Security-Updated Versions Of Mozilla Released 375

petabyte writes "As mentioned in this Mozillazine article, there are new versions of the Mozilla Suite (1.7.2), Mozilla Firefox (0.9.3) and Mozilla Thunderbird (0.7.3) available. They address 4 security bugs (linked from the Mozillazine article). Unlike Firefox 0.9.2, these can't be fixed with just an XPI upgrade, so you'll have to download a new binary and install."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward
    Due to Microsoft's previous wealth of experience in fixing security problems, can it be true that their patching process is more efficient than Mozilla's?

    Why otherwise would it be required to download an entirely new browser to fix a few problems?
  • Grumble Grumble (Score:5, Insightful)

    by (54)T-Dub ( 642521 ) <tpaine.gmail@com> on Wednesday August 04, 2004 @08:03PM (#9884647) Journal
    I'm getting tired of the whole uninstall, delete, re-install, get plugins, import bookmarks, set settings, get skins (optional) routine. I wish they would hurry up and fix the installer so that I could simply update the browser and save all my stuff.
    • Re:Grumble Grumble (Score:4, Interesting)

      by doofsmack ( 537722 ) * on Wednesday August 04, 2004 @08:06PM (#9884669)
      I had no problems just letting the installer overwrite my old Firefox directory. After it upgraded, all my extensions/bookmarks were still there.
    • I just installed over it, and it worked fine.
    • Mod parent up. (Score:4, Insightful)

      by hot_Karls_bad_cavern ( 759797 ) on Wednesday August 04, 2004 @08:10PM (#9884714) Journal
      i know it'll be an unpopular one about these parts, but: yeah, i'm with you bro. i should only have to click "Upgrade" on the Moz page to get the newest browser. Bitch and moan all you like, that's the way it should be: an icon in the corner: "upgrade now"...you can ignore if you like, you can build from source if you like, but me? Hell, just get me a new browser now....when i click. Yeah, yeah, save me all the "but, if it's just click and go and the security and the users and malware pages"...save it. Code against that, let me upgrade on the fly (restart okay...reboot not-okay) with a click. Tough to do? Hell, look about at the OS that this browser runs on (for the most part at this time): click and do for 'em eh? Not that much to ask. Give 'em a, 'no thanks, i'll do it the hard, trusted, but sure way' button. i'm not banging that in any way...hell, with some packages that's the only way i'll trust 'em. Moz is a safe bet: give us a 'click an' go to the newest version' button k? Yep.
      • Re:Mod parent up. (Score:5, Insightful)

        by (54)T-Dub ( 642521 ) <tpaine.gmail@com> on Wednesday August 04, 2004 @08:23PM (#9884836) Journal
        Here here. And their "handy" little update notification in the lower right corner has never worked for me. It is constantly telling me that I have to upgrade to version 0.9.1 (which I'm running). Even now it still says the same freaking thing.

        Don't get me wrong, I love Mozilla and open source. But it's those little things that developers hate coding that get to me sometimes. Don't even get me started on a Linux install.
      • Well, it kinda works this way already.
        apt-get update
        apt-get dist-upgrade
        PS ;)
      • These mumblings on what I do is for the Windows version of Mozilla only, and I don't have many themes or plugins installed. There is no warranty on the information I give and I recommend backing up both your Mozilla profile and Mozilla program directory before doing what I do. This is what I do myself so that I can restore anything that may get damaged.

        I use Mozilla NOT Firefox but what I do for upgrades is this (and I do not lose my installed plugins, Orbit theme and settings). My memory is a little vag

    • <broken record>
      Just install over the top of your previous version, everything comes up and works fine.
      </broken record>

    • Re:Grumble Grumble (Score:5, Informative)

      by steeef ( 98372 ) <steeef@@@gmail...com> on Wednesday August 04, 2004 @08:13PM (#9884742)
      Installing over the old version often works, but sometimes not.

      If not, I usually save my plugins, delete the directory, install, then copy my plugins. My settings, bookmarks, and skins are all in my profile, and I haven't had to delete/recreate that in a while.

      It sounds like you're just being too careful.
      • Re:Grumble Grumble (Score:3, Informative)

        by Derek Pomery ( 2028 )
        Even easier, symlinking /usr/mybrowser/plugins to /usr/mozilla/plugins and relinking on upgrade.
        Heck, if you upgrade it yourself, it is as easy as aliasing
        tar xvfz mozilla.tar.gz && cd mozilla && rm -rf plugins && ln -s /usr/foo/plugins .

      • Re:Grumble Grumble (Score:3, Interesting)

        by DarkEdgeX ( 212110 )
        If you install over an old version it's been my experience that the user-agent and other settings don't get updated for whatever reason.

        I'll confess, updating should be painless for Firefox/Mozilla, but it's not.
    • (Score:-1, Gentoo Fanboy)

      Mod me as fanboy, I don't care, but this is solved with Gentoo. Is it perfect? Nope, but solves the above grumble, as well as a slew of other things that I enjoy over my 2nd fav Linux, Slackware (which is no slouch in its own right...)

      CB
    • It takes me only a few moments to download and install a newer version, and get my stuff from extensionroom.mozdev.org.

      It's a painless process, which I do about once a week since I like to use the nightlies.

      No one is forced to move to a newer version. The older versions also work well.
    • While all of these people say to just install over your old version, they would be wrong. Over time, old files start sifting through. One of the most common problems of not-uninstalling is your UA string stays on the old version, but your browser is definitely the new version.

      You'll want to take a look at bug 237727 [mozilla.org]* to see that they are going to clear out some of the old files if you choose to reinstall over your old version. They have already done some good work on that bug for the next versions (FX 1
    • While we're on the topic of bashing the Mozilla installers, let me complain that unattended/silent installations of Firefox/Tbird are completely broken. The installer's config file promises to allow silent installs, but in practice it pays no attention to that option. Silent installations are necessary for deployment to lots of systems with proper settings and without user intervention.

      The only ways I can see to accomplish a silent install are either:
      • rewrite the installer so it actually does work (pain i
    • It's not that hard (Score:4, Informative)

      by gad_zuki! ( 70830 ) on Thursday August 05, 2004 @01:39AM (#9886310)
      Granted, I'd like to see a patcher/updater that works, but this is still sub 1.0 software.

      Rename current firefox directory.

      Install firefox.

      Copy plugins folder to new install.

      Load firefox.

      That's it. Your bookmarks and settings are in your profile, NOT in the install directory.

      Some plug-ins will need to be reinstalled.
  • RPM's ? (Score:2, Interesting)

    by Anonymous Coward
    Any idea where to get RPM's ?
  • 0.9.? (Score:2, Insightful)

    by asd-Strom ( 792539 )
    If things keep going this way we end up with 0.9.55 or something. They should think about some patching systems..
  • libpng (Score:5, Interesting)

    by HungWeiLo ( 250320 ) on Wednesday August 04, 2004 @08:05PM (#9884664)
    According to the forum, a libpng vulnerability also just happens to crash IE.

  • by Lord Crc ( 151920 ) on Wednesday August 04, 2004 @08:10PM (#9884715)
    I might be dafter than a regular brick, but I can't see that the FireFox Release Notes mention what is actually new in this release?
    Oh well... perhaps I'm just weird for wanting to know what's new in this sub-release.
  • by sakyamuni ( 528502 ) on Wednesday August 04, 2004 @08:16PM (#9884779)

    The timestamps in the 0.9.3 release directory [mozilla.org] show that the Windows binary has been updated.

    Got the supposed 0.9.3 for Windows earlier today, which didn't work. Process appeared in task list, but no window came up. Also, any place the version number appeared, it was still listed as 0.9.2. With the caveat that I don't know how those folks do their releases, I'll say that with the proper automation [pragmaticprogrammer.com], that oops-i-forgot-to-increase-the-version-number snafu should never happen.

  • by Anonymous Coward on Wednesday August 04, 2004 @08:17PM (#9884785)
    Copy & Paste, Bugzilla hates us:

    http://bugzilla.mozilla.org/buglist.cgi?bug_id=251381,249004,250906,253121

    • Importing false CA certificate leading to error -8182 (perm DoS), especially exploitable by email
    • null (%00) in filename fakes extension (ftp, file)
    • new libpng buffer overflow vulnerabilities
    • lock icon and certificates spoofable with onunload document.write


    IE catches shit for 2 out of the 4 bugs.

    libpng buffer overflow - a lot of bitching goes on around here with regards to "OH M$ EVEN HAD AN OVERFLOW IN BMP HANDLING IN IE!!!"

    null (%00) in filename fakes extension (ftp, file) - Variation of this got IE in trouble...
  • MAC OSX Complains (Score:5, Insightful)

    by OlivierB ( 709839 ) on Wednesday August 04, 2004 @08:18PM (#9884788)
    While this is not a showstopper, can somebody explain me why Firefox for mac ever since 0.7 has a problem with Expose feature? IE one can see a small window attached to the main window?
    Also, why is it we cannot search the bookmarks in the sidebar without crashing the whole application?

    Small annoyances but we are getting awfully close to 1.0 and still no sign of improvement.
    Safari is catching up in terms of speed and is looking ever more appealing!
    • > Also, why is it we cannot search the bookmarks in the sidebar without crashing the whole application?

      I also get this on my Windows box. I thought maybe my profile files were causing the problems, and that using a new profile might solve the crash occurrences...
    • Re:MAC OSX Complains (Score:2, Informative)

      by bdaehlie ( 537484 )
      The way Mozilla does windowing, it creates an invisible root window. You can see that it exists without expose by trying to apple-tab through pages. So far the developers have not found a way to redo the windowing system so that this invisible window is no longer necessary. It's been there since the NS 4.x days I think. I bet if you use FF 0.7 on a box with expose you'll see it there too.
      • by Trillan ( 597339 ) on Wednesday August 04, 2004 @08:41PM (#9884961) Homepage Journal

        I use an invisible root window in my application as well. Many applications use invisible windows, and they do not foul Exposé at all. Exposé will not show an invisible window, nor will it show an offscreen window (which is frustrating to me, as I have several tools that try to remember where windows were last displayed even on smaller monitors).

        I really do not know what Mozilla is doing, but it is not that simple.

    • My problem is that NONE of the themes other than the default work on OSX. What's the point in a cross platform browser if it's gonna be this screwy? Camino would be much better if it had adblocking. I'll just stick to Safari and PithHelmet I guess.
      • Camino would be much better if it had adblocking. I'll just stick to Safari and PithHelmet I guess.

        This is why I use Junkbuster [junkbuster.com] as opposed to relying on a browser based system.

        No matter what browser I decide to use Safari, Moz, Firefox, Camino or IE (shudder) I get the same filtering rules.

        I tried Privoxy [privoxy.org], but I found that for some odd reason it really slowed down local PHP scripts and since I use my PowerBook mostly for development I went back to Junkbuster.

      • Re:MAC OSX Complains (Score:3, Informative)

        by sbszine ( 633428 )
        My problem is that NONE of the themes other than the default work on OSX.

        That's due to this bug [mozilla.org], which mangles any cross-platform theme using native scrollbars. (You'll have to cut and paste the link, as Bugzilla fears Slashdot).
    • Re:MAC OSX Complains (Score:4, Informative)

      by nxg125 ( 30911 ) on Wednesday August 04, 2004 @08:39PM (#9884949)
      Well, Firefox 1.0 on OS X will be delayed [mozilla.org] a bit from the other platforms to clean up some issues such as this. The Expose thing you mentioned has been written up [mozilla.org] in Bugzilla (copy & paste the URL to see the bug.)
  • by Joey7F ( 307495 ) on Wednesday August 04, 2004 @08:21PM (#9884815) Homepage Journal
    249004 Importing false CA certificate leading to error -8182 (pe...

    # False certificates aren't really an exploit

    250906 null (%00) in filename fakes extension (ftp, file)

    # fake extensions aren't exploits

    251381 new libpng buffer overflow vulnerabilities

    # okay that is an exploit

    253121 lock icon and certificates spoofable with onunload docume...

    # that is not an exploit either

    I think they should be more like bugs. I think Mozilla is just trying to play it safe. Ironically by them "being up front" they may end up driving people away from the browser...

    --Joey
    • by black mariah ( 654971 ) on Wednesday August 04, 2004 @08:53PM (#9885026)
      Are you fucking stupid? Every fucking one of those is EASILY an exploit, not of code but of the user.

      Fake certificates help in all sorts of scams. Spyware, eBay scams, whatever. "Oh, this is signed by Macromedia. It must be safe!"

      Fake extensions. We've all seen the results of simply adding a .jpg before a .exe, and how much shit does MS take for THAT one? Like it's their fault that people are fucking stupid enough to double click on 0wnyourcomputer.jpg.exe. Faked extensions are worse, because they don't even have the fucking .exe at the end.

      Lock icon spoofable. So you go to a site you THINK is secured, but it turns out it isn't. Happy funtime on your credit card!

      Not all exploits are code-based, not all exploits are related to software.
    • #250906 null (%00) in filename fakes extension (ftp, file)
      # fake extensions aren't exploits

      Except this would allow text files (on your hard drive) to be parsed as html files (and get the javascript associated with them). However, it's not earthshattering as it would be in IE because if it were IE, it would get extra "local zone" permissions. The only addition of permissions in moz is being able to link to other file: locations.

      # 251381 new libpng buffer overflow vulnerabilities
      # okay that is an exploit

      Howev
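The "%00 in filename fakes extension" item discussed above, turned into a check, as an added example that is not part of any comment in this thread and is not Mozilla's code. It assumes the general failure mode in which one layer handles the decoded name as a NUL-terminated string and so stops at the NUL; the function names and sample URLs are constructed for illustration.

```javascript
// Added example: checks the last path segment of a file: or ftp: URL for an
// encoded NUL that makes two layers disagree about the file's extension.
// Assumption: one layer treats the decoded name as a NUL-terminated string.

// Lowercased extension of a name, or "" when it has none.
function extensionOf(name) {
  const dot = name.lastIndexOf(".");
  return dot > 0 && dot < name.length - 1 ? name.slice(dot + 1).toLowerCase() : "";
}

// Percent-decode up to maxRounds times so that double encoding (%2500) is
// caught as well. Returns null when the segment as given is malformed.
function decodeFully(segment, maxRounds = 3) {
  let current = segment;
  for (let round = 1; round <= maxRounds; round++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      // A failure in round 1 means bad encoding in the URL itself; in a later
      // round it only means the text is no longer percent-encoded.
      return round === 1 ? null : { text: current, rounds: round - 1 };
    }
    if (next === current) return { text: current, rounds: round - 1 };
    current = next;
    if (current.includes("\u0000")) return { text: current, rounds: round };
  }
  return { text: current, rounds: maxRounds };
}

// Verdict for one URL: "ok" with the extension, or "reject" with the reason
// and, for an embedded NUL, the two extensions the layers would see.
function inspectUrlFilename(url) {
  const path = url.split(/[?#]/)[0];
  const segment = path.slice(path.lastIndexOf("/") + 1);
  const decoded = decodeFully(segment);
  if (decoded === null) {
    return { verdict: "reject", reason: "malformed percent-encoding" };
  }
  const nul = decoded.text.indexOf("\u0000");
  if (nul === -1) {
    return { verdict: "ok", extension: extensionOf(decoded.text) };
  }
  return {
    verdict: "reject",
    reason: "embedded NUL in filename",
    decodeRounds: decoded.rounds,
    extensionOfFullName: extensionOf(decoded.text),             // seen by code using the whole string
    extensionBeforeNul: extensionOf(decoded.text.slice(0, nul)), // seen by NUL-terminated handling
  };
}

// Constructed sample URLs (not taken from the bug reports).
const SAMPLE_URLS = [
  "ftp://example.test/pub/readme.txt",
  "file:///home/user/notes.txt%00.html",
  "ftp://example.test/pub/report%2500.pdf",
  "file:///tmp/bad%zz.txt",
];
for (const url of SAMPLE_URLS) {
  console.log(url, JSON.stringify(inspectUrlFilename(url)));
}
```

Rejecting the name outright when a NUL appears avoids having to decide which of the two extensions to trust.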
  • Linux installer bug (Score:5, Informative)

    by FunkyRat ( 36011 ) * <.moc.liamg. .ta. .taryknuf.> on Wednesday August 04, 2004 @08:27PM (#9884865) Journal

    I downloaded the linux installer version (firefox-0.9.3-i686-linux-gtk2+xft-installer.tar.gz) linked from the Firefox page and itself seems to have a little bug:

    ** (firefox-installer-bin:3120): WARNING **: Invalid UTF8 string passed to pango_layout_set_text()

    It winds up with an incomplete installation. However, if you just download the gzipped tarball without the installer from here [mozilla.org] and untar it over your old firefox directory you should be just fine.

  • by cipher uk ( 783998 ) on Wednesday August 04, 2004 @08:33PM (#9884914)
    i wonder if the people who uncovered these bugs qualified for the $500 payment or if it contributed to them being found.
  • by bani ( 467531 ) on Wednesday August 04, 2004 @08:37PM (#9884937)
    looks like the mozilla binary builds for x86_64 haven't been updated yet.
  • When I go to 'Help' -> 'Release Notes' on Thunderbird's text menu bar, IE opens... why is that? This occurs even though I've disabled access to IE in the WinXP 'Set Program Access and Defaults' section.
  • one thing to note (Score:3, Insightful)

    by dwgranth ( 578126 ) on Wednesday August 04, 2004 @08:48PM (#9885007) Journal
    Yeah, i see a lot of people on this list complaining about Mozilla having so many patches... dang, at least they put them out there... also im sure the opensource nature of mozilla/firefox lets many eyes see the bugs... while in IE there could be millions of little goodies that could be exploited and we would never know. I'm just impressed that the coding team has fixed the bugs so quickly. Yes.. they do need to build in a better patching mechanism.. but every project has a few growing pains.
  • I grabbed the 1.7.2 source tarball and configured as usual (Linux/gtk2, disabled everything but the browser), but there appear to be some files missing. The build first bombs when trying to create nsBuildID.h (missing the Perl module Moz/Milestone.pm, which I assume is part of the developers' environment). If I hand-copy nsBuildID.h.in to nsBuildID.h, it then bombs later because a variety of the needed Makefile.in files are missing (there are a bunch of warnings about this during configure).

    I tried grabbi
  • Gentoo (Score:5, Funny)

    by mroch ( 715318 ) on Wednesday August 04, 2004 @08:54PM (#9885033)
    "...so you'll have to download a new binary and install."

    Not on Gentoo, you insensitive clod!

  • Easiest of upgrades (Score:4, Interesting)

    by whovian ( 107062 ) on Wednesday August 04, 2004 @09:52PM (#9885379)
    That was what an update should be!

    Upgraded from 0.9.1 to 0.9.3. Didn't have to fiddle with turning off extensions or re-downloading them and reconfiguring them this time. Continues to use the same .mozilla directory. The only nit to pick was that search plugins aren't stored in userspace, but copying them over is trivial.
  • by Codeala ( 235477 ) on Wednesday August 04, 2004 @09:58PM (#9885410)
    Where is the Changelog? From the website, you only know there is a new version for these three apps, but there is no description of what has been changed since the last version?

    I remember that for every release there used to be a link to the Changelog with details on all the new changes since the last minor update (eg v1.6.1 to v1.6.2). Is the new site/design just too "user friendly"?

    (After some browsing I did find a link to an *external* website with change details, but can't find it again now... @_@)
  • by Lexomatic ( 779253 ) on Wednesday August 04, 2004 @10:08PM (#9885457)
    Firefox is still pre-version 1.0 at the moment, so people should be expecting these sort of updates.

    Prior to 0.9, Firefox was only being updated every few weeks, with each release holding many fixes since the last release. I think the increase in releases has mainly been due to the fact that in the last month or so the user base of Firefox has gone up dramatically.

    I am sure this has put a lot more stress on the Firefox dev team because now people are starting to rely on their browser to be as good as IE and with whole organisations now looking at using Firefox over IE, the pressure must really be on to make sure it lives up to expectations.

    Once Firefox hits version 1.0, people will get real shitty if it has bugs and security flaws, so the more they fix during 0.9.+ the better. Until then, I am happy to keep downloading it, daily if needed.

  • by MagicFab ( 7234 ) on Wednesday August 04, 2004 @10:48PM (#9885645) Homepage
    One way to keep updated about Mozilla releases and developments in many different areas is by subscribing to one of the developer mailing lists:
    http://www.mozilla.org/community/developer-forums.html [mozilla.org]

    MozillaZine.org also does a good job of summarizing the development, but it's almost always 2-3 days late.

    For the true cutting-edge lizard in you, there's always the feedhouse:
    http://feedhouse.mozillazine.org/ [mozillazine.org]

    And of course it has RSS feeds.

    For those of you wanting to know when specific bugs have been fixed, I find the "edge" websites to be most simple to read (although not thorough):

    The Rumbling Edge (for Thunderbird):
    http://weblogs.mozillazine.org/rumblingedge/ [mozillazine.org]

    The Burning Edge:
    http://www.squarefree.com/burningedge/ [squarefree.com]

    Sadly, there is no information about the releases almost a day after they have been out on http://mozillaeurope.org/en/ [mozillaeurope.org] ... I wrote a note this morning but I imagine they are submerged.

    Enjoy!
  • Letting People Know (Score:5, Interesting)

    by MournsForHumans ( 801478 ) on Wednesday August 04, 2004 @11:08PM (#9885745)

    What I find odd is that despite this release being focused on patching security vulnerabilities there's no noticeable mention on the web site of the importance of this update. I leave my home page set to the FireFox page in hopes that there will be a clear message saying if there's a need to upgrade, but the page itself only says 0.9 -- and I'm fairly confident that the average user isn't going to figure out the difference from the front page (which now says 0.9.3, but how many users are aware of what version they're using?) It wasn't until I read slashdot that I was made aware of the release of this security update, and who knows if something could have happened since then?

    While I don't expect a windowsupdate.com for Mozilla, being that a main criticism of users is their failure to keep software updated why don't the developers make it more clear that an update is even present?

  • by technix4beos ( 471838 ) * <cshaiku@gmail.com> on Thursday August 05, 2004 @12:07AM (#9886002) Homepage Journal
    The windows version listed for download [mozilla.org] at the FireFox product page [mozilla.org] is not the same as the windows version [mozilla.org] listed on the main download page [mozilla.org].

    Just a heads-up to everyone rushing to download without checking. The mozilla.org web guys might want to fix that too.

    Cheers.
  • by Tim_F ( 12524 ) on Thursday August 05, 2004 @12:27AM (#9886080)
    problems that Firefox .9.x has had with slashdot. It seems that the side menu bars randomly overlap the main page content. It really looks ugly.
  • Auto Update (Score:3, Interesting)

    by Anonymous Coward on Thursday August 05, 2004 @02:01AM (#9886385)
    The main executable for firefox is ~6MB... It would seem to me that this is not a very efficient method for updating the program. Perhaps they'll design the next version with modules that can be updated more efficiently by smaller downloads?

    Anyone know why the version information for the file for 0.9.3 lists 0.9.0.0? Right click firefox.exe and then properties then version tab.

    IE has an executable of a few KB (WinXP).

    • Re:Auto Update (Score:3, Insightful)

      by chx1975 ( 625070 )
      a few KB? what about mshtml.dll, a 2+ Mbyte DLL... iexplore.exe is small, 'cos it's not much more than a dummy dll loader.
  • Hmmmm (Score:4, Interesting)

    by AdmV0rl0n ( 98366 ) on Thursday August 05, 2004 @04:22AM (#9886856) Homepage Journal
    During the recent Ject issue, I looked into trying to rip out IE. I have like 120 machines to look after, I don't have the money to active directory, and I have certain limits. I'll use psexec but even so, it's a long tedious job maintaining 120 machines.

    Now, getting back to IE, yes, I did look at ripping it out. Not so easy on XP Pro as any user who signs in gets linked to the program in default. I could banjax the program directory, and stop it being used that way, but if I do that, I believe I can still call windowsupdate.com via an explorer window. I presume however, that anyone using the same method uses the same culpable browsing that impairs IE. Thus I'm not really solving the problem, just fending it off until the users get smart.

    In terms of Mozilla and Firefox, sadly I have to say the security failure regarding :shell: made me rather glad I hadn't committed a massive workload in the name of switching to a new bug-ridden, security glitched browser.

    Today, I'm told if I had rolled Mozilla, someone's just committed me to a wholesale re-roll out just because they can't patch, they have to fix it in a new install.

    I've said it before, I'll say it again, doing this to me just puts me right off even contemplating it. Next week, watch out, the next Mozilla issue will rear its ugly head.

    I sadly have to put aside the OSS/MS stuff, because whatever I put out there has to work, and it's not about ideology, I do not care about ideology. Mozilla is a fine effort, but the security side leaves much to be desired. One is hard pushed to claim that it's a quantum leap in browser security.

    AdmV
