Security-Updated Versions Of Mozilla Released
petabyte writes "As mentioned in this Mozillazine article, there are new versions of the Mozilla Suite (1.7.2), Mozilla Firefox (0.9.3) and Mozilla Thunderbird (0.7.3) available. They address 4 security bugs (linked from the Mozillazine article). Unlike Firefox 0.9.2, these can't be fixed with just a XPI upgrade, so you'll have to download a new binary and install."
Does this mean that . . . (Score:2, Insightful)
Why otherwise would it be required to download an entirely new browser to fix a few problems?
Re:Does this mean that . . . (Score:4, Insightful)
So, while you may have to re-download the whole browser, the actual file size is still smaller.
Re:Does this mean that . . . (Score:5, Funny)
Re:Does this mean that . . . (Score:5, Informative)
Re:Does this mean that . . . (Score:3, Interesting)
Re:Does this mean that . . . (Score:4, Funny)
Re:Does this mean that . . . (Score:3, Informative)
Piffle. Took me all of 30 seconds on cable, no mirrors used.
Re:Does this mean that . . . (Score:2, Redundant)
Re:Does this mean that . . . (Score:2, Informative)
Re:Does this mean that . . . (Score:3, Insightful)
This becomes less true, though, when Firefox requires you to download the 4 mb browser an infinite number of times. Which seems to be what it wants, since when I start 0.9.3 it tells me that a new critical update is available and that update turns out to be... 0.9.1. (And of course, if I install that and launch it, it will tell me that a new update is available...).
Re:Does this mean that . . . (Score:2)
Sure, but tell that to the poor guy who's using a 56k modem to download it, and has finite on-line time in a month before it starts costing him more. Not everyone has broadband, not by a long shot.
Even without that, the hassle of the updating process is just too much for your average user -- or even most power user geeks -- to put up with for long.
Re:Does this mean that . . . (Score:5, Insightful)
Maybe version updates. However, most IE fixes are a couple of hundred K. Right now, I have a cumulative update that's 2.8 meg that fixes a small handful of things. What you're suggesting would require a 4 megabyte download just to fix a typo in the credits.
"So, while you may have to re-download the whole browser, the actual file size is still smaller."
This would only be true under strange scheduling circumstances. On top of that, IE updates don't require an uninstall.
I easily prefer Firefox to IE, but this statement is misleading in a couple of different directions. Microsoft definitely has Mozilla beat when it comes to the efficiency of updates like this, whether you focus on just the size of the file or if you expand that out to the total end user experience.
Re:Does this mean that . . . (Score:5, Informative)
Internet Explorer 6 Service Pack 1 [microsoft.com]
I quote:
That's just *one*, and it's larger than the 5MB 0.9.3 release.
NeoThermic
Re:And? (Score:4, Insightful)
Since when is a service pack not an update?
Update [reference.com]:
1. Information that updates something.
2. The act or an instance of bringing something up to date.
3. An updated version of something.
Now. Please. Tell me how a Service pack doesn't count as an update?
NeoThermic
Re:And? (Score:2)
Four and more (Score:5, Informative)
The new Mozilla Firefox release fixes four security problems and all the other bugs that have been fixed in the aviary branch. Microsoft, on the other hand, hasn't published fixes to IE's layout engine since 2001.
Re:Four and more (Score:5, Insightful)
Re:Does this mean that . . . (Score:5, Insightful)
Maybe if you add together all the small IE updates, it totals more than 4mb at Windows Update.
I can download and install the full Mozilla package faster than I can reboot my computer every time there's an Internet Explorer patch.
That puts Mozilla ahead of IE, at least in my book. :)
Re:Does this mean that . . . (Score:3, Insightful)
Also consider that this *one* new install fixes what would require from Microsoft *four* patches. (And god knows how much time between each.)
As a side note, I got 0.9.3 before
Re:Does this mean that . . . (Score:5, Funny)
I'm impressed! How'd you get the 15,000x speedup?
[
for the math impaired:
1500KB/s = 12000Kb/s
12000Kb/s / 768bps = 15625.
]
Re:Does this mean that . . . (Score:2, Funny)
LK
Re:Does this mean that . . . (Score:3, Informative)
Speaking of download speeds, this is something I saw on a university link
OT: Re:RPM is RealAudio? (Score:3, Informative)
audio/x-pn-realaudio-plugin rpm
and should be:
application/x-rpm rpm
I have not come across any realmedia files with the
Re:Does this mean that . . . (Score:3, Informative)
Bullshit. [microsoft.com] There's a fix for an IE exploit. 365K. Would you want to reinstall your entire browser, just to fix that one little thing that you urgently want to get corrected?
Re:Does this mean that . . . (Score:4, Informative)
We are talking about IE here, not 2K.
As for an IE patch that is large?
IE6 SP1 [microsoft.com] - 8.7 MB to 12.7MB
IE5 SP2 for ME [microsoft.com] - 6MB to 17MB
Internet Explorer 6 SP1 Update: "HTTP 404 - File Not Found" Error Message When You Try to Visit Web Pages That Are Opened by JavaScript Functions in Frames or in Windows [microsoft.com] - 1.3MB
October 2003, Cumulative Patch for Internet Explorer 6 Service Pack 1 [microsoft.com] - 2.1MB
October 2003, Cumulative Patch for Internet Explorer for Windows Server 2003 [microsoft.com] - 4.2MB
October 2003, Cumulative Patch for Internet Explorer 6 [microsoft.com] - 2.5MB
Need me to continue? Or have I proved my point?
NeoThermic
Re:Does this mean that . . . (Score:3, Interesting)
Yes, you are correct, I pasted the wrong link. I'm sorry about that
"Need me to continue? Or have I proved my point?"
Yes, you have made your point. However, I have a counterpoint to make. We're comparing two different things, I believe. I was talking about individual patches; you're talking about cumulative updates in most of your links here. Even the big single one you show is 1/4th of the size of Firebird. (Mozilla? I keep getting the names confused.) M
Grumble Grumble (Score:5, Insightful)
Re:Grumble Grumble (Score:4, Interesting)
Re:Grumble Grumble (Score:3, Informative)
Re:Grumble Grumble (Score:2)
Could this work with Firebird? (Score:2)
I would've upgraded by now, but I don't want to have to redo all my settings and junk.
Mod parent up. (Score:4, Insightful)
Re:Mod parent up. (Score:5, Insightful)
Don't get me wrong, I love Mozilla and open source. But it's those little things that developers hate coding that get to me sometimes. Don't even get me started on a Linux install.
Re:Mod parent up. (Score:5, Informative)
Worked for me.
Re:Mod parent up. (Score:2)
Re:Mod parent up. (Score:2)
I use Mozilla, NOT Firefox, but what I do for upgrades is this (and I do not lose my installed plugins, Orbit theme and settings). My memory is a little vag
Re:Grumble Grumble (Score:2)
Just install over the top of your previous version, everything comes up and works fine.
</broken record>
Re:Grumble Grumble (Score:5, Informative)
If not, I usually save my plugins, delete the directory, install, then copy my plugins. My settings, bookmarks, and skins are all in my profile, and I haven't had to delete/recreate that in a while.
It sounds like you're just being too careful.
Re:Grumble Grumble (Score:3, Informative)
Heck, if you upgrade it yourself, it is as easy as aliasing
tar xvfz mozilla.tar.gz && cd mozilla && rm -rf plugins && ln -s
Re:Grumble Grumble (Score:3, Interesting)
I'll confess, updating should be painless for Firefox/Mozilla, but it's not.
Re:Grumble Grumble (Score:2)
Mod me as fanboy, I don't care, but this is solved with Gentoo. Is it perfect? Nope, but it solves the above grumble, as well as a slew of other things that I enjoy over my 2nd fav Linux, Slackware (which is no slouch in its own right...)
CB
Re:Grumble Grumble (Score:2)
It's a painless process, which I do about once a week since I like to use the nightlies.
No one is forced to move to a newer version. The older versions also work well.
Re:Grumble Grumble (Score:2)
You'll want to take a look at bug 237727 [mozilla.org]* to see that they are going to clear out some of the old files if you choose to reinstall over your old version. They have already done some good work on that bug for the next versions (FX 1
yeah, and unattended installs too (Score:3, Interesting)
The only ways I can see to accomplish a silent install are either:
Its not that hard (Score:4, Informative)
Rename current firefox directory.
Install firefox.
Copy plugins folder to new install.
Load firefox.
That's it. Your bookmarks and settings are in your profile, NOT in the install directory.
Some plug-ins will need to be reinstalled.
Re:It does this already (Score:4, Informative)
Last time I tried to install over an existing installation I seriously regretted it. Took me 3x as long to get everything worked out. So now I uninstall first.
Link on Firefox page is incorrect (Score:3, Informative)
Re:Grumble Grumble (Score:3, Informative)
From Point 14:
If Nautilus has been configured to use the Mozilla Gecko rendering engine, installing a mozilla.org binary on top of that may cause odd problems and conflicts. You should use the package of Mozilla supplied by your Unix or GNU/Linux distribution, as their version should work properly with their package of GNOME.
I have personally experienced problems where Mozilla refused to render anything secure (https) because I had overwritten
Re:Grumble Grumble (Score:5, Insightful)
RPM's ? (Score:2, Interesting)
0.9.? (Score:2, Insightful)
libpng (Score:5, Interesting)
FireFox Release Notes (Score:3, Interesting)
Oh well... perhaps I'm just weird for wanting to know what's new in this sub-release.
Try again if 0.9.3 for Windows didn't work earlier (Score:5, Informative)
The timestamps in the 0.9.3 release directory [mozilla.org] show that the Windows binary has been updated.
Got the supposed 0.9.3 for Windows earlier today, which didn't work. Process appeared in task list, but no window came up. Also, any place the version number appeared, it was still listed as 0.9.2. With the caveat that I don't know how those folks do their releases, I'll say that with the proper automation [pragmaticprogrammer.com], that oops-i-forgot-to-increase-the-version-number snafu should never happen.
Re:Try again if 0.9.3 for Windows didn't work earl (Score:2, Informative)
You're right about automation; even InstallShield can do it!
The actual vulnerabilities (Score:5, Informative)
http://bugzilla.mozilla.org/buglist.cgi?bug_id=25
IE catches shit for 2 out of the 4 bugs.
libpng buffer overflow - a lot of bitching goes on around here with regards to "OH M$ EVEN HAD AN OVERFLOW IN BMP HANDLING IN IE!!!"
null (%00) in filename fakes extension (ftp, file) - Variation of this got IE in trouble...
Re:The actual vulnerabilities (Score:2)
MAC OSX Complains (Score:5, Insightful)
Also, why is it we cannot search the bookmarks in the sidebar without crashing the whole application?
Small annoyances but we are getting awfully close to 1.0 and still no sign of improvement.
Safari is catching up in terms of speed and is looking ever more appealing!
Re:MAC OSX Complains (Score:2)
I also get this on my Windows box. I thought maybe my profile files were causing the problems, and that using a new profile might solve the crash occurrences...
Re:MAC OSX Complains (Score:2, Informative)
That's not the problem. (Score:4, Interesting)
I use an invisible root window in my application as well. Many applications use invisible windows, and they do not foul Exposé at all. Exposé will not show an invisible window, nor will it show an offscreen window (which is frustrating to me, as I have several tools that try to remember where windows were last displayed even on smaller monitors).
I really do not know what Mozilla is doing, but it is not that simple.
Re:MAC OSX Complains (Score:2)
Re:MAC OSX Complains (Score:2)
This is why I use Junkbuster [junkbuster.com] as opposed to relying on a browser based system.
No matter what browser I decide to use Safari, Moz, Firefox, Camino or IE (shudder) I get the same filtering rules.
I tried Privoxy [privoxy.org], but I found that for some odd reason it really slowed down local PHP scripts and since I use my PowerBook mostly for development I went back to Junkbuster.
Re:MAC OSX Complains (Score:3, Informative)
That's due to this bug [mozilla.org], which mangles any cross-platform theme using native scrollbars. (You'll have to cut and paste the link, as Bugzilla fears Slashdot).
Re:MAC OSX Complains (Score:4, Informative)
The four vulnerabilities... (Score:4, Informative)
# False certificates aren't really an exploit
250906 null (%00) in filename fakes extension (ftp, file)
# fake extensions aren't exploits
251381 new libpng buffer overflow vulnerabilities
# okay that is an exploit
253121 lock icon and certificates spoofable with onunload docume...
# that is not an exploit either
I think they should be more like bugs. I think Mozilla is just trying to play it safe. Ironically by them "being up front" they may end up driving people away from the browser...
--Joey
Re:The four vulnerabilities... (Score:5, Insightful)
Fake certificates help in all sorts of scams. Spyware, eBay scams, whatever. "Oh, this is signed by Macromedia. It must be safe!"
Fake extensions. We've all seen the results of simply adding a
Lock icon spoofable. So you go to a site you THINK is secured, but it turns out it isn't. Happy funtime on your credit card!
Not all exploits are code-based, not all exploits are related to software.
Re:The four vulnerabilities... (Score:3)
# fake extensions aren't exploits
Except this would allow text files (on your hard drive) to be parsed as html files (and get the javascript associated with them). However, it's not earthshattering as it would be in IE because if it were IE, it would get extra "local zone" permissions. The only addition of permissions in moz is being able to link to other file: locations.
# 251381 new libpng buffer overflow vulnerabilities
# okay that is an exploit
Howev
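The two comments above disagree about whether the "null (%00) in filename fakes extension" bug is an exploit; the mechanism behind it is worth seeing concretely. The following is an added example, not code from the thread or from Mozilla: it shows how a URL-encoded NUL byte makes a length-aware check and a C-string-style consumer disagree about a file's extension (exactly the text-file-treated-as-HTML situation described above), and the defensive check that closes the gap. The function names and the sample filenames are my own constructions.

```python
"""Added example (not from the Slashdot thread or the Mozilla code base):
extension confusion via an encoded NUL byte, and how a defender detects it.

A length-aware layer (Python strings, most URL parsers) sees the whole
decoded name.  A consumer that treats the buffer as a NUL-terminated C
string stops at the first \x00.  If the two disagree about the extension,
the content type the user was "shown" is not the one that gets handled.
"""
from urllib.parse import unquote

# Hypothetical extension -> handler table for the illustration.
HANDLERS = {".txt": "text/plain", ".html": "text/html", ".png": "image/png"}


def extension_length_aware(name: str) -> str:
    """Extension as a length-aware string layer sees it (last '.' onward)."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def extension_cstring(name: str) -> str:
    """Extension as a NUL-terminated consumer sees it: everything after the
    first \x00 is invisible to it, so the extension comes from the prefix."""
    prefix = name.split("\x00", 1)[0]
    return extension_length_aware(prefix)


def classify(encoded_name: str) -> tuple[str, str, bool]:
    """Decode a URL-encoded filename and report (checked_ext, used_ext, mismatch).

    checked_ext is what a sanitiser working on the full decoded string would
    approve; used_ext is what a C-string-based consumer would actually act on.
    mismatch is True when a NUL byte drives the two apart.
    """
    name = unquote(encoded_name)
    checked = extension_length_aware(name)
    used = extension_cstring(name)
    return checked, used, checked != used


def handler_for(encoded_name: str) -> str:
    """Defensive version: reject any decoded name containing a NUL byte
    (or other control characters) before choosing a handler, so both layers
    are guaranteed to see the same extension."""
    name = unquote(encoded_name)
    if any(ord(ch) < 0x20 for ch in name):
        raise ValueError("control character (e.g. NUL) in filename: %r" % name)
    return HANDLERS.get(extension_length_aware(name), "application/octet-stream")


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    for sample in ("readme.txt", "notes.html%00.txt", "shot.png%00.txt"):
        print(sample, "->", classify(sample))
    for sample in ("readme.txt", "notes.html%00.txt"):
        try:
            print(sample, "handled as", handler_for(sample))
        except ValueError as exc:
            print(sample, "rejected:", exc)
```

The point of `classify` is the third value: when it is `True`, whatever check approved the name was looking at a different extension than the code that will open the file. `handler_for` shows the cheap fix that applies regardless of which layer is the C string: refuse control characters after decoding, rather than trying to reason about which consumer truncates where.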
Linux installer bug (Score:5, Informative)
I downloaded the linux installer version (firefox-0.9.3-i686-linux-gtk2+xft-installer.tar.gz) linked from the Firefox page and it seems to have a little bug:
** (firefox-installer-bin:3120): WARNING **: Invalid UTF8 string passed to pango_layout_set_text()
It winds up with an incomplete installation. However, if you just download the gzipped tarball without the installer from here [mozilla.org] and untar it over your old firefox directory you should be just fine.
payment for finding critical bugs (Score:4, Interesting)
x86_64 anyone? (Score:3)
Why does Thunderbird use IE??? (Score:2)
Re:Why does Thunderbird use IE??? (Score:3, Funny)
If you tell them about the problem they'll hurry to solve it, I'm sure...
one thing to note (Score:3, Insightful)
Anyone managed to build 1.7.2 from source? (Score:2, Redundant)
I tried grabbi
Gentoo (Score:5, Funny)
Not on Gentoo, you insensitive clod!
Easiest of upgrades (Score:4, Interesting)
Upgraded from 0.9.1 to 0.9.3. Didn't have to fiddle with turning off extensions or re-downloading them and reconfiguring them this time. Continues to use the same
Where are the Changelogs? (Score:3, Interesting)
I remember that for every release there used to be a link to the Changelog with details on all the new changes since the last minor update (eg v1.6.1 to v1.6.2). Is the new site/design just too "user friendly"?
(After some browsing I did find a link to an *external* website with change details, but can't find it again now... @_@)
Reality check, please. (Score:5, Insightful)
Prior to 0.9, Firefox was only being updated every few weeks, with each release holding many fixes since the last release. I think the increase in releases has mainly been due to the fact that in the last month or so the user base of Firefox has gone up dramatically.
I am sure this has put a lot more stress on the Firefox dev team because now people are starting to rely on their browser to be as good as IE and with whole organisations now looking at using Firefox over IE, the pressure must really be on to make sure it lives up to expectations.
Once Firefox hits version 1.0, people will get real shitty if it has bugs and security flaws, so the more they fix during 0.9.+ the better. Until then, I am happy to keep downloading it, daily if needed.
Get the news first... (Score:4, Informative)
http://www.mozilla.org/community/developer-forums
MozillaZine.org also does a good job of summarizing the development, but it's almost always 2-3 days late.
For the true cutting-edge lizard in you, there's always the feedhouse:
http://feedhouse.mozillazine.org/ [mozillazine.org]
And of course it has RSS feeds.
For those of you wanting to know when specific bugs have been fixed, I find the "edge" websites to be most simple to read (although not thorough):
The Rumbling Edge (for Thunderbird):
http://weblogs.mozillazine.org/rumblingedge/ [mozillazine.org]
The Burning Edge:
http://www.squarefree.com/burningedge/ [squarefree.com]
Sadly, there is no information about the releases almost a day after they have been out on http://mozillaeurope.org/en/ [mozillaeurope.org]
Enjoy!
Letting People Know (Score:5, Interesting)
What I find odd is that despite this release being focused on patching security vulnerabilities there's no noticeable mention on the web site of the importance of this update. I leave my home page set to the FireFox page in hopes that there will be a clear message saying if there's a need to upgrade, but the page itself only says 0.9 -- and I'm fairly confident that the average user isn't going to figure out the difference from the front page (which now says 0.9.3, but how many users are aware of what version they're using?) It wasn't until I read slashdot that I was made aware of the release of this security update, and who knows if something could have happened since then?
While I don't expect a windowsupdate.com for Mozilla, being that a main criticism of users is their failure to keep software updated why don't the developers make it more clear that an update is even present?
Version MisMatch Alert. (Score:3, Informative)
Just a heads-up to everyone rushing to download without checking. The mozilla.org web guys might want to fix that too.
Cheers.
Unfortunately this still doesn't fix the render (Score:3, Informative)
Re:Unfortunately this still doesn't fix the render (Score:3, Informative)
If you want fixed Slashdot, go and get a trunk nightly build.
Auto Update (Score:3, Interesting)
Anyone know why the version information for the file for 0.9.3 lists 0.9.0.0? Right click firefox.exe and then properties then version tab.
IE has an executable of a few KB (WinXP).
Re:Auto Update (Score:3, Insightful)
Hmmmm (Score:4, Interesting)
Now, getting back to IE, yes, I did look at ripping it out. Not so easy on XP Pro as any user who signs in gets linked to the program by default. I could banjax the program directory, and stop it being used that way, but if I do that, I believe I can still call windowsupdate.com via an explorer window. I presume however, that anyone using the same method uses the same culpable browsing that impairs IE. Thus I'm not really solving the problem, just fending it off until the users get smart.
In terms of Mozilla and Firefox, sadly I have to say the security failure regarding
Today, I'm told if I had rolled out Mozilla, someone's just committed me to a wholesale re-rollout just because they can't patch, they have to fix it in a new install.
I've said it before, I'll say it again, doing this to me just puts me right off even contemplating it. Next week, watch out, the next Mozilla issue will rear its ugly head.
I sadly have to put aside the OSS/MS stuff, because whatever I put out there has to work, and it's not about ideology, I do not care about ideology. Mozilla is a fine effort, but the security side leaves much to be desired. One is hard pushed to claim that it's a quantum leap in browser security.
AdmV
Re:Firefox (Score:3, Insightful)
I suggest we tell the Mozilla Foundation guys to buy some O'Reilly security titles and read up, and come back with something that's actually not buggy
Hi, welcome to Firefox beta .93
Anyway, do you think that FF/Moz should take the Windows route and refuse to acknowledge vulnerabilities, and simply hope they pass by with no one else noticing? Please, think a little bit before posting a comment.
Re:Firefox (Score:3, Insightful)
Yeah, Firefox beta, right up there next to Mozilla 1.7.2. Just keep talking about how it's all 'unfinalized, buggy beta software' and I'm sure you'll convince a lot of people to stop using Internet Explorer.
That being said, I'm glad to see the bugs being acknowledged and fixed, even if I don't personally agree with the way some of these bugs have been handled.
Re:Firefox (Score:2)
Touché. Although I've never thought of Moz at V1.0 to be usable enough to make into my main browser anyway. Hopefully FF1.0 will be really really ridiculously good working.
However, it's my opinion that FF >> IE, in so many respects as to be overwhelming. I was having a conversation with someone the other day about FF extensions, and how they do so many cool things so easily. How will IE ever be able to catch up? It seems like anything for IE with the usefulness of the FF/Moz extensions (10k - 100
Re:Firefox (Score:2, Interesting)
Re:Firefox (Score:2)
Re:Firefox (Score:2)
Re:Firefox (Score:2)
Re:First Post! (Score:3, Interesting)
Anyway, I am really glad to see this. I work at an ISP, and deal with a lot of these ad/mal/viral-ware that gets onto IE despite our best efforts. So, we have been deploying Mozilla Fire(something) and Thunderbird programs - and PEOPLE LOVE IT!
What makes them happy - makes me very happy!
Re:slashdot still refuses to render in firefox (Score:5, Funny)
Re:Except nobody's making these excuses (Score:3, Interesting)
"At 5MB for Firefox (on windows), it's far smaller than the average IE 'patch', which normally are around 7 MB or so."
"IE catches shit for 2 out of the 4 bugs."
"Anyway, do you think that FF/Moz should take the Windows route and refuse to acknowledge vulnerabilities, and simply hope they pass by with no one else noticing? Please, think a little bit before posting a comment."
Thank you,
Xeon
Re:UI Spoof Not Fixed (Score:5, Funny)
Yes.... FireFox is your father.
Re:For $500... (Score:4, Funny)
I don't have to imagine it; we can see how well it works with microsoft products.
They have paid programmers so there is no exploits and flaws in their software, right?
Re:Mozilla 1.7.2 and Slackware 10 (Score:3, Insightful)