Forgot your password?
typodupeerror
Mozilla The Internet Security Software IT

Firefox Updated to 1.0.4 454

Posted by Zonk
from the patching-the-fox-hole dept.
Exstatica writes "Firefox has been updated to 1.0.4 and they have fixed a few critical security holes, all javascript vulnerabilities. The Mozilla Foundation announced these vulnerabilities May 7th. 'There are currently no known active exploits of these vulnerabilities although a proof of concept has been reported." You don't have to upgrade, but it's recommended.'" We've reported on these vulnerabilities previously.
This discussion has been archived. No new comments can be posted.

Firefox Updated to 1.0.4

Comments Filter:
  • Update process... (Score:5, Interesting)

    by sznupi (719324) on Thursday May 12, 2005 @08:56AM (#12508169) Homepage
    yes, I know the arguments behind it...but it would be relly nice if update didn't involve simply downloading installer (on mine 128kbps it's so so...and on slower?)
    • Re:Update process... (Score:5, Informative)

      by iamjoltman (883526) on Thursday May 12, 2005 @09:01AM (#12508214)
      I believe that a patch update system will be implemented starting with Firefox 1.1
      • Reading some of the blogs on planet.mozilla.org states just that. Lots of tiny nifty features are supposedly going to be making it into 1.1 (the back/forward cache should make my 1 sec wait non-existent now!).
    • Re:Update process... (Score:3, Interesting)

      by cyways (225137)
      How about just including an Update entry somewhere in the menus? As far as I can tell, there's no menu item or icon that automatically takes you to an update site or checks to see if an update is available. My 1.0.3 version running on Windows didn't display the update icon this morning, so I eventually clicked on the circle icon to go to the Firefox home page. Guess what? No mention of an update there, or any link to the downloads page either.

      • It's in the details (Score:3, Informative)

        by Anonymous Coward
        You can check for updates from Tools>Options>Advanced>Software Updates. If you use some themes, e.g. Littlefox, there is a button next to the Firefox home page 'circle' that you can click to check for updates.

        As for your observation regarding the red flag, I believe The Mozilla Foundation had disabled that feature on the website because of one of the critical flaws now fixed.

        -clueless

        (I need to create a login here, or did I do it previously?)
        • by grommit (97148)
          And what does that "Check for Updates" do? That's right, it downloads the full installer to your desktop and executes it which is exactly the same as downloading it manually from mozilla.org except with a couple less mouse clicks. It still has to run the entire installer asking you if you want to re-create icons on the desktop/toolbar/start menu, do a quick/custom install and a few other things.
      • Menu > Tools > Options > Advanced > Software Update > Click Check Now

        Not very easily accessible, but at least its there :)

    • Re:Update process... (Score:5, Interesting)

      by 88NoSoup4U88 (721233) on Thursday May 12, 2005 @09:27AM (#12508404) Homepage
      So can you tell me what the argument(s) behind it are ?

      I find it very strange that the people I have converted (mostly not too tech-savvy) to using Firefox, still have to make re-installs themselves.

  • by xiando (770382) on Thursday May 12, 2005 @08:56AM (#12508170) Homepage Journal
    These issues were announced on Monday, and now a security release is available. This shows how professional the Mozilla Foundation has become and how serious they take security issues. Good work! Security problems will inevitably appear from time to time in all kinds of software, how these issues are handled is to me just as important as the software itself. Good job!
    • by portwojc (201398) on Thursday May 12, 2005 @09:00AM (#12508206) Homepage
      Yes excellent work.

      Hopefully the mainstream news sources I saw will report this just as they reported the problem. I'm not holding my breath though.

    • But, on the flip side, it does show a lack of a security auditing process. This will be needed inevitably...
    • Yes, but ... (Score:5, Insightful)

      by thinkfat (789883) on Thursday May 12, 2005 @09:26AM (#12508395)
      ... as soon as the first proof of concept evolves into a worm, they will experience what it means to be deployed on millions of internet-connected pc's of clueless users.

      Rule #1: doesn't matter how fast you output a security update, if it's not being installed.

      Unfortunately it's not enough for an update to _exist_.
      • Re:Yes, but ... (Score:5, Insightful)

        by jbarr (2233) on Thursday May 12, 2005 @10:04AM (#12508714) Homepage
        And therin lies the double-edged sword. Just about everyone on /. complains about Microsoft's auto-update feature saying that it's intrusive, and they don't want some company to have control of what is installed on their PC's. Yet, in order to ensure security, an auto-update feature really becomes necessary. Of course, Microsoft and the Mozilla Foundation as companies are viewed with very different levels of "trusts." Unfortunatly, not everyone will be satisfied.

