that they got the details on the 16th and actually came up with the fix the same day (which is probable), that's a 2 week turnaround. Given that there have been no further nightlies posted for 3.6.2 since the March 16th it seems pretty clear they're in the release stages of getting 3.6.2 out of the door.

I'm not really sure how you expect them to get it out sooner. The largest delay here is them getting the information they needed to fix it. Which accounted for a month and a half worth of time.

Should they work at reducing the lag between having the fix done and putting out releases. Yes and based on my interview there serveral years ago they were committed to doing just that. But there's still an awful lot of work that has to go into actually doing those releases. They don't just magically appear.

Re:Someone enlighten me

[tlhIngan]

Yes, i know.

I'm asking why companies insist on patching 20-30 things all at the same time, surely it is easier to test for regressions when you're only including a single patch? Why can't you patch, test, release, and move on to the next problem?

Isn't this what MS does with their micro-patch KB fixes?

Because you'd be running the test case 20-30 times? And people really, really, really hate updating their software hourly?

That means for each patch they have to go through a whole release test of the software, which even though there's lots of volunteers, still takes a long time and a lot of effort to do. Do it 20-30 patches at a time, and you only really have to do the testing once. If you find a regression, a binary search of the patches applied will get you the problematic patch.

There's a lot more to releasing a product than "it compiles, ship it!"

Re:Someone enlighten me

[AmiMoJo]

Surely the QA should not take that long though. There are plenty of people willing to test the code.

Microsoft uses the excuse that they need to test every language on every OS version in every configuration but what is worse - breaking the Hungarian version on Windows XP SP2 or leaving everyone with an unpatched critical vulnerability for weeks?

Re:Someone enlighten me

[BZ]

> Just to avoid making users upgrade too often?

Yes. The typical monthly Firefox minor update ships on the order of 30-100 fixes depending on the month (security problems, stability problems, compat problems, etc). Micro-patching would involve 1-3 upgrades a day.

If the upgrade could happen silently and without any user notification (which is what Chrome is working and and what Mozilla would like to get to), that may be acceptable. But even just telling the user three times a day "hey, I just updated" is a deal-breaker.

Re:Someone enlighten me

[BZ]

> There are plenty of people willing to test the code.

Are there? The number of people testing your typical Firefox minor release is about an order of magnitude lower than the number of people testing bleeding-edge Firefox trunk last I checked. And it's at least two orders of magnitude lower than the number of people testing a major release beta.

If you talk to the Mozilla QA and release folks, one of their big problems is in fact the lack of minor release testers...

Re:Planning? It's not enough!

[maxume]

Are you being intentionally ridiculous?

The fix is in the latest beta release already, that binary is slated to be the release candidate, and if testing goes well, it will be the release.

Re:Planning? It's not enough!

[Athanasius]

As someone else already quoted:

Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability

You can already go and download that 3.6.2 beta if you want, I did.

The 'planning' is about the data of 3.6.2's release, not whether or not it will have this fix included.

Re:OMFG

[wizardforce]

Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/. We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce. We’ve attempted to contact the researcher who discovered the issue but have not received a response.

Secunia: omfg Firefox has a vulnerability!!!
Mozilla: ok so what are the specifics?
Secunia: ...
Mozilla: Hello?
Secunia: ...
Mozilla: Anyone?
Secunia a few days ago: Right then... here are the details...
Mozilla: *patched beta*

Re:Planning? It's not enough!

[DutchUncle]

Why isn't this a little easier to find on their site???? Search for 3.6.2 and find nothing!

Re:Planning? It's not enough!

[maxume]

Because it is a beta. They don't want to support the people who can't find it on their own.

Re:Planning? It's not enough!

[moteyalpha]

There appears to be a critical vulnerability in your logic and why did you not fix it before you posted? Were you not aware of it? Did you not research the problem and preview before submitting a solution? As a result, you created a second and worse vulnerability.
As others have pointed out, there is already a patch and I have looked at it myself.

Re:OMFG

[Securityemo]

Of course. You have to build up the correct suspension first, if you're not going the "surprise proof-of-concept 05.00 in the morning" route. It's just how these things are done.
People just have no respect for good professional showmanship.

It's not fixed until it's QA'd

[ClosedSource]

So you can get the untested version now which may or may not fix the vulnerability and potentially botch-up your system. This is better than waiting until March 30th in what way?

Re:It's not fixed until it's QA'd

[CyberDragon777]

Supporting Firefox by beta testing it?

Re:Planning? It's not enough!

[ClosedSource]

Hiding the patch doesn't really make any sense. I suspect they just didn't want to do the work to make its location more obvious.

Re:Planning? It's not enough!

[TheRaven64]

They'd rather support people who were exploited because they were running the vulnerable version?

fixed...

[uolamer]

Alternatively, users can download Release Candidate builds of Firefox 3.6.2 which contains the fix from here:

https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

Re:fixed...

