Firefox Updated to 1.0.4 454
Exstatica writes "Firefox has been updated to 1.0.4 and they have fixed a few critical security holes, all javascript vulnerabilities. The Mozilla Foundation announced these vulnerabilities May 7th. 'There are currently no known active exploits of these vulnerabilities although a proof of concept has been reported." You don't have to upgrade, but it's recommended.'" We've reported on these vulnerabilities previously.
Re:Quick and serious on security (Score:5, Insightful)
Hopefully the mainstream news sources I saw will report this just as they reported the problem. I'm not holding my breath though.
IE still #1 a-ok (Score:0, Insightful)
Re:Many Eyes ? (Score:5, Insightful)
Oh, and hats off to the Firefox devs for the scorching turnover on this flaw. When Firefox 1.1 comes out (with its more diff-style updated) the process will be even more streamlined and painless.
Re:Great (Score:2, Insightful)
Until Firefox has an upgrade mechanism that doesn't feel like extracting teeth, the Microsoft approach, regrettably is going to win out.
-Steve
Re:Quick and serious on security (Score:2, Insightful)
Good work guys (Score:1, Insightful)
We appreciate it.
'all javascript vulnerabilities'? (Score:3, Insightful)
rotfl (Score:0, Insightful)
Seriously, what's the point in banging together a link to the 2 most popular extensions, etc?
Yes, but ... (Score:5, Insightful)
Rule #1: doesn't matter how fast you output a security update, if it's not being installed.
Unfortunately it's not enough for an update to _exist_.
Re:Will someone please... (Score:2, Insightful)
But you're willing to download it from any source as you're requesting a torrent, which can contain a "modified" version ?
I fail to see the logic... I'd advise you to wait till you can download it from the main mirrors.
Re:It's in the details (Score:2, Insightful)
news? (Score:5, Insightful)
Why is this news? Does this mean that every time firefox decides to update, it should be front page news? Can't you (slashdot) create a seperate field where the latest versions of popular products are announced? Like:
product | version | last update
firefox | 1.0.4 | today
Re:Quick and serious on security (Score:1, Insightful)
Re:Yes, but ... (Score:5, Insightful)
Personally, instead of displaying the tiny unobtrusive update indicator as it currently does, I would love see Firefox do something like change the window color to red and display a system message dialog stating the problem with a link to the update. Maybe a good compromise?
Re:It's in the details (Score:2, Insightful)
You have broadband. Lots of people still don't. For instance, every time Firefox releases a new version, I have to burn it to a cd for a friend of my wife's at work so they don't have to sit around for an hour at home waiting for it to download.
Re:It's in the details (Score:3, Insightful)
The Buddha says there is no you and there is no me, only "us".
Re:Yes, but ... (Score:2, Insightful)
"Often" is an overstatement. There were serveral incidents but given the number of patches they've released, your comment amounts to flamebait.
Re:hmmm... (Score:3, Insightful)
FireFox right out of the box proved to be a pretty solid browser (they had the chance to learn lessons from those browsers that came before). And when an issue does come up the take it seriously and try to fix it promptly.
I'd not only argue FireFox will never be IE (of a year or two ago), but I'd also bet IE (of today) will never be IE (of a year or two ago). XP SP2 had a lot of fixes and MS$ has been much more both pro-active and reactive about security (thanks to the kick in the pants from FireFox).
Please put down your torches and pitch-forks
That is however one of the issues with MS$. They have soooo much going on, there are times when a product (IE) will be such a low priority these things can happen. Over the last few years MS$ has been working on high-priority tasks like (new VS.NET, new SQL Server, XP SP2, and Longhorn) just to name a few. With those big core company projects happening, IE kind of fell through the cracks since they felt un-touchable in the browser market. Luckily, FireFox came around and woke them up. If you use IE or not, for the good of everyone it is good to see they have woken up a bit and lets hope it never happens again!
Re:Mozilla Suite updated as well (Score:3, Insightful)
Re:hmmm... (Score:3, Insightful)
Wait... IE is a major Windows app. Why was there no dedicated development group working on it as a matter of course?
Oh yeah. MS stops important development on applications once they have no competition...
Re:IE still #1 a-ok (Score:4, Insightful)
Of course, there were settings you could change that would fix that. They were in Advanced>Settings>Options>Burning>Defaults>Input. You just had to uncheck "Always burn with error correction (may cause some discs to burn slower)" which simply fixed the garbled data, and "Always burn with high-precision laser" (so you don't get coasters). Checking those 2 boxes results in the application working perfectly every time.
Would anyone use that? No! People would laugh it off and comment on just how stupid it is. Why IE gets a free pass for almost the same transgressions is beyond me. Oh, wait, no it isn't -- it's because people started using it years ago and are afraid of changing to something better because it's "different." "I've already got those boxes checked."
