Slashdot

An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.

CWmike writes "Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking add-ons into the program, the company said. Dubbed 'component directory lockdown,' the feature will bar access to Firefox's 'components' directory, where most of the browser's own code is stored. Mozilla has billed the move as a way to boost the stability of its browser. 'We're doing this for stability and user control [reasons],' said Johnathan Nightingale, manager of the Firefox front-end development team. 'Dropping raw components in this way was never an officially supported way of doing things, which means it lacks things like a way to specify compatibility. When a new version of Firefox comes out that these components aren't compatible with, the result can be a real pain for our shared users ... Now that those components will be packaged like regular add-ons, they will specify the versions they are compatible with, and Firefox can disable any that it knows are likely to cause problems.'"

CNETNate writes "Do Opera Mobile, Skyfire, or Mozilla's Fennec have the power to take down the BlackBerry browser, IE on Windows Mobile, or Safari on the iPhone? This lengthy test aimed to find out. Speed, Acid3 compliance, JavaScript rendering capabilities, and general subjective usability were all tested and reviewed. So were Opera Mini and the default Symbian browser, but these two were unable to complete some of the tests and benchmarks."

An anonymous reader writes "Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008. Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser." It seems a bit surprising to me that this study shows that only 15% of vulnerabilities are in IE.

halfEvilTech writes "Five years ago today, Mozilla released Firefox 1.0. Ars celebrates the occasion by taking a trip back in time to revisit our classic coverage of the original release." For fun, we dug up the oldest Slashdot Firefox story, which was a Firebird story proclaiming yet another name change from Feb '04. At least this name change stuck.

Trinity writes "Researchers from VUPEN have discovered critical vulnerabilities in Adobe Shockwave, a technology installed on over 450 million Internet-enabled desktops. The vulnerabilities could allow remote code execution by tricking a user into visiting a web page using Internet Explorer or even Mozilla Firefox. Version 11.5.1.601 as well as earlier ones are affected. The vendor recommends upgrading to version 11.5.1.602." Especially sobering when you consider Adobe's current push to be essentially required as an intermediary player for anyone who wants to see certain government data.

Jared sends word of Ars Technica coverage of Net Applications' monthly browser share numbers. What's significant this time is that Firefox has finally passed IE6 in worldwide share. "Internet Explorer remains ahead of the rest of the competition, but since month after month it continues to lose ground to all other browsers, Firefox has now finally surpassed IE6, which is easily the most hated version of Microsoft's browser. ... In October, all browsers except for IE and Opera showed positive growth. Between October and September, Internet Explorer dropped a significant 1.07 percentage points (from 65.71 percent to 64.64 percent) and Firefox moved up a sizeable 0.32 percentage points (from 23.75 percent to 24.07 percent). ... Although IE's decline seems to be unceasing, the real shame is that the old versions have more share than the newer ones (we can only hope that as Windows 7 gains popularity, this trend will reverse)." Ars presents a graph with their own site's browser share picture, and as you might expect it's very different from the general population's.

A new format specification has reached consensus among web and type designers and is being backed by Mozilla. Dubbed Web Open Font Format (WOFF), it is an effort to bring advanced typography to the Web in a much better way. Support for the new spec will be included as a part of Firefox 3.6 which just recently hit beta. "WOFF combines the work Leming and Blokland had done on embedding a variety of useful font metadata with the font resource compression that Kew had developed. The end result is a format that includes optimized compression that reduces the download time needed to load font resources while incorporating information about the font's origin and licensing. The format doesn't include any encryption or DRM, so it should be universally accepted by browser vendors — this should also qualify it for adoption by the W3C."

binarybum writes "Often forgotten, but the independent open source spirit lives strong in the once Mozilla project — now SeaMonkey. Version 2.0 is finally out and rivals Firefox with similar features but integrated email with a small footprint." The Register has a short piece on the 2.0 release, which mentions that SeaMonkey is now based on Firefox 3.5.4. Stephen Shankland lists some of the features in a handy bullet-point style, too. I'm using the new release right now; it's crashed once — but only once — in several hours of use.

