Microsoft Not Worried about FireFox

didde writes "It seems like our friends in Redmond are quite happy about IE. According to this article, they won't be updating it until Longhorn. My favorite quote would be [We have a very, very innovative set of capabilities that we're putting in the next version. And in the meantime it's an extensible platform, and there will be a set of extensions that Microsoft does as well as others.] Oh boy, are they actually working side by side with the virusmakers and phishers?" That just gives the MozBoys a year head start.

browser security check

[exhilaration]

If you're still using an older (more than 6 months since you've patched) web browser, I suggest you check out this browser security check [scanit.be], which will test it for exploits.

At your own risk, of course. Firefox 1.0PR passed with flying colors.

Re:browser security check

[stratjakt]

No it didnt, I just tried.

Firefox 1.0 has 1 high risk vulnerability.


High Risk Vulnerabilities
Sun Java Plugin Arbitrary Package Access Vulnerability (idef20041123)
Description

Java Plugin allows web browsers to run Java applets. Java plugin may be used by Internet Explorer, Mozilla (and Mozilla-base browsers, such as Firefox), Opera and other browsers.

When a browser opens a web page that contains a Java applet the browser automatically downloads the applet and runs it locally. To protect the user from malicious applets all the applets run in so called "sandbox". The sandbox restricts what an applet can do. For example, the sandbox will not allow an applet to open local files or start programs.

This bug in Sun Java Plugin allows a web site to bypass the sandbox and execute Java code that the sandbox will normally not allow and possibly gain control over the client computer.
Technical Details

Sun Java Virtual Machine contains sun.* packages that are only supposed to be used internally, by the virtual machine itself. Some private classes allow direct access to memory or modifying private fields of Java objects. If an applet attempts to load one of those packages a security exception is thrown. If an applet could load those classes it could turn off Java Security Manager and break out of Java sandbox.

JavaScript can access properties and methods of Java applets embedded on the page. It is possible to load a private package from JavaScript as shown in the code below:

var c=document.applets[0].getClass().forName('sun.text .Utility');
alert('got Class object: '+c)

Java Reflection API allows objects to examine their own structure (for example, find out the class of the object or the available methods). Reflection API defines getClass() function that returns the object's class. forName method of Class object loads the named class. The same operation done from the Java applet instead of JavaScript would fail.
Recommendations

Upgrade Java Environment to version 1.4.2_06 or later. It can be downloaded from http://java.sun.com/j2se/1.4.2/download.html


Sure, it's a Java vulnerability, but a vulnerability nonetheless.

Why hasnt FireFox automatically updated Java for me?

At the end of the day, every time one of you sticks FireFox on some clueless' machine, and tell them they're "safe", you're lying (or just ignorant).

Re:What would they Add?

[electrichamster]

Difficult to aquire you say?

Choose your poison:
apt-get update
up2date
emerge sync && emerge -u world

(apologies to any I missed)

Opera 7 passed.

[eddy]

Opera 7.54u1 build 3918 passed.

The Browser Security Test is finished. Please find the results below:
High Risk Vulnerabilities 0
Medium Risk Vulnerabilities 0
Low Risk Vulnerabilities 0

Re:'Innovations'

[rainman_bc]

Of course when you copy and paste you tard:

...At only 47.3MB (Windows), Firefox ...

Meanwhile Pepsi says

[stratjakt]

Don't worry about the new formula from our competitor, we have something even better coming very soon.

Seriously, this isn't news, this is basic marketing. No company is ever going to admit that the competition is superior, which is what they'd be doing if they said they were worried.

No athlete is going to say he's worried on game day, either. "Gee we suck! I sure hope the Bears don't hurt us!". It doesn't happen.

But anything to bash MSFT, I suppose.

Re:browser security check

[Tarcastil]

Funny how this article comes up when the media just released information about a new virus. Phel uses IE to remotely control any version of windows, even windows xp sp2.
http://www.computerworld.com/securitytopics/securi ty/holes/story/0,10801,98636,00.html

Re:We're heard this line before

[Haydn Fenton]

I think the grandparent is referring to the story about an MS article reviewing MSN Search which features a screenshot [flickr.com] of MSN Search in the Firefox browser. Microsoft, being Microsoft, denied it completely, even though we all had the evidence on many websites.
Of course I may be wrong.

Re:browser security check

[baba]

Firefox 1.0PR passed with flying colors.

I had less success with FF 1.0 release for OS X. I tried the test a couple of times, and FF crashed both time midway through the tests.

Re:MS has no reason to fear loss of market share.

[The One KEA]

Have you heard of Nvu [nvu.com]? Being part of the coding-HTML-in-sleep brigade, I haven't actually tried it yet ;-)

Browser based apps

[L.Bob.Rife]

but honestly, is anybody still thinking that an entire OS can be replaced by a web browser?

At my workplace, I've implemented new browser based apps, and love them.

Everything is centralized, so I don't have to worry about maintaining software on 50 different machines.

There are no OS specific requirements. Any company computer can now run ANY os that has a browser, and still be able to do ALL of the core company work.

That means, I can give people a bare bones box, with no hard drive, and a knoppix cd, and they can do everything required for work.

Unless MS does somethign which makes me really want to use IE, then there is no reason to even be using MS.