[camperslo]

The 3.6.2 beta has worked fine for me, but those uncomfortable with that and not willing to wait can avoid the bug by using a 3.5x version. The vulnerability is only in 3.6 series releases.

Re:fixed...

[jonadab]

> The vulnerability is only in 3.6 series releases.

I should be fine, then. I downgraded to Firefox 2 after I got tired of losing data (specifically, open tabs) to two different bugs that were introduced in 3.0 and are still present in 3.6.

Maybe Firefox 4 will be better...

Re:OMFG

[recoiledsnake]

Maybe it was more like this:

Secunia: omfg Firefox has a vulnerability!!!
Mozilla: ok so what are the specifics?
Secunia: ... (puts it on black hat exploit auctions)
Mozilla: Hello?
Secunia: ... (sells it to the highest bidders)
Mozilla: Anyone?
Secunia a few days ago: Right then... here are the details... (Milked it enough)
Mozilla: *patched beta*

Re:OMFG

[Anonymous+Brave+Guy]

I love the way you implicitly assume that exactly the same problems don't apply to Microsoft/IE, or any other browser development team.

Did you realise that you are the guy the grandparent post was mocking?

Re:Planning? It's not enough!

[maxume]

Do you have any evidence of this exploit being used in the wild?

(Of course, I was mostly being a jerk in my previous comment, but it really isn't that shocking that they are following their standard release procedure here)

Re:Why Mozilla should be implemented in Java or...

[shovas]

There are serious pros and cons one has to weigh choosing an implementation language for a project on the scale and the types of requirements that firefox has. I'm pretty sure your only serious contender in the list was Java and it has significant baggage all of its own. I'll take C/C++, I just wish programmers had a passion for better code in all of its aspects including the ever present yet most fundamental buffer overflow bugs.

The REAL question is,

[Runaway1956]

"But, does it run on Linux?"

Hey, if the damned exploit won't run on Linux, then it's not a real exploit, is it? This kind of thing kinda pisses me off. There are all KINDS of neat software out there, that just won't run on Linux. It's definitley not fair. I think it might even be illegal. In today's modern world, no one is supposed to be excluded from anything. Not even nerds!!

Re:Updating... how to?

[Bambi+Dee]

When I go to mozilla.com, a big green button offers me a .tar.bz2 with a distro-agnostic Firefox binary. Isn't that what you mean?

Re:Your official guide to the Jigaboo presidency

[Zen+Hash]

(I'm not American so I don't have the same 'horror' of the N word BTW, round here it's the C word that's the 'uh-oh' one).

Cracker? Communist?

Re:Planning? It's not enough!

[powerspike]

The fix is in the latest beta release already, that binary is slated to be the release candidate, and if testing goes well, it will be the release.

It doesn't count until it's publicly released, Otherwise the majority of the browsers are still not patched...

Re:OMFG

[petermgreen]

Mozilla has earned the benefit of the doubt.

Microsoft has a proven track record of ill will, negligence and general contempt for its customers. Therefor it is generally met with suspicion and distrust and has to proof there case every time because of it.

Karma is a bitch.

I dunno I don't think they are as bad as MS but i'm not sure I trust either the firefox codebase or the mozilla guys.

The memory "leak" saga and the fact that afaict they don't treat all crash bugs as high priority becausue they are potential vulnerabilities (until you figure out what causes a crash you don't know if it's exploitable) don't exactly inspire confidence. Neither does delaying an exploit to the next regular release rather than adding the fix to the latest current release and making release ASAP specifically for the security update.

Re:Why Mozilla should be implemented in Java or...

[Paul+Fernhout]

I can't believe my first comment got modded down twice as flamebait; slashdot has really descended technically, apparently, to judge so poorly what is a serious technical comment by someone who has been programming for about thirty years (and who even taught C at the university level and has used C++ extensively in the past, including at IBM Research).

So sad to put a little performance (and questionably) these days ahead of security as well as ease of programming, extendability, and maintainability.

While I agree with the wish that more programmers cared about better code, I also wish most programmers had a passion for better tools. :-)

Re:Why Mozilla should be implemented in Java or...

[shovas]

I majored in java (and I really do love java) but I now work in perl. So, certainly, it sounds like you'd be in a better spot to judge what would be the best implementation language. Also just noticed your low uid!

You really think firefox should've been developed in java? I would've thought it would be problematic for that type of project that needed portability, minimal footprint (no jvm), and perhaps lack of an environment that might promote over-engineering?

Like I said, you have the experience, you really think it should've been developed in java even with all of its considerations?

Damn youtube made me upgrade.

[ImYourVirus]

Fuck I just upgraded too, like a week or so ago. =\

Re:Your official guide to the Jigaboo presidency

[Philip_the_physicist]

Yeah, these copypasta trolls are tedious and annoying, but this guy is no worse than the tron fanzine guy, the library shit-eater, and the GNAA's broken Markov chain that posts the goatse links. He's just another retard.

