Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Mozilla The Internet Security

Firefox 0.10.1 Released, Fixes Security Hole 441

_xeno_ writes "Firefox 0.10.1 was released today to fix a security flaw that could potentially allow a malicious site to erase files from the user's Download directory. If you already have Firefox 0.10 installed, you can go to Tools, Options, and choose Advanced, go to Software Updates and choose Check Now to grab the patch."
This discussion has been archived. No new comments can be posted.

Firefox 0.10.1 Released, Fixes Security Hole

Comments Filter:
  • done already! (Score:5, Informative)

    by tuggy ( 694581 ) on Saturday October 02, 2004 @08:42AM (#10412722) Homepage Journal
    upgrade done in 3 seconds!
    this is what i call being secured :D
    • Re:done already! (Score:2, Insightful)

      by distributed ( 714952 )
      wow.. no shit ! it actually took just 3 seconds..

      I wonder what IE can do about this...
      The windows update site takes a hell of a time to load and then scan @ a snails pace.

      And live feeds are simply amazing... thats how i check slashdot now, and cot this post.

      great work guys.
      • Re:done already! (Score:4, Informative)

        by ZeroPost ( 792045 ) on Saturday October 02, 2004 @11:22AM (#10413578) Homepage
        To be fair, Windows Update scans for updates to a lot more software than Firefox.

        Firefox can scan a lot faster than Windows Update because it is only checking for updates to a single program.

        Of course, Microsoft could make an option within IE to scan for IE-only updates, which would make updating IE much faster, but they don't.
        • by The Snowman ( 116231 ) * on Saturday October 02, 2004 @01:34PM (#10414422)

          Of course, Microsoft could make an option within IE to scan for IE-only updates, which would make updating IE much faster, but they don't.

          What is the point? Since IE is integrated into the operating system, updates require reboots even under Windows XP which is a lot better with regards to rebooting than previous versions. Anyway, even if the actual update is faster, you would still have to wait for the reboot.

          I just updated Firefox in less than ten seconds, and I did not have to restart the browser, certainly not the entire operating system (Windows XP in this case).

    • It seems to me an upgrade all the way to V1.0 would be the right way to go. Isn't V0.10.0 pretty damned old?

      BTW, I tried to follow the upgrade instructions, but apparently the exploit doesn't affect the Linux version, so you folks might want to consider an OS upgrade while you're at it.

      • Re:done already! (Score:4, Informative)

        by jd142 ( 129673 ) on Saturday October 02, 2004 @10:00AM (#10413135) Homepage
        Apparently software version numbers don't work like "real" numbers. ;) In other words, those aren't decimal places, their merely dividers. .1 is not equal to .10. The order goes .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11. 0.10.0 came out about 2 weeks ago.
    • by Epistax ( 544591 ) <(epistax) (at) (gmail.com)> on Saturday October 02, 2004 @09:06AM (#10412852) Journal
      I must admit I/it fumbled. I went to the mozilla website as posted in the subject and hit the "click here". What happened? A funny bar appeared near the top saying that Firefox protected me from the website. Luckily there was an options button which allowed me to add www.mozilla .org as a trusted site and it was all very obvious to me, but it won't be obvious for my parents (who I switched to Firefox).
      • Re:done already! (Score:3, Informative)

        by scat-cat ( 606809 )
        It stopped a popup. The bar alerts you so that you can allow popups from the sites you want.
        • Re:done already! (Score:4, Interesting)

          by Epistax ( 544591 ) <(epistax) (at) (gmail.com)> on Saturday October 02, 2004 @09:24AM (#10412938) Journal
          I don't believe it was that message. This appeared as a bar at the top which stated (loosely) that it prevented the website from running... something or other. I don't have it inform me in any way when it blocks a popup. Anyway it had an options button which had a list of trusted sites. update.mozilla .org was already on the list, however the link originated from www.mozilla .org so it wasn't picked up. I would say they should add that site to the list.
        • Re:done already! (Score:3, Informative)

          by boredMDer ( 640516 )
          http://boredmder.com.nyud.net:8090/~pmohr/images/s mart%20firefox.png
      • Re:done already! (Score:3, Interesting)

        by rainman_bc ( 735332 )
        Bit OT but...