mhammond writes "Mozilla Messaging has just unveiled a Mozilla Labs project, Raindrop, an experiment with Open Messaging on the Open Web. Raindrop uses couchdb as a storage engine and to serve the HTML/CSS/Javascript application itself, while the back-end is primarily written in Python. Although it is early days yet, the concept that you own your data may be what sets this apart from Google Wave."

bonch writes "Mozilla previously blocked the Firefox addons Microsoft included with .NET, citing security concerns. After talking with Microsoft, they have now unblocked the .NET Framework Assistant addon and are working on a way for enterprise users to unblock the Windows Presentation Foundation addon as well."

ZosX writes "Around 11:45 PM Friday night, I was prompted by Firefox that it had disabled the addons that Microsoft has been including with .NET — specifically, the .NET Framework Assistant and the Windows Presentation Foundation. The popup announcing this said that the 'following addons have been known to cause stability or security issues with Firefox.' Thanks, Mozilla team, for hitting the kill switch and hopefully this will get Microsoft to release a patch sooner." Here's the Mozilla security blog entry announcing the block, which Mozilla implemented via its blocklisting mechanism.

An anonymous reader writes "A lengthy interview on Groklaw discusses the EU's case against Microsoft. The case is supported by Opera, Google, Mozilla, ECIS, and the Free Software Foundation Europe. The EU has demanded that users be offered a 'ballot screen' to make it easier for users to select other browsers. Microsoft has responded by implementing the ballot screen as a web page inside IE. While this may nominally satisfy EU's demand, it is unlikely to satisfy users who prefer other browsers. In order to select another browser, users must be running IE. Also, users will be shown security warnings when choosing from the ballot. Microsoft's ability to charge patent fees in Europe is also discussed: why are they allowed to charge patent fees where software patents are not recognized?"

CWmike writes "Mozilla executives today took shots at Google for pitching its Chrome Frame plug-in as a solution to Internet Explorer's poor performance, with one arguing that Google's move will result in 'browser soup.' The Mozilla reaction puts the company that builds Firefox on the same side of the debate as rival Microsoft, which has also blasted Google over the plug-in. Mitchell Baker, the former CEO of Mozilla and currently the chairman of the Mozilla Foundation, said in a blog post, 'The overall effects of Chrome Frame are undesirable. I predict positive results will not be enduring and — and to the extent it is adopted — Chrome Frame will end in growing fragmentation and loss of control for most of us, including Web developers.' Baker says Chrome Frame's browser-in-a-browser will confuse users and render some of their familiar tools useless. 'Once your browser has fragmented into multiple rendering engines, it's very hard to manage information across Web sites. Some information will be manageable from the browser you use and some information from Chrome Frame. This defeats one of the most important ways in which a browser can help people manage their [Web] experience.'"

SD-Arcadia writes to tell us that Theora 1.1 has officially been released. It features improved encoding, providing better video quality for a given file size, a faster decoder, bitrate controls to help with streaming, and two-pass encoding. "The new rate control module hits its target much more accurately and obeys strict buffer constraints, including dropping frames if necessary. The latter is needed to enable live streaming without disconnecting users or pausing to buffer during sudden motion. Obeying these constraints can yield substantially worse quality than the 1.0 encoder, whose rate control did not obey any such constraints, and often landed only in the vague neighborhood of the desired rate target. The new --soft-target option can relax a few of these constraints, but the new two-pass rate control mode gives quality approaching full 'constant quality' mode with a predictable output size. This should be the preferred encoding method when not doing live streaming. Two-pass may also be used with finite buffer constraints, for non-live streaming." A detailed writeup on the new release has been posted at Mozilla.

