Germany Warns Against Using Firefox
jayme0227 writes "Due to the recent exploit in Firefox, Germany has warned against its use. This comes a couple months after Germany advised against using IE. Perhaps we should start taking odds as to which browser will be next." Note: the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month of 3.6.2.
Yup
3.6.2 is out.
Firefox 3.6.2 was released earlier tonight: http://www.mozilla.com/en-US/firefox/3.6.2/releasenotes/
You have violated Robot's Rules of Order and will be asked to leave the future immediately.
The vulnerability *only* affects the current 3.6 branch. Patch is complete and will be pushed on the 30th of March.
Here is the Mozilla blog entry on the topic:
http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608
Here is the original bug report:
http://secunia.com/advisories/38608
PS: can we please get security-related articles with some content instead of *OMG, we are all going to die!!* ??
Yeah... that's actually encouraging, it means they are actually providing meaningful distinctive advice/suggestions, and not merely copy and pasting vendor vulnerability lists and activating pretty 'alert level' colors...
not like the US government, who yanked up what used to be the wonderful somewhat independent [but gov sponsored] organization called 'CERT', absorbed them into the department of homeland security, and turned them into US-CERT, a mere vacant shadow of their former selves, just another clearinghouse that lists every bloody little Windows vulnerability the earth has ever known, nothing too interesting, nothing too distinctive or useful anymore.
That is, ever since, CERT's usefulness has plummeted by orders of magnitude, nowadays they typically just parrot all the major commercial vendors' security advisories, even ridiculously minor ones --- I suppose this is great if you are a Windows user, it should convince you to switch, but for the rest of us it sucks.....
CERT has made what, 1 activity incident report based on actual events or compromises, intrusion patterns, intrusion details, or reports on new types of threats since 2001?
Governments don't know what to do about security, I guess... their efforts at 'reporting' just degenerate into vulnerability listing, and other mundane non-intelligence-requiring activity.
Either that or they think it's too dangerous to tell the public what direction attacks/bad guys seem to be heading.
mod parent TROLL...
Have you looked at the BSI page and linked Mozilla blog page?
The Mozilla blog entry was dated March 18th (giving March 30th as the release date for 3.6.2). The BSI advisory was dated March 19th (4 days before the story broke on Slashdot; and 4 days before the actual release of 3.6.2).
So, you're saying, it was retaliation by BSI against Firefox, for publishing a release date the Firefox crew themselves published the day before?
On March 19th - with the projected release date 11 days away, it seems it was perfectly in order for BSI to recommend use of an alternative for those 11 days:
"the Bürger-CERT recommends the use of alternative browsers until Mozilla Firefox version 3.6.2 is released."
This has nothing to do with fear-mongering - but simply that during a potential danger period, people might want to watch out. Their article clearly stated it only affected 3.6, and their article stated that their advisory is temporary 'until 3.6.2 is released'.
How is that retaliation?
Opera 10.51 Changelog
"Security
Fixed
Fixed an issue where the HTTP Content-Length header could be used to execute arbitrary code; see our advisory (http://www.opera.com/support/search/view/948/).
Fixed an issue where XSLT could be used to retrieve random contents of unrelated documents, as discovered by crazypops; see our advisory (http://www.opera.com/support/search/view/949/)."
OH SNAP SON! So much for those skilled contractors and their superior skills.
Don't take life so seriously. No one makes it out alive.
The guy who found the bug didn't give details to Mozilla promptly, he sold it in his security product to clients for a few weeks, then told Mozilla. Can't blame Mozilla for not fixing a bug they had 0 details on. Once they were given details they fixed it in a few days, not bad for fixing the bug, making a build, QA'ing and releasing it.
A WOFF font is a Web Open Font Format font.
http://hacks.mozilla.org/2009/10/woff/
It's basically an extension of the @font-face rule with its own compression and meta tagging. Please don't tell my designers about it.
> That's true, as long as you turn off Google as the default search, disable cookies
And don't forget about LSO cookies (Flash directory), that do NOT get deleted by FF's cookie deletion on exit. Extra add-on is needed (BetterPrivacy) to do so.
Oh...and MozDevs...please restore the 'Clear History on Exit' window on browser exit. Thanx!
Seriously? I'm all for the opinion that Firefox is becoming the Winamp of browsers, with that best of the rest feel rather than the best feel. But Opera really doesn't have a snappy UI or a snappy feel. Opera is a great browser but has always felt clunky and dopeish. Not to mention that with the same tabs open in both Opera and Firefox, Opera is the one that feels the most sluggish. I fully agree that Firefox is making some disastrous decisions, taking a month to fix a reported bug is beyond acceptable, but let's not make it out like it's the new IE. By all means let's slap them on the wrists and hope they don't do it again. Let's hope that in Firefox 4, you'll be given an installer screen that will let you choose which features you want, I for example, won't be opting for TaskFox installed. But in no way is it the demon browser from hell sent to rape our mothers.
https://www.bsi.bund.de/ContentBSI/Presse/Pressearchiv/Kurzmit2008/090908chrome_htm.html
And they also recommended against Opera 10.50:
http://www.buerger-cert.de/newsletter_suche.aspx?param=HGf116Hsnmjdg%2B95Lx4xLVfgHeBWpfgcdyqiMrbjzdH9yQ4jIcV6TY4STnzgjITQ%2BhD3uF8Dgn3F1%2BDy1Synkw%253d%253d#anchor1
So, nothing to see here.
The BSI is not the government. It is a federal agency. BSI = Bundesamt für Sicherheit in der Informationstechnik (engl. Federal Agency for safety and security in Information Technology). They are more something like CERT. Even though the US government thinks the BSI is some sort of NSA, because the NSA also does security in information technology (e.g. SELinux). However, the BSI does not spy on people. This is done by another agency. And the BSI is as much the government as it is the police or judges.
..and if you have actually used it on Windows, you know that it's really bad.
Unresponsive, with a non-conforming UI, and the installer carries a payload of other Apple software.
"His name was James Damore."