        I was just over at a friend's place and made the pitch for FF... The response I got? "But I LIKE Internet Explorer". Touch pitch. She liked clicking on the blue "e" to surf the web instead of that strange FF logo.

        I've switched a tonne of people already though. Many more comverts on the way. The campaign for FF is on!
  • by -kertrats- ( 718219 ) on Saturday October 02, 2004 @08:43AM (#10412726) Journal
    But what exactly is the worry here? It deletes files in your download directory? Does that really matter? Could someone enlighten me on why its worth the bother to uninstall and reinstall for this?
    • by neodude88 ( 799799 ) on Saturday October 02, 2004 @08:45AM (#10412734) Homepage
      Maybe because you don't need to reinstall to upgrade to this patch? Just update.

    • well, it would be quite frustrating if your download directory is your Desktop, homedirectory or any other place where you keep other files too.
      not to mention all the pron you have to download again :-) j/k

      Ricardo.
    • Some people have a dedicated download directory they only use for temp storage until moving the file into a permanent place (or deleting it).

      There are, however, a lot of users who pack all their stuff onto the desktop or into "My Documents" with no or little subfolders. For such use cases, the patch is indeed worth installing.
    • by dwhitman ( 105201 ) on Saturday October 02, 2004 @08:51AM (#10412773)
      But what exactly is the worry here? It deletes files in your download directory? Does that really matter? Could someone enlighten me on why its worth the bother to uninstall and reinstall for this?

      1. Suppose your download directory isn't dedicated to just downloads. Any files in that directory are vulnerable.

      2. You don't need to uninstall and reinstall. As the article says, just go to tools: options: advanced: software updates and hit the Check Now button

    • by LurkerXXX ( 667952 ) on Saturday October 02, 2004 @08:57AM (#10412811)
      Does it matter? My pr0n! All my precious pr0n!!!
    • by compwizrd ( 166184 ) on Saturday October 02, 2004 @08:59AM (#10412823)
      because firefox on windows uses the Desktop as the default download location.
    • Right now, the parent post :

      This may sound stupid...by -kertrats

      has just been modded, within seconds of being posted, as "Flamebait".

      How on earth is that post flamebait?

      The article discusses a vulnerablility.

      kertrats asks:

      But what exactly is the worry here? It deletes files in your download directory? Does that really matter?

      How is asking others on /. for their insight into this vulnerability "flamebait"? Isn't that what /. is all about, discussion? He/she didn't bash on Mozilla, or t

    • But what exactly is the worry here? It deletes files in your download directory? Does that really matter?

      ...you don't download to C:\, do you?
    • by igrp ( 732252 ) on Saturday October 02, 2004 @10:01AM (#10413141)
      Others have pointed out that some users may use ~ or their desktop as their download directory. That may not be a smart thing to do but that's really beside the point.

      Any vulnerability that allows remote users to alter content is by definition critical. It doesn't matter if you think it's a big deal. There should be no unauthorized access to files, period.

      Your non-critical files aren't 777, are they? Now why is that? Well, despite the fact that data is non-critical, recoverable or maybe even pure gargabe you still wouldn't want people to mess with it, would you?

      Think about it: you probably have a lots of old stuff, bank statements and what not somewhere. That data is useless to me (value == 0). By your logic, I could just throw it all out since it doesn't matter to me. It may still be valueable to you though. And even if it weren't, you still probably wouldn't appreciate me going through your stuff and tossing whatever I don't deem important.

      See, all attacks that allow any access control circumvention at all are critical. Just because it's not critical to you, doesn't mean every feels the same way.

      That's why disclosing the vulnerability and making an update available ASAP was a very good move on part of the fine folks at Mozilla. I just wish there was a mechanism to do manual network-wide mass roll-outs of critical updates (ie. rolling out critical updates immediately without having to wait for Firefox's periodical checks).

