Firefox 16 Pulled To Address Security Vulnerability
Shortly after the release of the newest major version of Firefox, an anonymous reader writes with word that "Mozilla has removed Firefox 16 from its installer page due to security vulnerabilities that, if exploited, could allow 'a malicious site to potentially determine which websites users have visited' ... one temporary work-around, until a fix is released, is to downgrade to 15.0.1"
Wow, I'm still using FF 3.6.12. I must have fallen into a time warp bubble... What year is this?
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Well, guess that serves me right for being on the Firefox beta channel. I honestly don't even remember how long I've been using the FF16 beta. TFA didn't mention if beta users are affected, but I'm going to assume that we are.
I make hardware RNGs, which give 2.5849625 bits of entropy per use in theory (actual performance dependent on usage).
Why the hell did they pull it? Firefox 16.0 fixes 24 bugs, of which 21 are considered important. They're advising people to downgrade to THAT version because of ONE minor privacy issue. Seriously? Why don't they urge people to upgrade to 16.0 and start pushing out 16.0.1 as fast as they can?
I guess the decades-old saying still holds true, "never install a point-O release."
Why don't they issue an 'update' that downgrades me back to 15.0.1 then? They can even rename it 16.1 or whatever to keep the auto-update happy with a version number increment.
I got upgraded yesterday, do I have to manually downgrade myself - seems ridiculous.
Considering all the stuff "16" was supposed to have fixed, recommending a rollback over this sounds completely incompetent. And therefore expected.
Remember, these are the same geniuses that decided to start rolling the version number every time someone fixes a typo a few months ago, and thus calling the current version (what is it really, 5.3 or so?) 16. And it isn't truly new either, take a look at this old bug for example: https://bugzilla.mozilla.org/show_bug.cgi?id=78414
Been sitting there well over 10 years now. Not one serious attempt to fix it. How many new features that no one wanted and random gui changes to confuse users have they managed to implement in that time period?
So yeah, no surprise here. Please, someone, make a browser that doesn't suck.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
... or wait till tomorrow for Firefox 17
I know about the new speedy release scheme, but how is it possible that version 16 is released when 15 is only at 15.0.1?
I assume you're joking, but if you aren't, then I feel compelled to inform you that firefox version numbers are now meaningless.
Thanks for publicising the vulnerability, ya bastards
Let's see, they make it super easy to upgrade, but much harder (in comparison) to downgrade. Can you guess what the majority of users will do?
Of course the fast upgrade cycle has a downside, it's only a matter of time before Mozilla would let its users down with this newfangled upgrade methodology they've subscribed to.
If you're going to have a quick and seamless way to upgrade, you better have a quick and seamless way of downgrading too!
I don't get why they bothered. By the time anyone gets around to bothering with an exploit on a mass scale Firefox 17 would have been released. Besides, who really wants to know I visit "extra lunch money" on a daily basis?
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
http://news.slashdot.org/story/12/10/10/2113239/in-under-10-hours-google-patches-chrome-to-plug-hole-found-at-its-pwnium-event
No kidding!
Apparently there are still enough people out there who either:
- Haven't consumed enough of the Apple/Safari Kool-Aid and
- Still value their 'privacy' enough to resist being sucked into the Google Void,
to justify the choice. If you wait a generation or so, though, those folks will die off and be replaced. Then you won't even have to hack facebook to steal 500 million phone numbers--just do a Google Search!
Yeah like 35% of the market and declining. But whatever bro it's cool you can still be snarky! And if you are having trouble with the math that is 1 in 3 people.
http://www.w3schools.com/browsers/browsers_stats.asp
The number thing is *silly* to get upset over. I personally like having better browsers every few months/weeks instead of every few *years*. The memory thing was something to get upset over. They are almost starting to get it under control. But it may be too late at this point. Or we could go back to what they had before and we would still be waiting on v5 after the 17th delay because some other feature was not 'just right'. Some of the stuff in v4 was done for 2 years and just sitting there not getting used. Then suddenly it was getting used bugs being found but being written 2 years earlier... Yeah the old way was so much better!