Firefox browsing speeds

[Anonymous Coward]

I'm a fairly long-term Firefox user anyway but until today I had thought that it was not much better than IE for browsing speed. However I just read this article from The Inquirer [theinquirer.net] about how to make Firefox fly along - takes about a minute to change a few settings. If you're on broadband this is superb, particularly on sites with a lot of small graphics eg news.bbc.co.uk

Re:We're heard this line before

[Eric Giguere]

Here are some articles I wrote related to this topic:

• How to detect Internet Explorer [ericgiguere.com]
• Masquerading your browser [ericgiguere.com]
• HTTP header viewer [ericgiguere.com]

Eric

Re:Some other famous quotes...

[cain]

No. He said it was the "end of major combat operations". And since then, 1000 US soldiers have been killed. In fact the heaviest fighting of the war so far happened after that speech.

Re:We're heard this line before

[upsidedown_duck]

has MS EVER lost a market once they came to dominate it?

They will. Every single market that Microsoft currently dominates has solid gaining competitors, because the technology is becoming commoditized more and more. Office suites are something people should not have to pay a lot of money for, any longer, as are operating systems. That could be a big one-two punch for Microsoft.

When in history has there been such a broad line of software products with a common base? Sun JDS, Xandros, Linspire, Red Hat, SuSE, etc. all have the same overall source base plus their value added goodies for their target markets. This should be making Microsoft very very nervous about the future of Windows. No one can really take Windows, customize it, call it their own, and sell it, like people can with open source systems.

Go-faster tweak for Firefox

[Valiss]

Yet ANOTHER reason Firefox is a great browser is the great plug-ins and tweaks the community produces!

[ from boingboing.net ]

Here's a great go-faster tip for Firefox, the free, rock-solid, secure browser from the Mozilla Foundation:

1.Type "about:config" into the address bar and hit return. Scroll down
and look for the following entries:

network.http.pipelining network.http.proxy.pipelining
network.http.pipeli ning.maxrequests

Normally the browser will make one request to a web page at a time. When you enable pipelining it will make several at once, which really speeds up page loading.

2. Alter the entries as follows:

Set "network.http.pipelining" to "true"

Set "network.http.proxy.pipelining" to "true"

Set "network.http.pipelining.maxrequests" to some number like 30. This
means it will make 30 requests at once.

3. Lastly right-click anywhere and select New-> Integer. Name it
"nglayout.initialpaint.delay" and set its value to "0". This value is the
amount of time the browser waits before it acts on information it receives.

If you're using a broadband connection you'll load pages MUCH faster now!

Enjoy!

Re:If they have to say they aren't worried...

[msoftsucks]

I guess you haven't tried to develop applications in .Net that will work correctly on both IE and non-IE browsers. M$ has done everything possible to corrupt and distort the Internet so that only their crap-o-lla works properly. In a default ASP.Net installation, any browser that is not IE is brought down to Netscape V4.0 standards. Basically, if you decide to use any of the ASP controls, your web site will display properly only in IE. Anything else gets crappy HTML and you have spent enormous amount of time to make sure it works properly. To change this, you have to mess with the machine.config file, and redefine the how .NET and ASP.NET respond to non-IE browsers. And even then you have to be very carefull. This requires abit more intelligence than what your average MSCE has. Basically, if you want a site that works properly across all browsers, ASP.NET is not it.

Use something like Perl or PHP instead. This even gives you portability to other platforms later on.

Re:I am worried about Firefox. Still needs work.

[arpy]

I've watched Mozilla development for a few years now, and I can tell you that this is actually a good thing... By listening to everyone you end up with (among a million other things) a kitchen sink.

Ahem. [mozilla.org]

Re:We're heard this line before

[complete loony]

That link to the picture is broken, This one works [1918.com]

Re:We're heard this line before

[denison]

So this [amazon.com] means that Open Office is now relevant to the market?

Re:Mozilla, Viruses and Exploits

[roca]

> Oh, gee, your impression? Well, hey, that proves
> it.

Without access to the IE source code, it's hard to be sure, but there have been a number of bugs related to string buffer overflows in different parts of IE.

> In SP2, they recompiled all system libraries,
> including IE, using the VS2005 compiler with
> overflow detection.

That approach is not perfect, and would have been less necessary if they were using a safe string library. Still, it probably would be a good idea for Mozilla.org to build Firefox with the same options if they don't already.

> Has Mozilla done a code audit?

Mozilla.org has not done a systematic code audit, as far as I know, other than the regular code reviews that happen before checkin. I do know that people have studied the code, some using automated tools, others by hand, but we only know if people choose to tell us. (Which they often do to claim money under the bugs bounty program.)

Re:We're heard this line before

[Decaff]

Tell the users "We'd like to enable you to work faster. From this point forward, just doubleclick this. We installed a new version of Office and Internet explorer, they are called OpenOffice and Firefox. If you don't like this, feel free to use your Windows98 system."

I had zero Win98 users within a month, and zero Windows XP users within 3 months. That's a 400+ user environment.

Excellent!

I have managed the same thing, even with users who were very familiar with Windows. After many complaints that extensive training would be needed for a new platform, they just got on and used the Linux desktop, with no productivity loss.