  • by theparanoidcynic ( 705438 ) on Saturday October 02, 2004 @08:45AM (#10412737)
    Who finds this version numbering scheme damn confusing? The actual program calls itself 1.0PR but the directory structure on the Mozilla server and CowboyNeal call it 0.10.1. Anyone care to explain what's going on here?
    • by wongn ( 777209 ) <nathan.random@g m a il.com> on Saturday October 02, 2004 @08:50AM (#10412764) Homepage
      It is quite confusing. I believe that 1.0PR was called 0.10 in order to distinguish it better from 1.0RCs and above. THe program actually calls itself "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040913 Firefox/0.10.1", as in 0.10.1, but the "laymans" name is 1.0PR... you could say ;)
    • Ya know, those dudes at Mozilla might be using hex instead of decimal, i.e. Firefox 1.0 == Firefox 0.16
      1. Who finds this version numbering scheme damn confusing?

      It's a traditional numbering scheme. I've used similar ones for about 15 years!

      To eliminate some confusion, I tend to use numbers like this ...

      5.02.003.0456

      ... instead of ...

      1.3

      ... since the leading zeros sort more easily!

      The numbers breaks down like this;

      major.minor.beta.build

      Where

      major = public number people can identify
      minor = public revision number
      beta = showing that this is not a formal release
      build = the build number or date

  • by Mustang Matt ( 133426 ) on Saturday October 02, 2004 @08:47AM (#10412750)
    So after doing the update through the advanced options should my browser report 0.10.1 under help about? Because I still have 1.0PR
    • Ah nevermind (Score:3, Insightful)

      I see the 0.10.1 at the bottom in the user agent string.
    • I was confused too. Until I broke it down.

      0.10.1 = Version 0, 10=October, 1=day of release.

      • While your logic is good, your reasoning is wrong. This is just version 0.10.0 also known as 1.0PR with a security update which bumped it up to 0.10.1. Doesn't have anything to do with dates, just a coincidence.
        Regards,
        Steve
    • by Anonymous Coward
      This isn't really that confusing if you understand the new Firefox naming algorithm, which was implemented with one line of Python:

      version = ''.join([random.choice('10.') for x in range(random.randrange(10))])

      At each release point, this algorithm will be run and the version will be numbered accordingly.

  • Helpful bug (Score:5, Funny)

    by Ford Prefect ( 8777 ) on Saturday October 02, 2004 @08:48AM (#10412753) Homepage
    ...could potentially allow a malicious site to erase files from the user's Download directory

    My download directory in Windows is my desktop. Have you seen my desktop? [man.ac.uk] It's a fairly old screenshot, too - it's only got worse since then. My iBook's equally bad, except everything's just randomly strewn around the place...

    A bit of remote tidying-up would be greatly appreciated. :-)
  • When... (Score:5, Interesting)

    by Moby Cock ( 771358 ) on Saturday October 02, 2004 @08:48AM (#10412755) Homepage
    I'm just curious if anybody knows how long this patch took to be released. That is, what was the turnaround time from the discovery of the bug to the release of this patch? In the past it has been a fast as a few hours. The longest I think was only a day or too.

    • Re:When... (Score:5, Informative)

      by aliebrah ( 135162 ) * on Saturday October 02, 2004 @09:32AM (#10412972) Homepage
      In a few days, you'll be able to see the full bug report here:

      http://bugzilla.mozilla.org/show_bug.cgi?id=2597 08

      Currently, it's not scheduled to be marked as public before 4th October. It's still marked as private so that people have an opportunity to upgrade before the details are made public.
    • Re:When... (Score:3, Informative)

      by Stuwee ( 739059 )

      I'm just curious if anybody knows how long this patch took to be released.

      Looking through Mozilla's Bugzilla [mozilla.org], it would seem as if the bug was first realised on the 23rd of September in a comment to bug 240068 [mozilla.org], and then had a seperate security-sensitive -- and hence restricted access -- bug report opened yesterday. I'll leave others to comment on the acceptability.

      Bugzilla links referring from Slashdot are blocked, so the above links will have to be manually opened unless your referrer header is obfus

  • No go (Score:3, Interesting)

    by Anonymous Coward on Saturday October 02, 2004 @08:51AM (#10412772)
    "Firefox was not able to find any available updates" - this on a vanilla install of the 1.0 PR.
    • Re:No go (Score:3, Informative)

      by ricotest ( 807136 )
      No matter, just visit the press page linked by CowboyNeal and click the link to install the XPI patch directly.