        Personally, instead of displaying the tiny unobtrusive update indicator as it currently does, I would love see Firefox do something like change the window color to red and display a system message dialog stating the problem with a link to the update. Maybe a good compromise?
        • Re:Yes, but ... (Score:3, Insightful)

          by Ogive17 (691899)
          I downloaded firefox as soon as it was "officially" released.

          Now I consider my knowledge of computers and software as advanced, but I'm definately not an expert. I found the interface to be less friendly than IE and trying to change options was a chore. Also, until 3 days ago, I didn't know how to automatically update Firefox until I saw someone mention clicking the red arrow on the top right portion of the window. Now, I had gone to mozilla.org and downloaded the latest versions on my own, but this wa
      • Re:Yes, but ... (Score:3, Interesting)

        by tyler_larson (558763)
        ... as soon as the first proof of concept evolves into a worm...

        Point taken, but let's bear in mind that this POC can't evolve into a worm. It can't even evolve into an exploit now that the only site on the default whitelist no longer exists.

        That's why they didn't put out a stop-gap fix release at the beginning of the week--the threat had passed completely.

        Firefox developers got lucky this time--they could remove the threat with a simple server-side modification. With most vulnerabilities of this s

      • Unfortunately it's not enough for an update to _exist_.

        True. But it's also not enough for a bug to exist either. It has to be _exploitable_.
  • Already upgraded (Score:5, Interesting)

    by Walkiry (698192) on Thursday May 12, 2005 @08:57AM (#12508177) Homepage
    Posting from 1.0.4 right now. Funny thing, after I upgraded and restarted the browser, I still had the "updates available" little red arrow on the top right corner of the browser. After checking for upgrades (and finding none), it's disappeared. Bug? Leftover registry entry or config file from 1.0.3?
    • I had that too, I think it's to do with extentions. When I clicked the arrow (on 104) it complained that an update to Copy Plain Text wasn't available after all.
    • Not related to your syxtem, but if someone is on linux and using debian for example, they disable the update functionality for the browser for the browser itself and allow it for the extensions only. This is to ensure that firefox gets updated by the package manager, in the example's case: apt-get.

      It has reportedly sometimes the bad effect that the red update arrow stays red forever.
    • Re:Already upgraded (Score:3, Informative)

      by kbrosnan (880121)
      There is a flag variable in about:config 'app.update.updatesAvailable' that gets set to true. The notification would have gone away on its own in about a day when Firefox checked for updates.
  • by PlancksCnst (877593) on Thursday May 12, 2005 @08:57AM (#12508185) Homepage
    This guy at work noticed I was using firefox (he's an IE user), and said, slyly, "You know, there's a couple of really bad security holes." Good think FF fixes their holes faster than MS.
  • by CABAN (818466) <adelleda@NosPaM.gmail.com> on Thursday May 12, 2005 @08:57AM (#12508186)
    Next time I try to help a friend out I'm not suggesting firefox. I'm suggesting Netscape! Wwwait.
  • hmmm... (Score:3, Informative)

    by prophetmike (789248) on Thursday May 12, 2005 @08:59AM (#12508194) Homepage
    Firefox 1.0.4 was posted sometime between 11 and 11:30PM last night EST. I got it about 11:40 :D (Yes, geek alert) That aside, with all of these newfound vulnerabilities popping up so often, could Firefox become (later down the line) the new Internet Explorer? May seem highly unlikely now.. but as the New York Lottery says... "Hey, you never know."
    • Re:hmmm... (Score:3, Insightful)

      No. The real issue with IE wasn't the security that were found (this will ALWAYS be the case with ANY software), it was thier lax attitude about fixing the issues.

      FireFox right out of the box proved to be a pretty solid browser (they had the chance to learn lessons from those browsers that came before). And when an issue does come up the take it seriously and try to fix it promptly.

      I'd not only argue FireFox will never be IE (of a year or two ago), but I'd also bet IE (of today) will never be IE (
  • by iamjoltman (883526) on Thursday May 12, 2005 @08:59AM (#12508196)
    It should be noted that the Mozilla Suite has also relased an update, 1.7.8.
  • I don't have an upgrade arrow yet :P

    • Re:Wheres my arrow? (Score:3, Informative)

      by michrech (468134)
      I don't know this as fact, but I think it is all in what time your browser checks for updates. I can't tell for sure, but I think it is set to do a random check (mayhapps it even checks every so many days and yours is still not showing an update as others are because you installed so many days after they did)...

      I dunno..