Re:Yes, but ... (Score:4, Insightful)
The fact that Firefox security updates don't automatically install unless you notice and click on that red arrow in the upper right corner pretty much guarantees that a large fraction of copies will remain unpatched. When I've visited people for whom I installed Firefox 1.0 when it came out, I've noticed that none of them have noticed the red update icon or updated Firefox on their own.
If users have to go and get updates, many machines will remain vulnerable to security holes.
Re:It's in the details (Score:2, Insightful)
Apart from the fact that there are still a lot of people on dial-up, I think it can be considered bad practice to download stuff you already have (like 90% of the program you are trying to update or patch).
I have broadband as well, but I'd rather save the extra bandwidth and used megabytes (yes, my connection has a limit) for something else.
By the way - suppose this was an Oracle database where the installer would be several gigabytes, would you still download it again?
Re:news? (Score:2, Insightful)
Re:Yes, but ... (Score:3, Insightful)
Now I consider my knowledge of computers and software as advanced, but I'm definately not an expert. I found the interface to be less friendly than IE and trying to change options was a chore. Also, until 3 days ago, I didn't know how to automatically update Firefox until I saw someone mention clicking the red arrow on the top right portion of the window. Now, I had gone to mozilla.org and downloaded the latest versions on my own, but this was a hassle. And if "I" didn't know about the auto-update, my grandmother, parents, sister, brother, and a few friends I've turned to Firefox are not going to know either.
Sometimes reading through
Re:news? (Score:4, Insightful)
I saw many IT magazines, mostly targeted at management, with significant space (even a few covers) devoted to the exploit. It is an example of the Firefox (and Mozilla) team's committment that a patch came out so quickly. This is very important, as it shows open source products can compete in the very tough browser market.
The progress of Firefox is now being watched by many - opponents and supporters alike. Firfox is under the spotlight and responding the serious issues - especially security, which has plagued IE - is crucial for the browser's future success. This is more about PR and brand recognition than security.
Re:Firefox speed..... (Score:3, Insightful)
avengine - 22meg (antivirus)
IExplore - 11 meg
When speaking of stability and mem usage, it's not worth the hype.
Ummm... right. Now count the memory usage of all the DLLs IE requires which are loaded into memory as part of Windows (after all, it is embedded). That 11MB does not include that. Once you factor that in, I'd wager it is much closer to the Firefox footprint.
1.0 crashed and the mem usage became as issue
And as for stability... I can't tell you the last time an official release of Firefox crashed on me. I find that most people with crashing issues have done something fucked up to their system.
Just my opinion.
Re:Quick and serious on security (Score:2, Insightful)
These issues were announced on Monday, and now a security release is available. This shows how professional the Mozilla Foundation has become and how serious they take security issues. Good work! Security problems will inevitably appear from time to time in all kinds of software, how these issues are handled is to me just as important as the software itself. Good job!
Yes, yes, very good.
Coming from a corporate background, however, I should point out that it's not enough that an update should be available quickly, but that the update should have been fully regression tested against all scenarios. If you ask Microsoft, it's this testing that invariably delays the releases of their patches and this is also one of the reasons why they've moved to the "patch Tuesday" model.
Remember that if you have a potential DOS vulnerability (as an example) that is patched with a dodgy patch that kills the application, you'll have just succeeded in doing what hundreds of script kiddies try and do all day...but all by yourself :-)
I'm not being an apologist for anyone, but do not underestimate the importance of testing and also the importance of knowing that a patch has been tested to the acceptance of Firefox in the wider corporate community, which has seen only small uptakes of Firefox to date...
Re:Firefox speed..... (Score:3, Insightful)
1. What version of Firefox?
2. Any Firefox extensions installed?
3. Did you start with a clean profile, or import an old one?
4. Did you install Firefox into a clean directory, or was it into an existing directory?
5. Are you running any network security software?
6. Is your company using a firewall/filtering device on the network?
And that is just preliminary questions regarding software/networking. Other things to check include motherboard firmware updates, memory tests, etc. Often programs will use the same areas of memory and you'll run into strange problems due to bad memory modules.
The problem is not just some firefox stability issue, since I use it all the time and it is rock solid. This implies something is different about your system that is causing the instability, or it could be a bug rendering whatever page you were on that it hung on, but if this is a continual crashing problem, I am guessing the former.
As for the memory, not five minutes ago I just had nothing open but the download window. Out of curiosity, I checked the mem usage on firefox.exe, to find that it was 69MB physical/81MB VM. That's just way, way too much, especially since it's just downloading one file.
My primary response to this is, memory is cheap and abundant nowadays. However, it likely wasn't using 69MB of memory just to download a file. Presumably you had been browsing quite a bit before hand, and things are cached in memory.
Like it or not, browsers are huge, complex programs that allow you to browse huge, complex data mines, and they require many resources. Just because IE hides its usage well doesn't mean anything.