      Firefox will probably block it, but two more button-presses to whitelist www.mozilla.org for patch installations and you'll be able to apply it.

      If this sort of thing continues they should definitely add www.mozilla.org to the default whitelist.
  • Cool. Upgrade Path (Score:5, Insightful)

    by darkmeridian ( 119044 ) <william,chuang&gmail,com> on Saturday October 02, 2004 @08:52AM (#10412784) Homepage
    This is what open-source needs: a quick and convenient upgrade/patch system. I went to the system settings and ten seconds later, my Firefox was patched.

    Now if only Gaim does this.

    Will
    • by jrcamp ( 150032 ) on Saturday October 02, 2004 @09:17AM (#10412899)
      No, this is the job of package management systems under Linux, be it apt-get, emerge, urpmi, yum, etc. Individual programs don't need to start implementing their own update schemes. For third party packages there will be autopackage.org one day I hope, and updates could be done through that.
  • These hurt... (Score:4, Insightful)

    by deminisma ( 703135 ) on Saturday October 02, 2004 @08:52AM (#10412786)
    Considering Firefox is supposed to be the secure alternative, 13 security advisories [secunia.com] in the last 6 or so months isn't a good look.

    Sure it isn't that bad, but nonetheless, it doesn't help the Firefox's image at all and looking at Secunia, Firefox has had more advisories than any other browser, (yes, that includes Internet Explorer and the Mozilla Suite) since May this year.
    • Re:These hurt... (Score:5, Informative)

      by kryptkpr ( 180196 ) on Saturday October 02, 2004 @08:55AM (#10412797) Homepage
      You must not be aware that the mozilla foundation has put out a bounty [mozilla.org] where they reward security researchers $500 for finding critical remotely-exploitable vulnerabilities and reporting them.

      What you're seeing are the results of this program.. people are finding bugs, submitting them, and the bugs are being fixed before blackhats can exploit them.

      This is a very wise decision on the part of Mozilla considering how close they are to a v1.0 release.
    • Forget about the number of holes. Remember, this is still a 0.x release.

      In otherwords, it's beta. This kind of stuff is going to happen.

      Aside from that rather mediocre detail, rather than counting the number of holes in something, try and take a look at the period of time that exists between initial discovery and when the hole gets closed.

    • Re:These hurt... (Score:5, Informative)

      by lachlan76 ( 770870 ) on Saturday October 02, 2004 @09:30AM (#10412957)
      13 security advisories in the last 6 or so months isn't a good look.

      And how many are there in IE that we haven't found yet? The dangerous exploits are the ones we don't know about.
      And besides, do you expect Secunia to have all the security flaws from when IE was in beta? Or do you find it strange that a beta product has had more security flaws found in the last 6 months than the one that's been around and insecure for years.

      Not to mention that none of the advisories were ranked "extremely critical", and only 2 were critical.

      Not to bad for a beta product. Also (from Secunia):
      1. Microsoft Internet Explorer 6 with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Extremely critical
        Currently, 19 out of 60 Secunia advisories, is marked as "Unpatched" in the Secunia database.
      2. Mozilla Firefox 0.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
        Currently, 2 out of 13 Secunia advisories, is marked as "Unpatched" in the Secunia database.

      Which would you trust?
  • It's way too late to save netscape as a company (and maybe a good thing too, their releases sucked), but ms is definitely on the skids judging by the access logs of the sites I run (not just the linux related ones).

    • by timmyf2371 ( 586051 ) on Saturday October 02, 2004 @09:00AM (#10412826)
      What type of sites is it you operate? Here are some logs from a 100% non-technology related site which still shows Internet Explorer as by far the most-used browser.

      Note that the Opera browser shown in Rank 3 should not be taken as accurate as this merely runs a "ticker" on auto-refresh setting every 10 minutes.