Barence writes "Mozilla has announced that its plans to bring Office 2007's Ribbon interface to Firefox, as it looks to tidy up its 'dated' browser. 'Starting with Vista, and continuing with Windows 7, the menu bar is going away,' notes Mozilla in its plans for revamping the Firefox user interface. '[It will] be replaced with things like the Windows Explorer contextual strip, or the Office Ribbon, [which is] now in Paint and WordPad, too.' The change will also bring Windows' Aero Glass effects to the browser." Update: 09/24 05:01 GMT by T : It's not quite so simple, says Alexander Limi, who works on the Firefox user experience. "We are not putting the Ribbon UI on Firefox. The article PCpro quotes talks about Windows applications in general, not Firefox." So while the currently proposed direction for Firefox 3.7 involves some substantial visual updates for Windows users (including a menu bar hidden by default, and integration of Aero-styled visual elements), it's not actually a ribbon interface. Limi notes, too, that Linux and Mac versions are unaffected by the change.

darthcamaro writes "While the internet may know no borders, the US government does. There are a number of rules that affect software vendors, including encryption export regulations from the US Department of Commerce and export sanctions by the Department of Treasury. But what do you do when your application is open source and freely available to anyone in the world? Do the same the rules apply? It's a question that Mozilla asked the US government about. The answer they received could have profound implications not just for Firefox but for all open source software vendors. 'We really couldn't accept the notion that these government rules could jeopardize the participatory nature of an open source project, so we sought to challenge it,' Harvey Anderson, VP and General Counsel of Mozilla, told InternetNews.com. 'We argued that First Amendment free speech rights would prevail in this scenario. The government took our filing and then we got back a no-violation letter, which is fantastic.'"

WARM3CH writes "AnandTech tested a laptop with an AMD CPU, a laptop with an Intel CPU, and a netbook to compare battery life while running Internet Explorer 8, Opera 10, Firefox 3.5, Safari 4, and Chrome. They tested on simple web pages and flash-infested ones. IE8 had the best battery life on both laptops (followed by FF + AdBlock), and Safari had the worst battery life. On the netbook, Chrome was slightly ahead of IE8. The report concludes: 'Overall, Internet Explorer and Firefox + AdBlock consistently place near the top, with Chrome following closely behind. Opera 10 Beta 3 didn't do as well as Opera 9.6.4, and in a couple quick tests, it doesn't appear that the final release of Opera 10 changes the situation at all. Opera in general — version 9 or 10 — looks like it doesn't do as well as the other major browsers. Safari is at the back, by a large margin, on all three test notebooks. We suspect that Safari 4 does better under OS X, however, so the poor Windows result probably won't matter to most Safari users.'"

ruphus13 was among the readers sending word of Motorola's Android handsets yesterday, along with a "socially aware" application layer called MotoBlur. The Motorola Cliq is expected in a few weeks. T-Mobile is Motorola's carrier partner in the US. A second Android phone will be marketed in other countries under the name Dext. Reuters called the market's reaction to Motorola's announcement "muted." "Dr. Sanjay K. Jha, Co-CEO of Motorola and CEO of the company's Mobile Devices division, unveiled Motorola's Android platform play. ... Key to both of the phones, and key to Motorola's overall Android strategy, is a new interface and application layer called MotoBlur. It's focused on 'a single stream' for social networking features, software updates, messages, syncing, e-mails, videos, photos... The Cliq phone has a 5-megapixel camera, slide-out keyboard, 24 frame-per-second video capabilities, GPS, a headphone jack, an advanced browser from Google, integrated Exchange service, and Google roaming services including Google voice search, access to maps, Google calendar, and more. It also provides one-click access to Android Market and the thousands of Android applications there."

juct writes "Beginning with versions 3.5.3 and 3.0.14 of Firefox, Mozilla is going to check the version of installed Adobe Flash plug-ins and warn users if it discovers an outdated version with potential security holes. Mozilla confirmed this new security feature and said that the Flash version check was part of a wider commitment to 'protect users from emerging threats online.' Just recently, a study confirmed that 80 per cent of users surf with a vulnerable version of Adobe's plug-in."