New Vulnerabilities Discovered in Firefox 1.0

jflint writes "Today, the security firm Secunia has released 8 more security vulnerabilities it has discovered in Mozilla products, including Firefox and Thunderbird. The exploits "could be used by criminals to spoof, or fake, various aspects of a Web site, ranging from its SSL secure site icon to the contents of an inactive tab.""

First

[Anonymous Coward]

It's open source so it will get fixed quickly post.

Re:First

[Anti_zeitgeist]

crap....now i have to use IE again!

Re:First

[mrogers]

So users of Debian Stable have nothing to worry about?

Re:First

[ikkonoishi]

From TFA

If you have firefox 1.01 installed you have nothing to worry about.

Fixed days ago. Now thats speedy service.

Re:First

[felipin-sioux]

If you have firefox 1.01 installed you have nothing to worry about.

No, there are security advisories for firefox 1.01, like this one [secunia.com].

And the story didn't even link the vulnerability report on Mozilla Firefox 1.x [secunia.com] from Secunia. Anyway, just stay tuned and have your FF always updated.

Re:First

[shaitand]

It is a stretch to even call that a vulnerability. It would be easier to trick a user into downloading and executing code themselves than to get them to drag a properly crafted image into the address bar and then use the url.

Re:First

[DrXym]

Sorry, but that's a pretty unlikely exploit. To carry it out, someone has to be convinced to drag and drop an image onto an empty address bar. Have you seen many sites that do that? Have you seen many users who either understand or follow such instructions?

Re:First

[Anonymous Coward]

Journalists are scum when interpreting technical articles without experience or familiarity with the aspects compared-the report differed significantly from the site-article summary of it. Slashdot should be a collection of technical articles written by technical professionals for interested parties, but it has fallen to the scum of journalistic manipulations of information. On technical level, vulnerabilities in both are posted as significant user base has yet to update either or both the program (is it no

Re:First

[sl4shd0rk]

> It's open source so it will get fixed quickly post.

Don't forget, you also have a choice to go back to IE and OE if you feel they are more secure. The existence of choice is another important factor of OSS.

Re:First

[paulatz]

I have tryed, but IE crashed with wine.

New Discovery?

[fembots]

Today, the security firm Secunia has released 8 more security bugs it has discovered in Mozilla products, including Firefox and Thunderbird. [......] If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about

Firefox 1.0.1 update was out before today, so did Secunia just look at what 1.0.1 update fixes and release its "bug" report, or did they discover something new to 1.0.1?

Re:New Discovery?

[chrisbtoo]

Chances are that they found the 8 bugs in 1.0, reported them to Mozilla, who kept it quiet and fixed them for 1.0.1.

I guess this is trumpet-blowing from Secunia, together with an advisory as to how important it is to upgrade to 1.0.1.

Re:New Discovery?

[SuperficialRhyme]

Secunia just put the list together. Copy/pasting the list and who found them from secunia since someone didn't link to it in the article.

1) The vulnerability is caused due to the temporary plugin directory being created insecurely. This can be exploited via symlink attacks to delete arbitrary directories with the privileges of the user running Mozilla or Firefox.

2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

This is similar to:
SA12712

3) An error in the handling of shortcut files (.lnk) can be exploited to overwrite arbitrary files by tricking a user into downloading a shortcut file twice.

4) The problem is that a XML document can include XSLT stylesheets from arbitrary sites, which may be exploited to disclose some sensitive information.

5) An error in the form fill feature (autocomplete) allows reading suggested values before they are chosen. This can be exploited to disclose some potentially sensitive input by tricking a user into arrowing through some autocompleted values.

6) A memory handling error in Mozilla string classes may allow overwriting of memory if the browser runs out of memory during string growth. This can potentially be exploited to execute arbitrary code.

7) The problem is that the hostname can be obfuscated in the installation confirmation dialog by including an overly long username and password. This can be exploited to trick users into accepting installations from untrusted sources.

Successful exploitation requires that the malicious website is allowed to request installations.