I am looking forward to 17/18. It has some cool stuff in it. Such as moving proxy into its own thread. The garbage collection goes in at 16. Plus a wide variety of css3 stuff. Oh and per tab memory reporting so you can figure out which website is to blame for snorking up 200 meg... That sort of thing.
EOM
Yeah because W3Schools is totally a realistic sampling of the general population. On the other hand Wikimedia's stats peg it as under 20%.
Why not use dates? Or even fancy marketing names? Using conventional release numbers (i.e. 16.0.1) implies some sort of logical structure to the release schedule, does it not? Well, if there is no logical structure to it, then certainly it doesn't make sense to use numbers.
Certainly there are pros and cons, and it’s indicated to organizations, but why not use Firefox 10 ESR (Extended Support Release) and escape pressure of the browser market? http://www.mozilla.org/en-US/firefox/organizations/all.html
you do know that's just a graph of the browser types that visit wikipedia?
I just upgraded to 16 yesterday too...
Add-on locked. I stayed on 3.6 though, chrome's interface is intolerable for me. So I just run it sandboxed now.
Why is it 'mad'? I don't understand why people have such issues with this. It's just a damn number. If it really irks you so much just add a decimal point to the start of it in your head and move on.
It's not just a damn number. By convention in typical software versioning, version X.Y.Z means:
- X: major version number
- Y: minor version number
- Z: bug fix version number
Taking a house analogy:
- The major version number is akin to the building itself; it's the overall architecture. You bump this when you basically tear part or all of the whole thing down and rebuild it on more solid foundations.
- The minor version number is akin to the interior floor plan, plumbing, cabling, etc.; it's the API. You bump this when you introduce new features, or change or deprecate existing ones.
- The bug fix version is akin to everyday maintenance and the interior design; it should have zero impact on whatever is interfaced with or relying upon your software. You bump this when you find something defective and make it work the way it should.
You could argue that consumers don't care, and that power users will be well aware of what's really in a new version, and thus that not conforming to the above convention is no big deal. That argument completely falls apart, however, when you consider the system admin or the advanced user who ends up asking himself whether he should upgrade a non-conforming piece of software on a computer or not. If the latter two need to waste time on a BS versioning scheme, they'll replace the offending piece of software as soon as they get the chance for peace of mind.
I'd much rather run Firefox 16239.0.1!
> http://www.w3schools.com/browsers/browsers_stats.asp
Bear in mind, those are stats from a site visited almost exclusively by web content developers, most of whom are fairly active on the computer, use it a lot, and are less averse to upgrades than average. It's not an entirely representative sample of the internet at large. Out-of-the-box defaults, such as what comes on a computer when you buy it at the store, would naturally be expected to be significantly underrepresented in such a sample. Newer browsers would tend to be somewhat overrepresented.
I estimate Firefox usage at something more like 20% and holding fairly steady with minor fluctuations month by month. (New versions of other things come out, and people switch over, then new versions of Firefox come out, and people switch back...) IE is around 45% and has been declining steadily since the turn of the century. Chrome, which has been increasing since its introduction, has recently or will soon surpass Firefox if its trend continues, but the most marked increase I've seen in recent quarters is in mobile devices, most of which either use or convincingly spoof Mobile Safari.
Google presumably has more precise stats, broken down by geographic region, although their numbers may be somewhat skewed toward Chrome, much as Microsoft's are skewed toward IE. Slashdot's stats would be skewed in a manner similar to that of W3Schools, with perhaps an additional skew toward browsers that run on *nix systems and/or from the command line. Know your audience.
Cut that out, or I will ship you to Norilsk in a box.
Worst haiku ever.
I was subscribed to the Firefox beta channel, since I develop add-ons for Firefox. When Firefox 16 came out on the release channel, the beta channel was still delivering Firefox 15.0. Apparently somebody skipped the beta test.
And as you know (and can already see on that page) the graphs vary widely between these "providers".
The graph at the top shows visitors to Wikipedia yes.
The graphs from statcounter count pageviews, the graphs from netmarketshare count by visitors (maybe even IP-address).
Which means statcounter is skewed for heavy Internet users (users which do many page views will skew the results in their 'favor'). Heavy users of the web will probably use a newer browser.
