This account is wrong. Mozilla has not shipped Firefox 4 beta yet. We are in the process of making and testing the final set of changes, but we're not quite there yet.
- Asa Dotzler
Mozilla
If you let someone run code on your machine, that code can do anything to any installed application. If the application tries to protect itself, then bad guys will simply replace the application with their own code that doesn't try to protect itself. There is nothing anyone can do to protect you if you let a bad actor run code on your machine. This was the case of a presumably reputable software vendor performing disreputably. That's not something to optimize for.
So the fact that firefox allows addons to be installed without user intervention isn't Mozilla's problem?
It noticed the plugin was installed (addOn window was launched informing the user of a new addon)...
Should it not instead of simply accepting whatever is installed as legit, perhaps try to verify it first?
Yes, that's fine for "good actors" but a bad actor that is installing software on your machine could simply replace Firefox with a version that doesn't verify or worse. Once you've let a bad actor onto your system, you're screwed. And, to date it's been assumed (wrongly) that good actors wouldn't screw over users like that. The upcoming version of Firefox will do more to protect users against reputable vendors like Microsoft.
That was my reaction as well. How can ANY firefox plugin be given the authority to not allow itself to be turned off? Sure, it's Microsoft being an asshole, but that also seems like broken behavior on Firefox's part.
Easy, install the plug-in or add-on to a system directory the current user doesn't have permission to change. This wasn't installed through Firefox's add-ons manager. This was installed by a third party executable that dumped the file into a location that the current user couldn't modify.
So firefox allows a rogue addon to install without any user intervention and the story is all about how evil MSFT is?
Sure, they did it. Bad Microsoft.
But isn't the bigger issue that now that this is known....*anyone* can pull this on firefox users?
No. I am not apologizing for Microsoft. This was "Sony Stupid" of them. We're used to that here, though. What we're not used to (and apparently sweeping under the rug) is the massive, unholy hell of a mess mozilla's extension system for firefox is....
Anyone that can run executable code on your system can do anything to your system. The "good guys" aren't supposed to do things to your system without asking you first. The "bad guys" can simply replace Firefox entirely with a version that has whatever features they want. If you let someone run code on your system, you lose. Firefox cannot stop that code from doing whatever it wants. The point is that you're supposed to only install software from vendors you trust. You should be able to trust Microsoft, and that your trust was abused, and abused in a way that caused you to be vulnerable to remote exploits, is the story here.
There are lots of programs that install plugins automagically...Skype, antiviruses, and Picasa are a few that I can think of off the top of my head. The only bad part of this whole thing is that MS screwed up the remove/uninstall feature by making it show up for all users.
No. Wrong. Installing plug-ins or extensions without asking is bad. Period. Full stop. End of story.
If you allow someone (in this case Microsoft through Windows Update) to install software on your machine, you're hosed if they want to hose you. A bad actor could simply replace Firefox with an "updated" version that had their desired functionality. Once you let someone run code on your machine you're hosed in the case of bad actors. In the case of good actors, they shouldn't be adding unrelated software or modifying other software on your system without your permission.
Microsoft actually chairs some of the standards committees and has been involved with them for much longer than Google.
In economics, a monopoly exists when a specific individual or an enterprise has sufficient control over a particular product or service to determine significantly the terms on which other individuals shall have access to it.
Competition law doesn't require a specific share to have been met before it may be invoked. It's about the impact, not the actual market share.
Except I don't get a huge popup warning every time I go to Google.com or a splash page saying something like:
"WARNING: YOUR GOOGLE EXPERIENCE IS SUB-OPTIMAL AND YOU ARE AT RISK OF INTERNET VIRUSES AND PERMANENT COMPUTER DAMAGE. PLEASE INSTALL THIS WINDOWS SECURITY UPDATE: CHROME.EXE TODAY!"
No, but if you visit in IE, you do get a big Chrome banner ad on the Google home page.
See what Mozilla has to say:
http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/
In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability.
On Windows, Firefox 3.0.x is terminated due to an uncaught exception during an attempt to allocate a very large string buffer; this termination is safe and immediate, and does not permit the execution of attacker code. In Firefox 3.5.x on Windows, the allocations are more robustly checked and no crash will result.
On the Macintosh in Firefox 3.0.x and 3.5.x, a crash occurs inside the ATSUI system library (part of OS X), due to what appears to be a failure to check allocation results. This issue is likely to affect any application using the recommended text-handling libraries on OS X. We have reported this issue to Apple, but in the event that they do not provide a fix we will look to implement mitigations in Mozilla code. We recommend that other developers who use these libraries consider a similar practice, and we have added mitigations in the past for similar bugs in these libraries.
As a result of our analysis, we do not believe that this represents an exploitable vulnerability in Firefox. Further, we believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly.
No one. This is not a buffer overflow. http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/
This is a browser out of memory crash. There is no evidence that this is exploitable while all evidence points to it not being exploitable. Pretty much all browsers crash from this but that doesn't mean that it's a security issue.
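The distinction the Mozilla post draws, between a crash caused by an unchecked huge allocation and a memory-corruption bug an attacker can steer, is easier to see side by side in code. The block below is an added example written for this page; it is not Mozilla's code and not the milw0rm test case. It models the "very long Unicode string" as an attacker-chosen count of 2-byte code units, shows the unchecked form next to a checked form, and the function names (`units_to_bytes`, `build_unchecked`, `build_checked`, `try_build`) and the 64M-unit cap are assumptions of the example, not Firefox limits.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not Mozilla code. The "very long Unicode string" from the
 * report is modelled as n attacker-chosen 2-byte code units. The cap below
 * is a policy chosen for this example, not a Firefox limit. */
#define MAX_UNITS ((size_t)1 << 26)   /* 64M units = 128 MiB */

/* Converts a unit count to a byte count. Returns 0 when n is 0 or when
 * n * 2 would wrap around size_t; 0 is never a valid byte count otherwise. */
size_t units_to_bytes(size_t n)
{
    if (n > SIZE_MAX / sizeof(uint16_t))
        return 0;                       /* multiplication would wrap */
    return n * sizeof(uint16_t);
}

/* Unchecked form ("failure to check allocation results"). For an absurd n,
 * malloc returns NULL and the first store writes through a null pointer:
 * an immediate crash whose address and data the attacker does not control,
 * i.e. denial of service rather than code execution. If the size computation
 * wrapped instead, the buffer would be too small and the loop would write
 * past it; that is the case that turns a crash into a real vulnerability. */
uint16_t *build_unchecked(size_t n, uint16_t fill)
{
    uint16_t *buf = malloc(n * sizeof *buf);    /* no wrap check, no NULL check */
    for (size_t i = 0; i < n; i++)
        buf[i] = fill;
    return buf;
}

/* Checked form: bounds the request, rejects size wrap, and treats allocation
 * failure as an ordinary error the caller can handle. Returns NULL on refusal. */
uint16_t *build_checked(size_t n, uint16_t fill)
{
    if (n > MAX_UNITS)
        return NULL;                    /* policy limit on attacker-chosen length */
    size_t bytes = units_to_bytes(n);
    if (bytes == 0)
        return NULL;                    /* empty request or size_t overflow */
    uint16_t *buf = malloc(bytes);
    if (buf == NULL)
        return NULL;                    /* out of memory is an error, not a crash */
    for (size_t i = 0; i < n; i++)
        buf[i] = fill;
    return buf;
}

/* Returns 1 if a string of n units was built and verified, 0 if refused. */
int try_build(size_t n)
{
    uint16_t *s = build_checked(n, 0x0041);
    if (s == NULL)
        return 0;
    int ok = (s[0] == 0x0041 && s[n - 1] == 0x0041);
    free(s);
    return ok;
}

int main(void)
{
    printf("1000 units:       %s\n", try_build(1000) ? "built" : "refused");
    printf("SIZE_MAX/2 units: %s\n", try_build(SIZE_MAX / 2) ? "built" : "refused");
    /* build_unchecked(SIZE_MAX / 2, 0x0041) would crash here on a null-pointer
     * write; call it deliberately only to observe the difference. */
    return 0;
}
```

The point the example makes is the one the post makes: an allocation that fails and is caught (or refused up front) ends in an error path or a clean termination, while the dangerous case is a size computation that wraps so that a smaller buffer is allocated and then overrun. Checking both the arithmetic and the allocation result is what separates the two.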
Your post says "but also fixes the annoying slow-startup on Windows." which suggests that all Windows users were experiencing slow starts. That's not the case at all. It was only a small fraction of users affected by the now fixed issue. And for the record, the security flaw was already fixed, even before it was lifted from our bug database and turned into a public exploit. It just takes a few days to get everything in order for a release to users.
Actually, summertime is the worst time for Firefox usage. Firefox is a much larger percentage of European usage than U.S. usage and so when Europe goes on summer vacation for a few months, Firefox's global share falls measurably.
2001 called and said you can't use that tired old argument anymore. The default install of Firefox since 2.x (I believe) does not spoof IE in the user agent string. Firefox being the largest market share aside from any version of IE, the weight given to any other browser would be a statistical blip at best. In fact, if I remember correctly Konqueror in KDE3 and 4 actually spoofs Gecko by default. And Opera stopped spoofing MSIE after 6.x, IIRC.
No version of Firefox ever spoofed as IE. Safari has a "like Gecko" in their user agent string, and Opera spoofs only for specific sites.
Chrome has been available for about 9 months and it's managed to carve out about 2% of Web browser usage. It got about 1/3rd of that in only days after release. It's not "taking many users away" from IE unless by many you mean about half as many as Firefox has in the same time period.
All mobile browsing combined probably doesn't break 1% of Web usage. The chances that any large-scale swing has anything to do with mobile browsing are very, very, very slim.
iPhone/iPod browsing makes up about half of one percent of Web usage. Desktop Safari makes up about 10% of Web usage. Firefox makes up about 25% of Web usage. I don't think the iPhone is having quite the impact you think the iPhone is having.
If you look at the longterm trends reported by Net Applications, something that StatCounter doesn't offer, it's hard to conclude that anything dramatic has just happened.
http://weblogs.mozillazine.org/asa/archives/2009/06/historical_view.html
These longer trends are steady and smooth and there's nothing that's happened in the last couple of months that would cause IE to fall off the cliff.
That being said, there is a lot of churn in the various browser versions. IE is really a collection of browsers with measurable share, IE 6, IE 7, and IE 8. Looking at these versions, it's clear that a lot is happening.
http://weblogs.mozillazine.org/asa/archives/2009/07/a_browser_prediction.html
It's likely that IE 7 and IE 6 will fall to under 10% global share by the end of this year and that IE 8 will grow to approximately 40%. That would give IE 60% overall, Firefox about 25%, Safari about 10%, and "other" would hold the remaining 5%.
"The fact that it's open source or royalty free doesn't mean there are no patent trolls ready to file a lawsuit once Apple or Microsoft use it. " The same could be said for h.264 or any other technology they license. Patent trolls are patent holders that we don't know about, even if we think we're licensing a technology from a currently known set of patent holders.
The Javascript speed is not much of a factor. The one truly annoying thing with Firefox is the gawdawful Adobe Flash plug-in that hangs up at random, causing the whole browser to come to a screeching halt.
So why not get Flashblock or remove the Flash plugin?
Why can't they just use Intel's compiler?
Who is "they"?
Builds created by Mozilla get used, but by very few people compared to builds made by Ubuntu and other Linux distros. Perhaps you should contact them and ask them why they're not using the Intel compiler.
And I believe it's the case today. Firefox on Windows can be compiled with PGO but the tools are busted on Linux so it can't be compiled with PGO there. That probably accounts for most of the performance difference. Fix the tools.