8) It is possible to cause a heap overflow due to an error when converting malformed UTF8 character sequences to Unicode. This may be exploited to cause a heap overflow and execute arbitrary code, however, general web content is not converted using the vulnerable code.

9) Various errors make it possible to show the "secure site" lock icon with certificate information belonging to a different site.

Provided and/or discovered by:
1) Tavis Ormandy
2) Christian Schmidt
3) Masayuki Nakano
4) Georgi Guninski
5) Matt Brubeck
6) Independently discovered by:
* Daniel de Wildt
* Gaël Delalleau
7) Phil Ringnalda
8) wind li
9) Mook, Doug Turner, Kohei Yoshino, M. Deaudelin

Re:New Discovery?

[aneroid]

2) The problem is that an inactive tab can launch an HTTP authentication prompt, which appears to be displayed by a website in another tab. This may be exploited to trick a user into entering some sensitive information (e.g. user credentials).

i always wanted that modal dialog to be made non- and only appear for that tab (when it's in focus).

i doubt this would've prevented the bug. but the page it was appearing for would be obvious. a possible hack to that could be...have a javascript window which is already open make the connection. in that case, even if the js window is shown, with the browser most likely behind it, it wouldn't be obvious. could fix that too :P by outlining the window/tab that calls it. of course, even that could...

Re:New Discovery?

[LnxAddct]

Or how about just stopping the javascript interpreter when the window isn't in focus. And if a child window is being viewed make sure thats its parent windows gain focus behind it or something to that affect. That would more or less cover all the cases, would it not?
Regards,
Steve

Re:New Discovery?

[ajs318]

Or how about just stopping the javascript interpreter when the window isn't in focus.

As another poster has pointed out, this could break timing-based stuff ..... for instance, you could not simply background a tab until the enforced-view adverts disappeared :)

Nonetheless, it'd be a good idea to allow as an option.

And if a child window is being viewed make sure thats its parent windows gain focus behind it or something to that affect.

I thought of this too ..... if a tab wants to bring up any kind

SOP for Secunia...

[Anonymous Coward]

They released their list of major vulnurabilities in IE two days before MS released the update and months after they reported the problems originally.

They're just glory whores.

Re:SOP for Secunia...

[Myen]

In the case of Mozilla, Secunia regularly regurgitates the offical Mozilla.org advisories (as is this case [secunia.com]). Pretty much the time flow goes like:

• vulnerabilities discovered; reported to mozilla.org
  
• they sit for a while
  
• eventually fixed and go into the next release
  
• after a few days, mozilla.org opens up the security bugs fixed in that release and posts advisories
  
• Secunia sees them and posts info on same advisories
  
• people see Secunia with Mozilla vulnerabilities
  

And I know Secunia didn't come up with the list because

1. they link to mozilla.org (except in one case, where they linked to iDefense) as original advisories
   
2. "Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise. Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others."
   
3. I recognize names from the list - Phil Ringnalda is the Chatzilla guy, and Doug Turner is Minimo. So they already work on Mozilla a lot. That, and I'm in the list (probably undeserved).
   

Re:New Discovery?

[darkmeridian]

The thing that sucks is that there is no update button in Firefox 1.0. Well, there is, but it only updates the Extensions when I run it. That could lead the average user to believe that they have already updated their browser. Will this be fixed in Firefox 1.1? Or should I file it?

Re:New Discovery?

[Daniel Boisvert]

The update button showed up for me today. I clicked it and it ran me through the download and install of 1.0.1. The automatic update was intentionally delayed because of server capacity issues; apparently they've got them sorted out now.

Re:New Discovery?

[taylortbb]

They started rolling it out for windows only but they had the cancel it. Linux and Mac users were getting the windows only code and that was causing problems so it was disabled. It is now back for windows users.

http://weblogs.mozillazine.org/asa/ [mozillazine.org]

Re:New Discovery?

[MattJakel]

The thing that sucks is that there is no update button in Firefox 1.0. Well, there is, but it only updates the Extensions when I run it. That could lead the average user to believe that they have already updated their browser. Will this be fixed in Firefox 1.1? Or should I file it?