But the netmarketshare numbers are also deliberately changed by them to fit the number of Internet users per country (so the large share of for example IE-users in China skew the results a lot in that direction).
Good luck finding good numbers.
New things are always on the horizon
Have you looked at Firefox Extended Support Release? I don't have any add-ons that haven't moved to support FF ESR 10.x.
How's that working out for you?
I'll stay on the ESR release and update when *I* decide to do so. Thanks.
Smart move. There are +40 security vulnerabilities in FF 3.6. In fact, I would use another browser at this point if you do anything important like pay bills or do banking on your computer. Hackers target it and website operators will treat it like IE 8 and give it downgraded content and leave the HTML 5 stuff for modern browsers.
FF 3.6 is turning into the next IE 6 fast.
http://saveie6.com/
For what it's worth, according to Netmarketshare, http://www.netmarketshare.com/browser-market-share.aspx?qprid=1&qpcustomb=0, Chrome on the desktop has not been gaining ground since early 2012. It's hovering at around 19%. IE is holding steady as well at around 53-54%, with Firefox staying at about 20%. Judging by the trend lines, I'd say that for the desktop markets these shares are entrenched. I don't expect to see much change unless FF, IE, or Chrome does a major screw up to drive people off their platforms.
Netmarketshare's report on mobile devices is very different. http://www.netmarketshare.com/browser-market-share.aspx?qprid=1&qpcustomb=1 Opera mini, Blackberry, and Symbian have been falling with Safari Mobile and Android browsers picking up the slack. Interestingly enough, it doesn't look like the iPad2 back in April really affected the mobile browser shares at all.
Too bad my office is downgrading back to IE.
It is too little too late and releases like this should scare any organization who uses a non-IE browser. Asa really did ruin a beautiful thing as many were just warming up to FF 3.6. But this release cycle? Hell no, and the intranet developers are now de-certifying it for their apps. Only IE is supported now. Maybe in 2019 when IE 8 is EOL we will move to HTML 5.
What a shame.
http://saveie6.com/
Can we all SHUT THE FUCK UP with the idiotic complaining about the version number scheme. It's stupid and you sound like an asshole! It's a FUCKING NUMBER. WHO THE FUCK CARES? Does every Fucking article about a software release have to have this moronic bitching! Dumb-asses!
FF 15.0.1 is taking up 1.4GB of memory on my machine right now.
16.0.1 was already released. Release notes here.
It's been fixed - 16.0.1 has been released.
It of the same problems as any post-3.6 does. The only problem it removes is constant add-on compatibility headaches. The rest is still a turd.
If you want to spend significant effort owning my browser, go ahead. I dump contents of sandbox it sits in on a regular basis.
Not to mention I have sane banking and billing. Even if you get me keylogged, you're not getting into my account. Nevermind that I haven't had a security breach ever since I got form.A virus back in floppy days. Security is not only about holes, but about safe practices as well. And I play things like WoW and GW2, where people with all those nice shiny browsers get "hacked" left and right. And yet, me and my old "vulnerable" 3.6 just keep on truckin'.
> For what it's worth, according to Netmarketshare [stats]
Those are fairly believable figures. They don't exactly match mine, but the deviations are not extreme and are possible to explain in a variety of more or less plausible ways. Their stats are probably based on a larger sample than mine.
> Netmarketshare's report on mobile devices is very different.
My mobile device UA stats are changing rather significantly from quarter to quarter, as entire product lines drop out of use and others debut on a fairly regular basis. The only really sweeping generalizations I can make are as follows:
1. Mobile usage overall is growing rather rapidly. I started paying closer attention when it topped 5% of total usage on a site I maintain, just a few months ago. I am pretty sure it will top 10% by the end of the current calendar year. If you'd told me two years ago that that would happen, I would have been rather skeptical.
2. Most mobile devices (that are used to access websites) appear to run either iOS or Android. There are numerous others, but they're minor players. The big boys are iOS and Android.