Re:Your official guide to the Jigaboo presidency

[Philip_the_physicist]

Apart from what the SP says, that doesn't mean that hate speech laws are a good thing. Haven't you heard the saying "sticks and stones may break my bones, but words shall never hurt me"? That sort of post isn't libellous, slanderous, or defamatory, because it wouldn't actually harm anyone's opinion of either a specific black person or black people in general (anyone who would take it seriously would already believe that crap), and there is no measurable harm done by it.

Even hate crime laws are pretty silly IMO. I had this discussion with a local GLBTQ-rights activist a couple of years ago[1], in the context of a series of gay-bashings that had taken place not long before and the proper response to it. Her understanding of the problem was essentially as a public relations problem, people hate GLTBQ people so let's encourage them to like us, and if they won't we'll punish them for saying so. I saw the problem as a law and order question, people were committing assault and getting away with it, so let's have some more police in the known trouble spots (which were perfectly well known to the general community), because an arbitrary assault[2] for one reason isn't going to hurt any more or less than an arbitrary assault for a different reason. If beating someone up for fun deserves punishment X, it shouldn't matter why you thought it was fun.

To bring this back to your post, if I vandalise your building, it doesn't matter whether I did it because you are Jewish, because of sexual jealousy, becuase you are short/tall/ugly/good-looking, or just for "teh evulz", and yet hate crime laws say, in effect, that it is more legitimate to victimise someone because they are not from some special category.

[1] I actually support GLBTQ rights and whatnot, I just completely disagree about strategy with the local movement.
[2] By this I mean an assault which is not the result of an argument or motivated by anything practical (such as a mugging or a mob shakedown)

Re:Planning? It's not enough!

[innocent_white_lamb]

No Linux/x86_64 version is available there...

Re:Why Mozilla should be implemented in Java or...

[Paul+Fernhout]

A lot of these issues are relative to your priorities and also technical change. What does "minimal footprint" mean these days on eight core Mac Pro with tens of Gigabytes of memory, and where most of the memory is used by cached pages of a web browser, not the application itself? There is a value to Firefox being in C++ from the standpoint of it being embedded somehow in other C++ applications (including embedded software) -- although, on the flip side, it makes it difficult to embed it in Java applications (and there are embedded JVMs with small footprints, and you can even compile Java code to run without a JVM). Years ago, when Java was not free-as-in-freedom, it would have been a problematical issue to use Java (and that would have been a tough choice, to plan for the future, making guesses); there were Java browsers, but they were never developed fully (Sun has a widget with limited functionality as part of the Java SDK, and they also had the "HotJava" browser, though that was slow at the time (1994) due probably mostly to JVM issues and also memory limits on older machines).
http://en.wikipedia.org/wiki/HotJava

Many years ago, Lisp with some domain specific languages on it might have been a better choice back then (compiled Lisp can sometimes even be faster than C is some dynamic applications, and many web pages are very dynamic), or a Smalltalk like VisualWorks (though that was commercial, but there was a moment when it was sold for a song, and there was also a moment when Squeak might have become a popular free system). Still, even years ago there were free-as-in-freedom JVMs from other sources that could have been improved as part of the Mozilla effort.

But that is all rewriting history. Mozilla is in C++, and that's what the people who maintain it are most comfortable with.

The issue is that going forward, does security trump some issue of run-time performance or comfort of the maintainers? I'd say yes, security is more important at this point, especially since something like the JVM can also run multiple languages (like Scala or Jython) which allows a diversity of coding styles for add in modules, and the JVM (as with Android) can be tailored to provide firewalls between different web pages (sort of like Google is doing with Chrome having a different process for ever web page). Is Mozilla going to switch to using the JVM at this point? Unlikely. But this does suggest that Firefox's days are numbered... Maybe in years, but still one can see the train at the end of the tunnel. :-) Ultimately, someone could translate the core algorithms of FireFox to something like Java (perhaps even with a one click tool someday :-), and then for the average desktop user, it would be foolish to use the C++ version because of the security issues. Yes, there would be terrible social issues about forking and so on. Still, Java code can have security issues, as can the JVM, so nothing is going to replace testing and vigilance.

Here is the first Google result right now for a Java Web Browser:
http://lobobrowser.org/java-browser.jsp
"Lobo [download] is an open source web browser that is written completely in Java. Lobo is being actively developed with the aim to fully support HTML 4, Javascript and CSS2. Lobo also supports direct JavaFX rendering. The general goal of the Lobo browser effort is to produce a browser that is fast, complete, easy to extend, feature-rich and secure."

So people are doing it... It's only a matter of time...

As they write there:
"""
Why a Pure Java Browser?
There are a number of advantages to be derived from a browser that is written in Java as opposed to a language compiled into native code, namely:
* Security.- In principle, a Java program is less suceptible to certain types of vulnerabilities such as a buffer overflow attack. Java's security model ca

Re:Updating... how to?

[badkarmadayaccount]

Include support for foreign resources in ELFs in the kernel, along with VFS directives for presenting the resources, and soft link all the compile time options (probably needs LLVM) in to one binary, just store the diffs, that don't have to be recalculated every time.