It looks like [mozillazine.org] they are aware of these problems and are working on them.

Re:New Discovery?

[juhaz]

There is.

Asa mentioned something about server problems and activating the update for 1.0.1 later, and indeed it did show up today. Granted, it's a week since the release and that's a long time for security update... And windows-only apparently, though Linux users probably update trough their native package systems anyway.

His blog [mozillazine.org] has more.

Re:New Discovery?

[einhverfr]

I personally am grateful to Secunia for helping to look at Firefox's security the way that we should be.

Like it or not, we need these sorts finding vulnerabilities before the bad guys. No software is 100% secure. But any software has a security record better than IE.

Re:New Discovery?

[boredMDer]

'But any software has a security record better than IE.'

What about Windows proper? :)

Re:New Discovery?

[LnxAddct]

It is certainly good that people are looking out for bugs, but Secunia didn't find these. They just compiled a list of known bugs that were fixed in 1.0.1. Their site is supposed to be a consolidated source for finding vulnerabilites and researching the security of applications, which means whether or not they find the vulnerabilites, they report on them.
Regards,
Steve

Re:New Discovery?

[raehl]

A site that just compiles a list of information produced by others? Who would read something like that?

Maybe if it had comments.....

Re:New Discovery?

[einhverfr]

Ok.... IE has two major security issues inherent in its design and that is zone permission elevation while the other is ActiveX related.

Mozilla/Firefox has another-- XUL display. XUL is a great technology, but it is difficult to handle because the main UI rendering is too closely tied to the rendering of the web site. There is a security barrier which is designed to keep one from harming the system but it is not designed to prevent spoofing of apps. Hopefully a defence barrier can be built in.

Don't believe me? pasting this into your address bar: chrome://navigator/content/navigator.xul (only works in Mozilla)

For example, something simple like "Components in Chrome are locked by default and only unlocked components can be modified outside of Chrome" would be a nice start.

Re:New Discovery?

[interiot]

Riiiiiight.

Sure, you can copy-and-paste anything you want into your URL bar, and hit enter. This takes time, and thought, and you have to look at the string in two different places, so it's reasonably secure based on that.

The only security problems that could arise would be if there were links that you could click on, or bookmark them. Try it here [68k.org] (slashdot won't let you write chrome:// URLs unfortunately). It doesn't work.

There are tons of security measures related to XPI/XUL, the Firefox team has IMHO taken an OVERLY aggressive approach to XUL/XPI issues. You know why there are several extra steps required in Firefox to install an XPI plugin [mozdev.org]? Because there were some theoretical exploits where someone might ask a user to click on a place on the screen over and over (eg. hit the monkey), and then display the XPI dialog there, and the user might end up clicking "yes, please install" before they realized that they were running potentially suspicious code. So now users have to wait a few seconds before being able to click.

Users CAN actually configure their browser to let remote sites do just about anything [mozilla.org], include read/write files, change the clipboard, etc., because this is sometimes something that's useful that users might want from a few special sites. But it's a pain in the butt to get the several security configuration settings set properly, and again, as a developer, I think they might have overdone it.

Re:New Discovery?

[einhverfr]

The fact that you can't just click on a link doesn;t mean that this is not a problem. Yes there are security measures and barriers in place, but this is the *problem* not the solution.

Your see, the security barriers exist because you want to provide some functionality which is more trusted than others. This is part of the reason why IE is so darned insecure: It has too many of these security barriers.

Instead, the problem is that you have the problem that the security barriers are fundamentally permeabl

What the hell?

[Anonymous Coward]

Why is Slashdot linking to some guy's blog that no one has heard of rather than the actual Securnia advisories [secunia.com] page? The blog entry doesn't even link there! I don't even see how this is a story since Firefox 1.0.1 [slashdot.org] has already been covered on Slashdot, and these vulnerabilites were announced then [mozilla.org].

Re:What the hell?