3. Most mobile browsing appears to be WebKit-based. Mobile Safari seems to be either the most popular mobile browser or the most popular mobile UA string to spoof, maybe both. (Sometimes you can tell it's being spoofed. Amazon Silk, for example, spoofs Mobile Safari but also puts its own identifying tag in, so it's easy to split out. Of course, Silk is WebKit-based, so from a content development perspective the difference is not extremely important. I do like to make my stats as accurate as I can, though.)
4. Furthermore, most mobile browsing now appears to be based on versions of WebKit recent enough that they can handle CSS media queries. Such mobile browsers are much easier for a web developer to support than the ones just a couple of years ago. From this I conclude that most cellphone users have discarded their previous-generation phones or relegated them pretty much exclusively to voice call usage.
5. Currently, phones appear to outnumber tablets roughly two to one (just counting the ones that people are actually using to browse websites). However, this ratio has not been stable for very long. (It changed when the iPad was released and changed again when the major ebook reader vendors started putting web browsers on their readers and turning them into tablets. It could easily change again if some other market event shakes things up again. The tablet market is not mature and therefore not very predictable.)
In practice, as a web developer, the conclusion I draw from this is that it is highly desirable for most websites to use media queries to reduce the number of columns as the screen width decreases so that it becomes possible to view the site in a single column if the user happens to be on a small screen, such as on a phone.
The design I am currently working on for our site where I work can now handle horizontal resolutions as low as 170px without introducing any horizontal scrollbars. At large widths, such as on a high-resolution wide-screen desktop display, the layout has three columns with a nice amount of whitespace between them and some subtle decorations in a few places to make the space look less bare (e.g., the header at the top gets an extra textured gradient fading in on the left edge and a photo of our nicely photogenic building on the right, if there's room to do that without crowding things). Media queries rock. The default look, for browsers that don't support media queries, is designed to not screw anything up too badly down to 800px.
Cut that out, or I will ship you to Norilsk in a box.
So what does that make the folk that use Opera?
Personal preference wise (security issues ignored) I would rather poke my eye out with a carrot than use FF 3.6 again.
On my el cheapo laptop FF 3.6/4 was so sluggish, so slow, and bloated I temporarily ran IE 9 instead!
Try it again Lucko? It just got patched and I have to say it is vastly improved over 3.6. Add-ons have a new api like Chrome that do not break, ram is 1/3 what it was on low ram systems, it is fast again, and my old laptop runs it fine now.
Yes the UI has changed. There is waterfox and there is a way to turn the menus back on too. Sandboxie is annoying and I remember using that which was the last straw before going to IE 9 which was sand-boxed and in 2011 was ok standards wise.
http://saveie6.com/
I agree on slowness, it's a bit laggy on my cheap personal laptop as I use it with a lot of tabs open. But it's a small price to pay to not have to suffer from chrome's interface with all its usability-butchering small screen optimizations on my dual 24" monitor setup as well as never having to worry about key add-ons, such as mission critical (for me) Finnish spellchecking break on update with no recourse but rollback.
Essentially, unless someone mods entire 3.6 UI back, including a functional status bar and buttons, about the only upgrade I can see myself making is to another browser with same add-ons and interface that isn't optimized for small screens. And seeing how I'm add-on locked into firefox for foreseeable future, that's not likely either. Sandboxie really isn't all that terrible if you have a fast enough machine, and my desktop is a two year old gaming PC. It could probably run hundreds of tabs before it would start to slow down.
In a way, modding FF UI back to 3.6 would be something I should suggest to folks working on classic shell. They made IE look reasonably usable again after all, maybe they'll do the same for firefox? Wishful thinking but a man can dream.
Wait a minute -- my copy of FF 16 aggressively updated itself this morning and restarted as V16.0.1. Is the problem solved?
Firefox has apparently patched this vulnerability in version 16.0.1. In the interest of not causing Firefox users to needlessly panic and downgrade without good reason, maybe the poster should update the story to include a note about how this vulnerability has been patched.
At least they are fixing the problem and will probably do so more promptly than most. I have had better luck with Firefox than with any other browser. However, the option to keep the old version has disappeared. Mine did not automatically upgrade to 16, so I still am using the last good version. Was 16 a beta version?