      ---
      telnet://sinep.gotdns.com [gotdns.com] -- Telegard BBS -- Enjoy!
  • Mirrors (Score:5, Informative)

    by bunburyist (664958) on Thursday May 12, 2005 @09:01AM (#12508213)
    Mozilla.org will probably get hammered!! Here's a google cache of the Firefox Mirror List [64.233.183.104]

    And while you're at it don't forget those extensions:

    FoxyTunes: http:www.iosart.com/foxytunes/firefox/ [iosart.com]

    AdBlock: http://adblock.mozdev.org/ [mozdev.org]

    Or you can just go get more at: update.mozilla.org [slashdot.org]

    Happy Browsing!
  • Locales (Score:2, Informative)

    by bjprice (863197)

    Unfortunately there's no British English version of 1.0.4 yet.

    It'll appear in the list of locales here [149.174.36.116] when it's ready, but it looks like we limeys are stuck with 1.0.3 (or speaking American English) until then.

    • Re:Locales (Score:5, Funny)

      by InsideTheAsylum (836659) on Thursday May 12, 2005 @09:25AM (#12508388)
      You know, you don't have to wait for Firefoux to come out, you can just use the regular old Firefox..
      • Re:Locales (Score:3, Funny)

        by dagnabit (89294)
        Isn't the British version named Foyerfox?
      • I went into the options screen, and I had lost the settings for my "Fonts and Colours".

        All that was left was "Fonts & Colors" (whatever they are).

        In reality, I never once noticed I had the english version until I just went and checked.
    • Re:Locales (Score:2, Funny)

      by Anonymous Coward
      What exactly is different? I didn't see any obvious spelling differences on my American English version of Firefox. It's not like our version says "Open Location Beeyotch!" instead of "Open Location".
      • True, but one need to realise the differences are small but still exist; it's like running Firefox on different tyres. :-)
  • Impressive (Score:5, Interesting)

    by PenguinBoyDave (806137) <david@davidmNETBSDeyer.org minus bsd> on Thursday May 12, 2005 @09:05AM (#12508245)
    While I don't care for the update process, I am exceedingly impressed that Mozilla makes fixes so quickly, and doesn't try to hide them (like another browser company has done in the past). Professionalism...very nice to see this from Mozilla. Kudos!
  • by Anonymous Coward
    I copy the exe installer into a folder on a windows share, explorer crashes when I access the folder from certain clients. Same happened with 1.0.2 but not with 1.0.3

    I wildly guess it's a race condition or something arising from reading the embedded icon resourse as that doesn't show? No I don't really have a clue what causes it.

    All machines are fully patched W2K, thank buddha for memory sticks!
  • by denis-The-menace (471988) on Thursday May 12, 2005 @09:07AM (#12508254)
    Why can't we have extensions that don't die just because they changed the release number?

    Extension authors can't keep up.
    Mozilla Update is slow to update itself.
    and Users like me are left looking to google for help.
    Silly me thought Mozilla Update there to centralized things.
  • Damn. Can't upgrade to 1.0.4 since the English (British) version is not available yet :( Can't be installing the American version ;)
  • by Anonymous Coward on Thursday May 12, 2005 @09:11AM (#12508292)
    As a system admin for our company, every new Firefox release means that I will have to go around to 150 workstations and manually reinstall the browser again to keep it up to date. I wish there was some sort of way to remotely update the browser on all machines or a way to patch vulnerabilities without a full reinstall.
  • by Feng (63571) on Thursday May 12, 2005 @09:13AM (#12508307)
    Does middle clicking on a link open a new tab for OS X yet? The last I heard you had to patch FF to enable this feature. Middle clicking works fine on Safari, it's one feature I really miss when using FF on OS X.
  • by jbarr (2233) on Thursday May 12, 2005 @09:16AM (#12508324) Homepage
    My wife pointed out an article on Google News (that I had already seen earlier) showing that Firefox had some security vulnerabilities. She winced because I had just converter her to Firefox. I told her not to worry. I said, "Mark my words, there will be a security fix within a week." Well, today the fix was released and she was impressed. Not only has the Firefox development team improved the product, but they have made my wife happy! Life is good!
  • Will some one please post a .torrent? Highly apreciated thanks.
    • You're obviousile eager to update your firefox rapidly, I suppose because of the security fixes of that new version.

      But you're willing to download it from any source as you're requesting a torrent, which can contain a "modified" version ?

      I fail to see the logic... I'd advise you to wait till you can download it from the main mirrors.