[AndroidCat]

Firefox 1.0.1? What the..?! Windows Update never mentioned a thing about that, must be broken!

Re:What the hell?

[The-Perl-CD-Bookshel]

Neither has Firefox Update...Yet [slashdot.org]

...only affects v1.0

[Tumbleweed]

If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about. The Mozilla 1.7.6 and Thunderbird 1.0.1 released should be out this week as well.

No worries, just keep your browser updated.

Re:...only affects v1.0

[gordgekko]

I'm rather unimpressed with Firefox today. The update button popped up this afternoon yet the update itself was dated Feb. 25. I realize they didn't want a mass stampede to their server but that means a heck of a lot of people were unprotected (and remain unprotected) if they don't habitually check /. or Mozilla.org to see if there are new versions available.

They greeted this security update better than Microsoft usually does...but not much better.

Re:...only affects v1.0

[Tumbleweed]

I think it has - I was seeing some autoupdate popup things going on with it last night as I was using it, but never got around to investigating it to make sure that's what was going on.

Re:...only affects v1.0

[owlstead]

The answer seems to be no. In advanced there is a button [check] (which does not work correctly, click multiple times). Maybe they should add torrent functionality to download signed updates or something similar.

Re:...only affects v1.0

[_xeno_]

Supposedly. By my reading of Asa's blog [mozillazine.org], if you use the en-US version (most of Slashdot), then you should be able to get an update. Specifically, check out the entries localized 1.0.1 updates [mozillazine.org] and another try at update [mozillazine.org].

However, I use the en-US version, and my Firefox refuses to auto-update. So it doesn't appear to be working for everyone. (I'm behind a firewall, if that matters.)

Re:...only affects v1.0

[lakeland]

If I have to keep tabs on secunia and worry about grabbing the latest hotfixes, I may as well be using IE.

Go ahead. We don't mind. Really.

patch here

[Coneasfast]

you can find the patch here [microsoft.com]. ;)

Re:patch here

[Anonymous Coward]

don't mod parent as troll, it's a joke, a parody of the fact that someone posts a link to firefox when there is a IE vul. story.

oh forget it, some of you mods are dumber than a deck of cards.

Re:patch here

[Anonymous Coward]

oh forget it, some of you mods are dumber than a deck of cards.

I am a deck of cards, you insensitve clod!

bizzt!

[Leers]

-1 Insulting Mods

Emergency!

[Peter_Pork]

Oh my God! I'm switching back to Internet Explorer right away!

Re:Emergency!

[someonewhois]

Uhh, insightful? I think it was meant to be funny..

Re:Emergency!

[kagelump]

uh... funny? i think this meant to be informative

Re:Emergency!

[LiquidCoooled]

Firefox is already fixed....

The others won't be long.

from the article:
If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about. The Mozilla 1.7.6 and Thunderbird 1.0.1 released should be out this week as well.

And yet...

[tannmann]

I still feel safer than when I use IE.

That's how the FUD engine works

[EmbeddedJanitor]

Nobody ever got fired for buying Microsoft.

If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault.

If you encounter bugs while using Firefox,, it is your fault - you should have been using IE. You screwed up.

That's unfortunately the mentality that will keep MS in business for a long time yet.

Re:That's how the FUD engine works

[nacturation]

Nobody ever got fired for buying Microsoft.

Given that it's a free download, if you bought Internet Explorer, you *should* be fired.

Re:That's how the FUD engine works

[cerberusss]

If you encounter bugs while using IE, it is not your fault, it is Microsoft's fault

This is funny, but very true. The same goes for MS Office documents. If you open a Word document in a different version of MS Word and it gets fragged, it's not your fault, it is Microsoft's fault.

If, however, you open that same document in OpenOffice and it renders it wrong because of some crazy layout (think table cells that span multiple pages...), then YOU are to blame. You should have "just used normal programs"...

This stuff drives me mad...

Re:..the worst infestation ever...

[cortana]

By default, Firefox will only allow extensions (XPIs) to be installed from a whitelist of sites that starts out as (update.mozilla.org).

