Slashdot Mirror


Mozilla Issues Fix For Firefox Zero-Day Bug

An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."

115 comments

  1. Open source? by Anonymous Coward · · Score: 0, Flamebait

    I thought the consensus here was that open source software was secure? Why do the events of the past year make it appear as if they're as bad or worse?

    1. Re:Open source? by mystikkman · · Score: 0, Flamebait

      I thought the consensus here was that open source software was secure? Why do the events of the past year make it appear as if they're as bad or worse?

      That is all hogwash FUD and confirmation bias.

      The truth is that there are a few orders of magnitude more effort put in to bash closed source software and hating on Microsoft on online tech boards compared to actual reading of source code to find bugs. That's why we have extremely serious bugs coming out of software like the Linux kernel that are 20 years old.

    2. Re:Open source? by Anonymous Coward · · Score: 1, Insightful

      Nothing is perfect. Open or closed source. What you should focus on is the manner and speed of a company's efforts to rectify any issues.

    3. Re:Open source? by Anonymous Coward · · Score: 0, Insightful

      They don't. They only confirm that you need vigilance and a willingness to fix things as quickly as possible. Open source just lowers the bar for others to both contribute to this, and to potentially take advantage of bugs. But these things only matter when a product is widespread enough to be worth exploiting.

    4. Re:Open source? by MagickalMyst · · Score: 1

      "I thought the consensus here was that open source software was secure?"

      Fundamentally it is more secure, but it depends on how secure the user makes it.

      You can buy the best locks for your house and bullet proof windows, but if you don't lock the door, leave the windows open and leave the spare key in plain view on the patio it really doesn't matter how secure the components are. If they are not installed or configured properly then security will be lax or non-existent.

      --
      Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
    5. Re:Open source? by mlts · · Score: 1

      Because everything, across the board, is being slammed hard, be it BIOS/EFI firmware, holes like F0 0F in the CPU, open source items, closed source items, IoT devices, you name it... the amount of attacks have risen in number and sophistication by an extreme.

    6. Re:Open source? by jimtheowl · · Score: 1

      Not anymore.
      Those people have moved on to soylentnews.org

    7. Re:Open source? by tnk1 · · Score: 2, Insightful

      Well, open source code is no more secure than closed source. That isn't a function of the source being open or closed. You can have poorly written open source software and excellent closed source stuff.

      The value of open source is the assumption that more eyes on an issue allows inevitable bugs to be found, and for potential users to inspect what they are running. Closed source would have to rely on the number of people authorized to view the code, and the customer will not be able to view the code, just the resulting functionality to evaluate its security.

      In reality, however, there is no guarantee that just because there is open source, that anyone will actually *look* at that code and even less assurance that someone who is qualified to read the code will have done so. So, a distinction needs to be made between open source software with a large and active community, and open sourced software that does not have an active community. You still get a *potential* advantage from having the source to look at, but it is only a potential advantage without the community. A closed source application could overcome those potential advantages by ensuring that they have excellent customer support, and are able to insure or indemnify customers against bad results.

      In any event, that is why you should never say open sourced software is simply "more secure". It isn't. And some of it is complete shit. What it does provide is the ability for a user/customer to be able to discover any issues for themselves, but *someone* has to go that extra step.

    8. Re:Open source? by Anonymous Coward · · Score: 0

      >Almost nobody but the project's member look at the code and they are no better that those that code for a paycheck

      What an idiotic comment. Security researchers and blackhats do nothing but look at the source code.

    9. Re:Open source? by JustAnotherOldGuy · · Score: 0

      I thought the consensus here was that open source software was secure? Why do the events of the past year make it appear as if they're as bad or worse?

      Bullshit, that's not what the consensus is. The consensus is that because open source software's code is viewable by anyone, it's more likely that flaws/bugs will be found.

      Only an imbecile (like you) would make the false claim that open source software is inherently "secure". Stop spreading your FUD, you buttwipe.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    10. Re:Open source? by jedidiah · · Score: 0

      Free Software does tend to be based on more secure designs.

      On the other hand, pretty much everything is better than the market leader monopoly-ware product. This is pretty much the way it's always been.

      So it's easy to see a skew in favor of open source. That's just because the leading proprietary product has always been such crap. If something like VMS or QNX were in the mix being good examples of proprietary software, the differences would not be so obvious.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    11. Re:Open source? by rsmith-mac · · Score: 2, Interesting

      Nothing is perfect.

      Agreed. And this goes especially for browsers, since they're hitting a moving target.

      That said, this exploit highlights the fact that Mozilla still hasn't gotten their act together on layered security. Firefox remains the only browser not to run in low integrity mode (i.e. protected mode) on Windows, so while certain plugins like Flash are sandboxed, the greater browser is not. This goes hand in hand with the fact that Firefox currently does not have the ability to run each tab/window in its own process, making it harder to sandbox malicious content, and is why a bad tab can still take down the whole browser. Heck, the UI and the content still run in the same process, making it all the easier for bad content to reach out and touch the rest of the browser and the system.

      This vulnerability is an unfortunate reminder that Firefox is badly behind the curve on browser security. For the most part Mozilla is putting out fires by patching exploits, but the work on fixing the underlying issues has been much slower. The fact that in 2015 they still can't match the process isolation abilities of 2009's IE8 is a little embarrassing, and very frustrating.

      Mozilla means well, and while no one is perfect they are sadly about the farthest browser vendor from it at the moment.

    12. Re:Open source? by hyperar · · Score: 1

      Yes, that's why there are no few years old bugs, right? Sadly, the reality is other, whether you like it or not.

    13. Re:Open source? by Anonymous Coward · · Score: 0

      Are you alright, mate? Do you need a hug?

    14. Re:Open source? by Anonymous Coward · · Score: 0

      Proposition: It's heaps easier to enforce process isolation when you've only the one OS to write for, and it's your own. Discuss.

    15. Re:Open source? by Anonymous Coward · · Score: 0

      To be frank, Mozilla has had their hands full trying to bring a 1999 codebase into modernity for the last 4 years, and that includes process isolation and such. Others beat them to the game, but look at who we're talking about: the three biggest tech firms on Earth. And two of those only write their browser for their own two platforms. And they're even further behind Mozilla in other ways. And they also have a ton of horrid security implications. And Google had the benefit of standing on all of their shoulders to make their browser. And Mozilla is still hanging in there, not even being the worst of the bunch in terms of security. We'll have to wait and see whether their per-process model solves as little as it has solved in other browsers, which is likely the case.

    16. Re:Open source? by JustAnotherOldGuy · · Score: 1

      Free Software does tend to be based on more secure designs.

      Yes, I'd say that's generally the case. I was responding more to his flat, blanket claim that "open source software was secure", which implies that open source software has no vulnerabilities, period. His comment was just a bit too trollish in my opinion.

      On the other hand, pretty much everything is better than the market leader monopoly-ware product. This is pretty much the way it's always been.

      Some is, some isn't. Some OS applications are so much better than the commercial offerings that I often wonder how the commercial companies manage to stay in business. At the same time, there are a fair number of large OS projects that can only be described as blobs of poorly-written crap that simply don't work.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    17. Re:Open source? by rsmith-mac · · Score: 1

      Counter-point: Google Chrome managed multiple processes and isolation on multiple platforms, including Windows XP, something not even Microsoft did.

  2. External PDF viewer? by maugle · · Score: 3, Interesting

    Since this exploit uses an interaction between javascript and Firefox's built-in PDF viewer, it sounds like this doesn't affect people running NoScript. But what about people who don't use the built-in PDF viewer? e.g., if clicking on a PDF file opens the usual "download/open file" dialog, will the exploit still work?

    1. Re:External PDF viewer? by U2xhc2hkb3QgU3Vja3M · · Score: 5, Insightful

      Why does a Web browser have a built-in PDF viewer in the first place?

      A PDF file is an external document not meant to be viewed inside a browser. Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

    2. Re:External PDF viewer? by Anonymous Coward · · Score: 1

      Because Chrome has one.

    3. Re:External PDF viewer? by Anonymous Coward · · Score: 1

      Why does Chrome have one? It's a web browser. The same questions apply.

    4. Re:External PDF viewer? by 0123456 · · Score: 4, Funny

      Why does Chrome have one? It's a web browser. The same questions apply.

      Hipsters.

    5. Re:External PDF viewer? by mlts · · Score: 1, Informative

      It is a tough choice. Build in your own PDF viewer, or use an existing one that pops up security holes now and then. In general, the built in ones have far fewer features, so there are fewer security holes.

      Chrome is better at this because it does more compartmentalization than Firefox. Firefox runs plugins in a separate process, but that is about the extent of the isolation they get, while Chrome runs everything in separate tasks, and you can even kill them in the browser.

      The only real long term solution is to have the OS cooperate with the browser, and completely isolate each individual browser tab (not just a lower security context, but filesystem and other space), so a rogue process is well isolated. That, and focus on not requiring third-party programs for Web content.

    6. Re:External PDF viewer? by Anonymous Coward · · Score: 0

      Because the typical external PDF viewer is Adobe software, which means it's a bug infested piece of shit and one of the most frequently used attack vectors. A PDF viewer written in Javascript can at least be expected not to have entire classes of bugs (buffer overflows, use after free, etc.). So now there is a bug in the interaction between the browser and the internal PDF viewer. If you had been using that POS Adobe PDF viewer, you'd have updated many times by now, and accidentally installed some preselected browser toolbars in the process.

    7. Re:External PDF viewer? by steelfood · · Score: 1

      From hacker's news, it seems this exploit is in PDF.js. If you're not running PDF.js, there's no security hole.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    8. Re:External PDF viewer? by Lunix+Nutcase · · Score: 1

      Who do you trust more to create software with less security holes: Google or Adobe?

    9. Re:External PDF viewer? by Lunix+Nutcase · · Score: 1

      Sorry, was responding to wrong person but you can just switch Google with Mozilla. Mozilla has their share of software issues, for sure, but nothing even remotely bad as Adobe's track record.

    10. Re:External PDF viewer? by Lunix+Nutcase · · Score: 0

      Because people want to view PDFs in their browser and Google's reader is far more secure than anything from Adobe.

    11. Re:External PDF viewer? by parkinglot777 · · Score: 1

      Why does Chrome have one? It's a web browser. The same questions apply.

      Then go back and ask Firefox?

    12. Re:External PDF viewer? by Anonymous Coward · · Score: 0

      Serious question. If someone is stuck using older versions of Firefox for whatever reason, would deleting the pdf.js file help prevent this exploit/bug?

    13. Re:External PDF viewer? by Anonymous Coward · · Score: 0

      But wasn't the whole appeal of PDF.js that it is by default as secure as the JS sandbox (besides being reasonably fast enough to make that approach usable) ??

      "If it runs in JS, you can only exploit it when you can do an exploit in JS in the first place. As that would be a security bug anyway, PDF.js doesn't increase the attack surface. Unlike a pdf reader plugin, which definitely would."

      So what's different in PDF.js now compared to the JS any random site or ad network can serve you?

    14. Re:External PDF viewer? by Anonymous Coward · · Score: 0

      If you're not smart enough to not be a racist, how can you expect them to be smart enough to divide a complex system up into parts? It sounds like you're the one in the wrong here.

      The people complaining now have such a short memory. It wasn't that long ago that Netscape Communicator also included an email client and Usenet news reader. The former gay bashing leader was with them then, so you just know he influenced the decision to toss everything into one program. Those racists just can't think straight.

    15. Re:External PDF viewer? by phantomfive · · Score: 3, Interesting

      Because it's convenient. Because users like that feature. Those are the reasons.

      is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

      If enough web links go directly to that type of file, then they might. For the same reasons.

      --
      "First they came for the slanderers and i said nothing."
    16. Re:External PDF viewer? by Lennie · · Score: 3, Interesting

      Because users were not updating their external PDF viewers, so they included a viewer which does get frequent updates because the browser gets frequent updates. Thus making it a more secure solution.

      If you are using Adobe Acrobat it includes Javascript and Flash support and lots of other stuff you can't even imagine. Supposedly the code base of Adobe Acrobat is bigger than browsers like Firefox.

      --
      New things are always on the horizon
    17. Re:External PDF viewer? by ArchieBunker · · Score: 1

      And Chrome's version works a million times better/faster.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    18. Re:External PDF viewer? by simplypeachy · · Score: 2

      Or set your browser to download (or at least prompt) the PDF instead of automatically executing the PDF with any software. That way, a PDF you choose to look at can still work fine, but a drive-by exploit attempt will have another speedbump to get past.

    19. Re: External PDF viewer? by Anonymous Coward · · Score: 0

      I chose to never install any software from Adobe on my computers. Thus Adobe's track record is irrelevant to me.

      But I could not make that same choice when it comes to PDF.js. I installed Firefox, and it forced this buggy PDF viewing software on me. I have to go out of my way to disable it.

      It doesn't matter how bad Adobe's software might be. That does not excuse Mozilla in this case.

    20. Re:External PDF viewer? by freeze128 · · Score: 4, Interesting

      Firefox, Chrome, and even the new Microsoft Edge have built-in PDF viewers. Perhaps it's because EVERYONE thinks that they can build a better PDF reader than Adobe.

    21. Re:External PDF viewer? by westlake · · Score: 1

      That, and focus on not requiring third-party programs for Web content.

      But will web content ever remain static long enough for browser standards to keep pace? Mozilla tied itself up in knots over H.264 long after it had eclipsed all other contenders for HD video support.

    22. Re:External PDF viewer? by Spamalope · · Score: 4, Funny

      You'd have to work very hard to build one with a greater variety and number of security problems.

    23. Re: External PDF viewer? by tepples · · Score: 1

      Which PDF reader publisher do you trust more than Mozilla and Adobe?

    24. Re:External PDF viewer? by tepples · · Score: 3, Informative

      Why does a Web browser have a built-in PDF viewer in the first place?

      Because just as text/html is a commonly used media type on the web, so is application/pdf. Having a PDF viewer written in JavaScript contributes to the Downloads folder not being quite as littered. And because not only is JavaScript inherently less subject to accidental "undefined behavior" than the C++ in which I assume Adobe implemented its Reader, but also has Mozilla shown itself to be more responsive than Adobe to security issues. That's also why Mozilla has been working on Shumway, its SWF player.

      Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

      Anyone who wants to write a JavaScript viewer for those formats is free to do so.

    25. Re:External PDF viewer? by ShaunC · · Score: 5, Informative

      You can go to about:config and set the value for pdfjs.disabled to true, or create that setting (boolean type) if it doesn't exist. That'll cause Firefox to pop up a download dialog when you click a PDF link, and you can use something like Sumatra to open the file.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
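
An audit sketch for the workaround ShaunC describes, combined with the fixed versions named in the story summary. This is an added example, not part of any comment in the thread and not Mozilla's code; the function names and sample preference files are constructed for illustration, and treating every version older than the fixed release as needing the update is an assumption, since the page states only the fixed versions.

```python
import re

# Fixed releases named in the story summary (Firefox 39.0.3, Firefox ESR 38.1.1).
FIXED_RELEASE = (39, 0, 3)
FIXED_ESR = (38, 1, 1)

# One preference per line, as written in a profile's prefs.js / user.js:
#   user_pref("pdfjs.disabled", true);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;\s*$'
)


def parse_prefs(text):
    """Return {name: raw_value} for each user_pref line; the last entry wins."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if match:
            prefs[match.group("name")] = match.group("value")
    return prefs


def pdfjs_disabled(prefs_js, user_js=""):
    """True if the built-in viewer is switched off in this profile.

    user.js is applied over prefs.js at startup, so it takes precedence.
    A missing pdfjs.disabled entry means the viewer is enabled.
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged.get("pdfjs.disabled", "false") == "true"


def parse_version(version):
    """Turn '38.1.1' or '38.1.1esr' into a comparable tuple of integers."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part) for part in match.group(0).split("."))


def needs_update(version, esr):
    """True if the version is older than the fixed release for its channel.

    Assumption of this example: every earlier version is treated as needing
    the update; the page does not list which older versions are affected.
    """
    fixed = FIXED_ESR if esr else FIXED_RELEASE
    return parse_version(version) < fixed


def assess(version, esr, prefs_js, user_js=""):
    """Classify one installation and profile for an inventory report."""
    if not needs_update(version, esr):
        return "patched"
    if pdfjs_disabled(prefs_js, user_js):
        return "unpatched-viewer-disabled"
    return "unpatched-viewer-enabled"


# Constructed sample profile contents (not taken from a real machine).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("pdfjs.disabled", false);
"""
SAMPLE_USER_JS = 'user_pref("pdfjs.disabled", true);\n'

if __name__ == "__main__":
    for version, esr, user_js in [
        ("39.0", False, ""),
        ("39.0", False, SAMPLE_USER_JS),
        ("39.0.3", False, ""),
        ("38.1.1", True, ""),
    ]:
        channel = "esr" if esr else "release"
        print(version, channel, assess(version, esr, SAMPLE_PREFS_JS, user_js))
```
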
    26. Re:External PDF viewer? by Darinbob · · Score: 1

      Hipsters with keys to the family car.

    27. Re:External PDF viewer? by Darinbob · · Score: 2

      Why can't Adobe write a PDF viewer that just does the job simply and without the feature overload that leads to the most bug ridden software since the Microsoft Butterfly 98 Home Edition?

    28. Re:External PDF viewer? by Anonymous Coward · · Score: 0

      A PDF file is an external document not meant to be viewed inside a browser. Or is Firefox also planning to add a Microsoft Word viewer, an Apple Keynote viewer, etc?

      Stop giving them ideas! They'll probably try to port Word to Javascript now.

    29. Re:External PDF viewer? by Anonymous Coward · · Score: 0

      An organic fixie PDF viewer with buddy holly glasses.

    30. Re:External PDF viewer? by Anonymous Coward · · Score: 0

      I wish people read AC posts, because I'd love to have an answer to that question.

    31. Re:External PDF viewer? by Anonymous Coward · · Score: 0

      Firefox can open other documents from the temp directory and before the PDF viewer was added to Firefox, this applied to PDFs as well.

      From a usability standpoint, Firefox's built-in PDF viewer is a horrible step back, mainly because it's extremely slow, but also because feature-wise, it's years behind dedicated PDF viewers, and the display quality and readability is often rather bad.

      And from a security perspective, it's a gigantic blunder because it just adds a whole lot of extra attack surface. So now instead of just having to worry about bugs in Firefox's HTML rendering engine and, say, Evince (or whatever other PDF viewer you use to open saved PDFs) you now also have to worry about bugs in Firefox's PDF rendering code. But it's even worse than that, because the fact that it's part of Firefox means that it can be used for attacks that are much harder to pull off from an external viewer, because now you've got a direct pipe from the PDF viewer to the rest of the browser, and also potentially leading to attacks that target the interaction between the components.

      And it's extra bad that Mozilla does this, first of all because Firefox's complete lack of process isolation and sandboxing in 2015* tells you all you really need to know about their dedication to security, and secondly because the time spent on developing and maintaining this PDF viewer should be spent on the aforementioned process isolation and sandboxing.

      * For comparison: Chrome had this in 2008.

    32. Re:External PDF viewer? by gl4ss · · Score: 1

      my guess: pdf.js runs on different permission set since it's not downloaded over the web.

      --
      world was created 5 seconds before this post as it is.
    33. Re:External PDF viewer? by bedouin · · Score: 1

      The first browser that allowed PDFs to be displayed inline without a plugin was Safari since its beta stages. That's because OS X has had the ability to display PDFs built in to it since its Nextstep days. So, it all stems from a desire to duplicate a feature in Safari that was actually a native feature of OS X . . .

    34. Re:External PDF viewer? by tepples · · Score: 1

      So now instead of just having to worry about bugs in Firefox's HTML rendering engine and, say, Evince (or whatever other PDF viewer you use to open saved PDFs) you now also have to worry about bugs in Firefox's PDF rendering code.

      Because Firefox's PDF rendering code is in JavaScript, a memory-safe language, entire classes of bugs that might affect a standalone PDF reader like Evince or Adobe or Foxit or Sumatra are not possible. For example, JavaScript arrays are always bounds checked, meaning there's no such thing as a buffer overflow.

    35. Re:External PDF viewer? by adhdengineer · · Score: 1

      because for some ungodly reason documents that people put online are sometimes in PDF format and it's nice to be able to open them with just a click on the link rather than the download/open another app method.

  3. People still use Firefox? by Anonymous Coward · · Score: 0, Insightful

    Use Firefox? lolwut? Why would anyone still use that bloated, insecure crap?

    1. Re:People still use Firefox? by U2xhc2hkb3QgU3Vja3M · · Score: 4, Informative

      On Windows, your choices are:

      • Firefox, the bloated browser with memory leaks who forgot the whole point of its creation
      • Chrome, the fast browser with built-in spyware from the Do-no-evil-but-let's-datamine-the-shit-out-of-our-users-anyway company
      • Edge, the browser made by the company with possibly the worst security history on the planet
      • Opera, the company that dropped its own engine and is now just basically a Chrome clone

      edit: Slashdot lets us use HTML in our posts but makes bullets invisible... way to go, guys.

    2. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      Pale Moon stopped making Windows builds?

    3. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      Unless pale moon either stripped out the pdf previewer or has their own, it's going to have the same bug firefox had.

    4. Re:People still use Firefox? by Lunix+Nutcase · · Score: 1

      This list isn't even exhaustive and it's far more than the 4 choices you claim are all that exist.

    5. Re:People still use Firefox? by Lunix+Nutcase · · Score: 3, Insightful

      It's disabled by default.

      Integrated PDF reader. The code for this is still included for emergencies (i.e. when you need to read a PDF but don't have access to a reader) but disabled by default - you are always recommended to use a separate, up-to-date document reader for PDF files (as an external program, not as a browser plugin) for your own security, and to have documents displayed in their fully intended format instead of a stripped-down display in an in-browser reader.

      https://www.palemoon.org/techn...

    6. Re:People still use Firefox? by Anonymous Coward · · Score: 1

      cool, .php3

      I'm really going to trust that list

    7. Re:People still use Firefox? by Lunix+Nutcase · · Score: 1

      Cool story, brah.

    8. Re:People still use Firefox? by savuporo · · Score: 1

      Links, lynx, w3m still work on cygwin.

      --
      http://validator.w3.org/check?uri=http%3A%2F%2Fwww.slashdot.org Errors found while checking this document as HTML5!
    9. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      lol there's a bunch of better browsers than that. In fact, I'm not even going to name the one you SHOULD be using, because clearly you know everything already. I'm not disagreeing with your points, they are 100% valid. But you are shortening a huge list of browsers down to a few popular ones.

      Here's a hint, it starts with an M (not Mozilla)

    10. Re:People still use Firefox? by Luthair · · Score: 3, Informative

      Firefox actually uses less memory than the others

    11. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      u mad bro? u mad?

    12. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      Chrome uses up more memory than Firefox on Windows for me. Has for a long time. Firefox even has extensions installed while Chrome does not

    13. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      About what? Firefox's ever increasing irrelevance and shrinking user base? Nope, I'm ecstatic.

    14. Re:People still use Firefox? by phantomfive · · Score: 1

      Firefox, the bloated browser with memory leaks

      Note: the memory leaks are mostly fixed by now.

      --
      "First they came for the slanderers and i said nothing."
    15. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      No, Mozilla just keeps trying to blame everything else for them. They are still there.

    16. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      Does lynx not work on Windows???

    17. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      Firefox actually uses less memory than the others

      Now this is a straight up lie. One tab open and it is using 250mb. Don't even try to say that is the lowest since it isn't.

    18. Re:People still use Firefox? by imac.usr · · Score: 1

      You left out Safari, built by the same team that brought you iTunes for Windows so you know it's quality!

      --
      I use Macs for work, Linux for education, and Windows for cardplaying.
    19. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      Not a lie at all. Try opening a bunch of tabs, not just one. Try using the browser for a while, not just staring at a freshly-opened one. Unless you're one of the users running into those mysterious "memory leaks" that nobody can replicate once they file an actual bug, you'll find it's at the very least competitive with other browsers, and often by far the leanest in terms of memory usage. Of course, you'll always find sites/services that run better in other browsers -- if you use Google's services, for instance, you're likely to find their browser works best with those services.

    20. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      HTML is a markup language for semantic meaning. Bullet points are not guaranteed, as that falls under styling.

    21. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      Except that Mozilla created the Memshrink Project which very definitely did not blame "everything else".

    22. Re:People still use Firefox? by U2xhc2hkb3QgU3Vja3M · · Score: 1

      Actually Safari and iTunes on OS X work fine, thank you very much.

    23. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      That list is totally ancient, dude. And KGFY.

    24. Re:People still use Firefox? by Anonymous Coward · · Score: 0

      Pale Moon a.k.a. Firefox.

    25. Re:People still use Firefox? by rev0lt · · Score: 2

      Unless you're one of the users running into those mysterious "memory leaks" that nobody can replicate once they file an actual bug

      I stopped using Firefox a couple of years ago because of this. They're not mysterious, they were real. Try opening a reasonable amount of tabs (50-100), and leave the browser open for a day or two, and you'll probably be able to reproduce it.

    26. Re:People still use Firefox? by KGIII · · Score: 1

      Are you sure that 50 to 100 is actually a reasonable number of tabs to open? I have some blisteringly fast computers with absolutely retarded amounts of RAM and I still would find that many tabs unreasonable.

      --
      "So long and thanks for all the fish."
    27. Re:People still use Firefox? by rev0lt · · Score: 1

      I actually have currently probably > 200 tabs open in my 4 or 5 Chrome windows on a 2-year old i7 with 8GB of RAM without any major issues. The fact that I only had problems with Firefox is also a good clue it's not the number of tabs (had also used Opera with the same kind of load without major issues)

    28. Re:People still use Firefox? by KGIII · · Score: 1

      Personally, I can not fathom having that many tabs open. I can think of no case where that would help me. Also, I am an Opera user almost exclusively. I have been since it was pay-ware. I did use and donated (I seem to recall they put my name in a newspaper but I forget which one) Firefox but they have gone downhill. Now, when I install Linux, I use Firefox like I would use IE. I use it just long enough to download another browser. I could just grab one out of the repo but I really prefer my Opera and I have yet to find one with the current Opera builds in them.

      --
      "So long and thanks for all the fish."
  4. Debian Stretch Vulnerable by Anonymous Coward · · Score: 0

    Debian Stretch vulnerable

    security-tracker.debian.org/tracker/CVE-2015-4495

    1. Re:Debian Stretch Vulnerable by Anonymous Coward · · Score: 0

      >>Debian
      >>vulnerable

      That's like telling us that water is wet.

    2. Re:Debian Stretch Vulnerable by bigfinger76 · · Score: 1

      Care to expand on that?

    3. Re:Debian Stretch Vulnerable by Anonymous Coward · · Score: 0

      Nope, don't care to at all. Have a nice day.

    4. Re:Debian Stretch Vulnerable by bigfinger76 · · Score: 1

      I didn't think so.

  5. I told you PDF in browser is a bad idea by Anonymous Coward · · Score: 1

    I told you, I told you, I told you. Seriously, go back to when it was announced on Slashdot and I very specifically said this will be nothing but an additional attack vector.
    As soon as I updated to the version which had it, I immediately set it to never activate, knowing this would happen eventually, and have never used it since.

    1. Re:I told you PDF in browser is a bad idea by Anonymous Coward · · Score: 0

      Liar. I'm the one who said that.

  6. Firefox about shows 31.8.0 as latest by Anonymous Coward · · Score: 0

    Latest version in the ESR channel seems to be 31.8.0? My Firefox installation shows version 31.8.0 in the About window, says that I am on the ESR update channel and that there are no further updates. If the latest release is Firefox ESR 38.1.1, how did I miss all the releases in between?

    1. Re:Firefox about shows 31.8.0 as latest by bigredbob · · Score: 1

      I have the same question - I wonder if the post should have read 31.8.1, and being ESR, the QA is just taking longer

  7. Thank You Mozilla!! by zenlessyank · · Score: 1, Offtopic

    Without Firefox, I don't think I could actually ENJOY the internet anymore. No other browser allows you to tame the net like Firefox and the world of plugins that have been written.

  8. Commendably swift action by Mozilla by Anonymous Coward · · Score: 0

    As mentioned on Hacker News, by the person who discovered this security vulnerability, Mozilla issued a fix in about 16 hours!

    1. Re:Commendably swift action by Mozilla by chasm22 · · Score: 1

      Is this the real person that divulged it? I ask because I can't quite figure out why we have this blog post https://blog.mozilla.org/secur... .
      It backs up the version you report.

      However, if you go to this page https://www.mozilla.org/en-US/... you will find that they are giving credit to an entirely different person. A security researcher named Cody Crews.

      It's interesting because everyone is giving Mozilla a big slap on the back for acting so fast, yet the fact of the matter is, if MFSA 2015-78 is to be believed, we actually don't have the timeline between when it was first reported and when it was patched. In this scenario, all we have is the timeline between the time it was found in the wild and the time it was patched. That would leave me asking this: Did Mozilla put off the patch until they discovered it was in the wild already?

  9. Open source vs. exploits by Alwin+Henseler · · Score: 1

    Open source just lowers the bar for others to both contribute to this, and to potentially take advantage of bugs.

    You don't need source code to take advantage of bugs. Or even discover them. Almost always you do need source code to fix bugs, though.

    So that would be a good argument (one of many!) for why someone would prefer to use open source software. But how much that helps with bug-fixing, depends very much on each project's regular maintainers ("upstream").

  10. Question by Anonymous Coward · · Score: 0

    So if it's disabled by default, does the bug still occur?

    1. Re:Question by Lunix+Nutcase · · Score: 1

      As long as the PDF reader is disabled, no.

  11. What about ESR 31.8? by Anonymous Coward · · Score: 0

    Nice to see Firefox giving a big "fuck you" to people still on ESR 31.8 (which is still a supported release according to the ESR roadmap).

  12. They fixed the wrong bug ! by Anonymous Coward · · Score: 0, Interesting

    They should have fixed the bug that caused the PDF viewer to be in there in the first place. And the bug that caused it to be on by default.

  13. Patch and don't forget this... by chasm22 · · Score: 3, Interesting

    "The exploit leaves no trace it has been run on the local machine. If you use Firefox on Windows or Linux it would be prudent to change any passwords and keys found in the above-mentioned files if you use the associated programs."

    It's taken from the blog about the exploit and doesn't seem to be drawing much attention.

  14. Generic FUD by Schiller555 · · Score: 1

    ...from the propaganda specialists hired by some big corporation.

  15. Yeah Jeffrey Ir Rational by Schiller555 · · Score: 1

    It would be much better folks ran Adobe Reader. NOOOT !

  16. Really ? by Schiller555 · · Score: 1

    Now, what would people then use to view PDFs ? One of these commercialware PDF viewers, bug-ridden and with an infinite supply of zero days ? Or would they use libpoppler, chock-full of nasty C constructs like "void*" instead of proper generic programming ? Besides libpoppler and the commercialware dreck there are very few PDF renderers. Maybe you take the time to research the situation and maybe you will figure Mozilla is actually one of the more secure alternatives when it comes to renderers.
    Having said that, generally cyberspace could be made much, much more secure. JavaScript and C, being often used in a shitty-typed way are both major security risks. PHP is even worse, for similar reasons.

    The age of Algol, Burroughs, ELBRUS, ICL was probably more secure than the craptastic, marketing-driven IT world we have since Unix and C.

    And no, not a mainframe guy, I grew up with C and HP Unix, but my intelligence allowed me to question my upbringing, so to speak.

    Can we have "computer system archeology" in order to learn for a better future ???

  17. Because $ by Anonymous Coward · · Score: 0

    Because Adobe is a for-profit entity, and they gotta make money somehow...

  18. V39.0, no updates available by GNious · · Score: 1

    Just checked, my Firefox says it is version 39.0 - no third number (39.0.3), and the application itself says it is "up to date".
    Would think that they'd include the full version-number in the About box (the place they say to go to check for updates), just so users can be 100% certain they are using the right one :/

    1. Re:V39.0, no updates available by twosat · · Score: 1

      Just did the same, with the same result.

    2. Re:V39.0, no updates available by Anonymous Coward · · Score: 0

      Windows Firefox updated fine to 39.0.3, most of my boxes updated automatically with my intervention.

      Ubuntu repos had 39.0.3 quickly.

      The about box shows the full version number, you can also check at about: for the version number, under the Firefox logo.

    3. Re:V39.0, no updates available by twosat · · Score: 1

      Further to my post, a message balloon popped up about an hour ago saying that the update was available. I tried the same thing with the same result as before. Then, I thought that maybe it was something to do with me running as a Limited User, so I right-clicked the Firefox icon and chose the "Run as administrator" option. I logged in, Firefox promptly started up and I successfully updated from there.

  19. You're not up-to-date; the "application" lied by SpammersAreScum · · Score: 1

    There does appear to be a problem with the manual update setup. I ended up proceeding as if I were doing a fresh install: go to https://www.mozilla.org/en-US/... to download the installer and run it. When you do, and restart Firefox, About will in fact say 39.0.3.