      # Hits User Agent
      1 31005 15.75% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
      2 20925 10.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1
      3 11074 5.63% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Opera 7.50
      4 10596 5.38% Opera/7.50 (Windows NT 5.0; U) [en]
      5 9893 5.03% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko
      6 8281 4.21% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
      7 7856 3.99% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProd
      8 6113 3.11% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
      9 5286 2.69% Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
      10 4868 2.47% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
      11 4795 2.44% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko
      12 2915 1.48% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2) Opera 7.50
      13 2885 1.47% Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko
      14 2783 1.41% Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)
      15 2645 1.34% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54
    • by aardvarkjoe ( 156801 ) on Saturday October 02, 2004 @09:01AM (#10412830)
      it's nice to see ms finally losing the browserwars
      Yeah, now not only do we get a browser as good as IE, it's got similar security "features" too...
    • ms is definitely on the skids judging by the access logs of the sites I run (not just the linux related ones).

      evidence like this is worthless without a clearer picture of your target audience, number of hits, etc., etc.
      remember too that the giant OEMs like Dell continue to ship seven to nine million XP-SP2 systems each month with IE 6 installed as the default browser.

  • by 3seas ( 184403 ) on Saturday October 02, 2004 @08:55AM (#10412801) Homepage Journal
    ... under the main menu edit, then preferences ... then advanced... to Software updates
  • Probable bug . . . . (Score:5, Informative)

    by theparanoidcynic ( 705438 ) on Saturday October 02, 2004 @08:55AM (#10412802)
    I ran this thing last night forgetting that Firefox was installed to a location that user accounts can't write to.

    Seeing the error mesage and remembering this fact I lit Firefox as root and ran the update. This left Firefox mangled and incapiable of downloading things from the user accounts.

    The moral of the story: do be careful using the update thingy. Now, off to fill out a bug report.
    • by aonifer ( 64619 ) on Saturday October 02, 2004 @09:32AM (#10412971)
      I just installed the fix as root, closed Firefox, reopened Firefox as root to verify that the fix was applied, then closed it and reran as a regular user. The regular user account doesn't know that the fix was applied (the red button is there and when I click on it, it says it needs to download the fix). Either there's some kind of permissions problem, or the update information goes into root's profile, and not system-wide.
      • by aonifer ( 64619 )
        It turns out it's a permissions problem. If you check ${FIREFOX_HOME}/install.log, you see it replaces components/nsHelperAppDlg.js and installs defaults/pref/bug259708.js. In my case, they both were readable only by root. I just did a "chmod +r" on those files and now it works fine.
  • Funny, but my 'tools' menu doesn't have 'options' in it. I have 'edit->preferences' then an 'advanced' option in that preferences area.

    Is the terminology different on different versions?
  • by dacarr ( 562277 ) on Saturday October 02, 2004 @09:06AM (#10412853) Homepage Journal
    Another user has pointed out that the Advanced option is under Edit|Preferences. Note, you must be root to do this - not merely 'su', but 'su -' at the bare minimum.

    If this doesn't work, of course, you'll have to download and install, which is almost as painless as the upgrade frob. The red 'upgrade' icon may still be present, so you'll have to click that so that Firefox will find that all is well with the world.

    As always, YMMV.

  • by kikensei ( 518689 ) <joshua@nOspaM.ingaugemedia.com> on Saturday October 02, 2004 @09:07AM (#10412856) Homepage
    Last night I noticed a nifty pulsing red bubble in the upper right-hand corner of my Firefox toolbar. Clicking it revealed a message from the software-updater stating that an urgent fix was availeble. I clicked allow install, and it was done in ten seconds. Very nice that the browser alerted me to a fix and patched itself in no time at all.
  • by fine09 ( 630812 ) on Saturday October 02, 2004 @09:17AM (#10412895)
    The issue isn't that there is a new expliot. The good thing is that we found out about the exploit by having to apply the patch to fix it.

    No software is perfect, any software that has any contact with the internet can have a exploit. It all depends on how fast the developers are able to discover and fix the problems.
  • by pestario ( 781793 ) on Saturday October 02, 2004 @09:19AM (#10412908) Journal
    "...a security flaw that could potentially allow a malicious site to erase files from the user's Download directory."