  • by DaHat (247651) on Thursday May 12, 2005 @09:20AM (#12508344) Homepage
    That sounds awful ominous and near impossible... perhaps instead the line should be 'all known javascript vulnerabilities'?
  • Bleeding edge (Score:5, Informative)

    by imipak (254310) on Thursday May 12, 2005 @09:22AM (#12508360) Journal
    Although I've been an enthusiastic mozilla/firefox user & supporter since the late 90s (yes I was browsing with a 'naked' gecko control, HA! :P) I was surprised to find I'd lost track of development to the extent that I didn't realise the trunk builds have a much more up-to-date gecko engine. The gecko in the 1.0.x series (inc. 1.0.4) are a year old! Those users who prefer livin' on the edge might prefer to get a faster, smaller, much less memory-leaky build from: ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nigh tly/latest-trunk/ [mozilla.org]
    • For Mac users the Nightly builds also sorts a few problems .
      The browser is much smother , the middle mouse buttons works for things like auto scroll , open in a new tab and close tabs.
      Also the menu interface has been redone and is far more hetrogeneous to the os X enviroment.
      I tried out 1.0.4 and the mac problems above seemed not to be fixed so the nightly builds do provide a far more comfertable browsing experiance on os X
  • by amichalo (132545) on Thursday May 12, 2005 @09:25AM (#12508379)
    ...FireFox downloads double to 100 Million [spreadfirefox.com]!
  • Firefox speed..... (Score:3, Interesting)

    by SammysIsland (705274) on Thursday May 12, 2005 @09:36AM (#12508454)
    Back in the day when I first downloaded FireFox, one of my favorite parts of using it was how fast it would load up the first window when opened. It was almost instantaneous.

    The more I use it, the longer this actions takes. It doesn't matter if I clear cache and cookies, un-install plugins, or just plain uninstall and reinstall the browser.

    Is it simply the newer versions that cause it to load so slowly? My roommate has the same problem. Is anyone else experiencing this and is there an answer?

    Responses greatly appreciated. Thanks.
  • news? (Score:5, Insightful)

    by Errtu76 (776778) on Thursday May 12, 2005 @09:59AM (#12508675) Journal
    Disclaimer: I like firefox. I use firefox.

    Why is this news? Does this mean that every time firefox decides to update, it should be front page news? Can't you (slashdot) create a seperate field where the latest versions of popular products are announced? Like:

    product | version | last update
    firefox | 1.0.4 | today

    • Re:news? (Score:4, Insightful)

      by globalar (669767) on Thursday May 12, 2005 @12:02PM (#12509845) Homepage
      Most of the time, Firefox updates are not very important. However, the exploits which 1.04 fix were highly publicized.

      I saw many IT magazines, mostly targeted at management, with significant space (even a few covers) devoted to the exploit. It is an example of the Firefox (and Mozilla) team's committment that a patch came out so quickly. This is very important, as it shows open source products can compete in the very tough browser market.

      The progress of Firefox is now being watched by many - opponents and supporters alike. Firfox is under the spotlight and responding the serious issues - especially security, which has plagued IE - is crucial for the browser's future success. This is more about PR and brand recognition than security.
  • by carambola5 (456983) on Thursday May 12, 2005 @11:19AM (#12509437) Homepage
    I can't run the executable "firefox.exe" at work because it "has been disabled by the administrator." Solution? Rename to firefox2.exe.

    The only pain comes when firefox is updated... it leaves the firefox2.exe executable from the previous installation, and adds the new firefox.exe to the install folder. It then becomes a dumb little task to update all the icons and shortcuts scattered about my system.

    Wish there was some way to specify, during install, the resulting executable name. Of course, I have to be one of the maybe twenty people in the world who needs this, so maybe it's not worth the miniscule bloat.
  • by Master of Transhuman (597628) on Thursday May 12, 2005 @11:25AM (#12509504) Homepage

    leaves several vulnerabilities at LEAST as serious as the Firefox ones open UNTIL NEXT MONTH!

    Who said something about "time to patch" favoring MS?

    Firefox: vulnerabilities announced Monday.
    Patched by Thursday morning.

    Microsoft: vulnerabilities announced months ago.
    Patched - "Next month - maybe".

  • by masklinn (823351) <slashdot.orgNO@SPAMmasklinn.net> on Thursday May 12, 2005 @12:44PM (#12510336)
    It should be noted that 1.0.4 also features a JS bugfix which hastes said JS execution by around 20%.

    May sound like it suck... if you don't know that the whole XUL thing (basically everything in firefox but the Gecko engine itself: interface, extensions, userscripts, ...) is pure Javascript.
  • by baadger (764884) on Thursday May 12, 2005 @01:17PM (#12510733)
    If Slashdot wasn't so eager to sniff Firefox's hind leg this post would, and should, have mentioned Mozilla 1.7.8 as being released too.

Any program which runs right is obsolete.

Working...