    I would consider this a feature more than a bug. It's like someone breaking into your house and taking out the garbage for you...
    • I would consider this a feature more than a bug. It's like someone breaking into your house and taking out the garbage for you...

      Or for most of us, it would mean someone breaking into your house, shreding your porno mags, demagnetizing the VHS porn, and scratching and shredding the DVD porn...bastards! :P
  • Explaining 0.10.1 (Score:5, Insightful)

    by XoloX ( 816533 ) on Saturday October 02, 2004 @09:20AM (#10412913) Homepage

    The reason (for as far as I know) that Firefox uses this versioning scheme:

    If 1.0PR would have a version-tag with 1.0 in it, it would be more complicated for (for example) extensions to differentiate 1.0PR and the real 1.0. And home-users would probably not even get to see these version-numbers. They would just notice there is a new update.

    And about the bugs, I know I'm stating the obvious, and that it's been said before in this thread, but I'll try again:

    First of all, because Firefox performs so well people tend to forget this is still beta-software! Second, these bugs are discovered partially because of the bughunting program with rewards. So these bugs could well have existed for months before being discovered. It's good news they have already been squashed! And third, some of these bugs actually appeared because of the way Windows fucks up! (Remember the shell:// protocol?)

    Hope this helps,

    XoloX

  • by Anonymous Bullard ( 62082 ) on Saturday October 02, 2004 @09:20AM (#10412917) Homepage
    The other day I met a friend of mine who looked unusually exasperated and distressed and knowing that I fiddle with 'puters he asked for my help (or anyone's to that matter, he was ready to dig deep to get his problems sorted) in solving issues with his brand new 2-week old system.

    I haven't done (ms-)windows since the beginning of time and since he doesn't know *anything* about computers it was hard trying to figure out what might've been the problem, but it sounded like the typical standard unprotected ms-windows setup that was probably also loaded with spam and ad-ware, bogging down even his simple efforts at browsing the web.

    Knowing that quite a few people here have experience with cleaning up the standard MS-install mess, I would like to ask what needs to be done to plug the major holes and deficiencies in a new MS setup?

    Firefox is an obvious rescue tool to replace MSIE so are there any issues when installing it or does it automatically and painlessly migrate all necessary MSIE data?

    And what about utilities to remove the spyware his machine may already be infested with? Any suggestions?

    I'm hoping to be able to burn all these goodies on a CD to give him so I also wonder whether they're easy enough to operate by a total non-techie?

    Since his "computing needs" appear to be very simple I'm also giving him a Linux liveCD (perhaps Ubuntu-based Gnoppix would be a good starter with its simplified GUI and it also comes with Firefox) to try out and play with but before completing his conversion I'd need to evaluate how well e.g. OpenOffice.org fulfills his needs at this point.

    • If they are going to stick with Windows, the three things I always install are Zonealarm [zonelabs.com] - free firewall, Adaware [lavasoftusa.com] spyware removal - free for personal use, and Spybot search and destroy [safer-networking.org] - another free spyware removal that complements Adaware also inncoculates IE against common exploits. There are also good free virus checkers (don't know any off the top of my head) but people I have helped have all already had virus checking software installed at least.

      I also usually try to get them to install a router wit
  • by ngunton ( 460215 ) on Saturday October 02, 2004 @09:27AM (#10412948) Homepage
    The thing that strikes me here is that the ability for browsers to have convenient, automatic features (and, in the case of Firefox, UI customization capability up the wazoo) is simply another form of the same mentality that made IE into such a security nightmare. The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place. The Mozilla press release even has a "click here" link to automatically install the patch! Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead. The bloated XUL interface engine that makes Mozilla (and Firefox) next to unusable on my old workstation (450 MHz, RH 7.3) also means that the UI can be totally changed - this, to me, is very scary. Because if something can be totally changed, then I can guarantee that eventually someone will figure out a way to totally change it without my consent.

    Why not just design a browser that works on multiple platforms, using an established cross-platform GUI such as wxWidgets, rather than going away to create a browser and coming back with another new, slow, bloated, universal uber-platform swiss-army-knife UI language... yeah, I know, "Do it yourself dude", and plenty of geeks out there just love the customizability of XUL, but truthfully all I want is a fast, small browser. It just seems like everything is getting larger, slower and more bloated these days. Even Firefox, which is supposed to be sleek and fast, runs like a dog on my workstation. I don't see why I should have to upgrade my computer just for a fricking browser, when every other piece of software that I use runs just fine thanks very much.

    I don't hate Mozilla, these are just my honest reactions to the whole affair over the last couple of years.
    • The browser relies on a trusted sites white list for execution of the type of files in question.
    • by groomed ( 202061 ) on Saturday October 02, 2004 @10:18AM (#10413246)
      It's not that simple. To fully support CSS, for example, Gecko (the page rendering engine that's used by Mozilla, Firefox, and Thunderbird) has to be able to change the way buttons and other elements are drawn. And it has to be able to control z-ordering, i.e. it has to be in control of what happens when you draw two buttons on top of eachother. The same goes for things like charset support, printing, accessibility, etc.

      To provide full support for the W3C standards, you need widgets that provide very specific capabilities. Toolkits like wxWidgets have the opposite goal: they work by hiding specifics from the application programmer. There is a fundamental mismatch between the two.

      If you want to fully support all the standards that make up the web across different operating systems, you end up with something like Firefox. It's not primarily some geek pride thing (although that always plays a role); it is primarily a consequence of the complexity and scope of the standards involved.
    • The user has to actually initiate the update themselves. You simply see a little red arrow, click it, and then are asked to update. Why is this bad if mozilla.org knows how to secure itself?

      "Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead."

      Don't you think they've thought of that? Update installs are coded for mozilla.org only and I expect other layered security to come as well. Give them a little credit already. When mozilla/firefox becomes t
    • The Mozilla press release even has a "click here" link to automatically install the patch! Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead.

      I don't think that. Because mozilla uses whitelisting to mark servers you're allowed to install from. If you try installing from another server, it throws up an error. A user would have to manually add a server to the allowed list before an exploit could be installed. Ofcourse, there might be a bug in the
  • I just checked with "check for updates" on my 0.9.3 version, it said there's no updates needed. Why putting the button if it won't work properly? Ok yes it's beta, but c'mon, the potential userbase for mozilla is for microsoft-basher and most importantly, people who don't trust IE to be safe/secure anymore.

    Ok with the release of 1.0 it's been fixed, I grant that, but still, I'm really annoyed after seeing this. And while at it, why do we have to go so deep to get updates? there should be an upgrade butto
  • Too Complicated? (Score:5, Insightful)

    by jeremyds ( 456206 ) on Saturday October 02, 2004 @09:31AM (#10412964)
    Why does a user have to go to Tools -> Options -> Advanced to check for updates to Firefox? For the average non-technical user, this should be much more accessible.
  • One thing I didn't like is that when I got the notification from Firefox for a "critical fix" there was no indication of exactly what it was supposed to fix. I like to know why I need to install an update before doing it. Or am I just blind?
  • by tippergore ( 32520 ) on Saturday October 02, 2004 @09:43AM (#10413032) Homepage
    They still have yet to fix a much [livejournal.com] more serious [mozilla.org] bug.

    Just because most of us don't live in South America doesn't mean it isn't huge problem.
  • by scupper ( 687418 ) * on Saturday October 02, 2004 @09:55AM (#10413109) Homepage
    It would be a useful addition to add an FF Profile Manager that included FF Update and Extension Install/Update permissions for multi-user workstations . I looked through MozillaZine, but didn't find much. I can prohibit other users from updating FF and installing/updating extensions using NTFS permissions, User group settings and GP settings, but it would handy to have it included in a FF Profile Manager.
  • by fr8_liner ( 780267 ) on Saturday October 02, 2004 @10:01AM (#10413148)
    I just installed and patched the PR edition on my system and added AdBlock and Firesomething. My friend who is a Microsoft developer was watching this process which took 2 minutes. He was taken aback and had to admit that things have improved for installing applications for Linux. He also said that most Windows users would be lost following the instructions to install from a terminal window or doing any installation requiring "./configure, make, make install." He has a point. We need more "Windows-like" app installation to get more Windoze users to migrate to Linux.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...