For you to become infested with spyware by viewing a web site, you either added that site to the whitelist, or you were a victim of an unreported security problem. Did you report the site that infected you to bugzilla.mozilla.org?

The downside of popularity

[confusion]

Most all software has serious bugs, and the up-tick in firefox bug was as predictable as the sun rising. The real key is going to be in how the bugs are dealt with.

Jerry
http://www.syslog.org/ [syslog.org]

Re:The downside of popularity

[confusion]

great examples of popular software!

Re:The downside of popularity

[confusion]

If someone in my organization came to me with that, I would have to reprimand them. As the creators of applications, we have to be focused completely on quality, but the reality is that there WILL be bugs and you have to plan for them.

Converse to your arguement, now that we have everyone completely committed to writing secure & quality code, we can stop code audits, QA, and pen testing, because hey, we have a committment to quality.
Give me a break man, it's not nearly as clearly defined as you're maki

The most important part of TFA

[Zocalo]

"If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about."

Why this wasn't in the write up is beyond^W entirely to be expected given the recent track record of Slashdot editors... :P

It's obvious

[SlashThat]

They want it to look more like "news".

Re:The most important part of TFA

[monophaze]

Secunia collectively rated the vulnerabilities as "Moderately Critical," and said that only Firefox has been fixed. Users should download the newest edition, Firefox 1.0.1, which was released last week.

The vulnerabilities have been corrected in Mozilla, but the patched edition, 1.7.6, has not yet been officially released. The same goes for Thunderbird, the Mozilla Foundation's free e-mail client, which is also susceptible to the bugs. Both Mozilla 1.7.6 and Thunderbird 1.0.1 should roll out this week, Mozi

Re:The most important part of TFA

[sd.fhasldff]

That has to be the most pathetic slashdot blurb I've ever seen. It's grossly misleading and links to a completely assinine site (which, in return, doesn't even link to the Secunia report - the real source).

Re:The most important part of TFA

[ptudor]

recent track record

Recent? If by recent you meant 1997 to 2012.

Security

[Scoria]

I was actually expecting this. Firefox is an immature fork. One vulnerability eliminated is one less to be discovered later. It is inconvenient now, but should expedite relative maturity in the base. I am, however, still awaiting an automatic update for my installation of Firefox 1.0... ;-)

The bugs have already been fixed

[Anonymous Coward]

The bugs have already been dealt with. From TFA: "If you have downloaded the Firefox 1.0.1 update, you have nothing to worry about". In other words, Firefox has already fixed these security bugs and all Firefox user have to do is upgrade to 1.0.1 [mozilla.org]

remember people

[Anonymous Coward]

Your bank can and will ask you to confirm your password at random intervals via email.

If in doubt about who sent the email, click on the link they provide in the email to get to your bank's website to make sure it's them.

And remember, even banks sometimes forget to get their ssl certificates in order. No worries though, MS has been focusing on security for the last couple of years and IE is almost as solid as Firefox is....

Hah!

[Anonymous Coward]

That's why I use Firef... uhhh what???

Firefox bugs

[benspikey]

Open source or Closed Source... makes no difference bugs and exploits will always exists. Claiming that firefox is the answer to all security problems is silly. Software by it very nature can be exploited for evil and no code is completely secure. Until people realize that the convience of software is bundled with the risk of exploits and that no matter how many patches or code rewrites exists problems will always exist. Makes me glad i'm in the software bussiness as I know my future is secure..

Every day is insecure

[rueger]

Really, do we need a story every time some security problem appears in some software package? Surely anyone with half a brain understands that security relies on multiple protections.

Firewall, virus scanner, frequent updates to all software. Maybe a change in OS.

I really ignore all of these endless warnings any more and just trust that frequent updates and scans, and a reasonable amount of common sense and skepticism will protect me pretty much fully.

Re:Every day is insecure

[Chuck Chunder]

Really, do we need a story every time some security problem appears in some software package?

No. But then we aren't getting that either.

Firewall, virus scanner, frequent updates to all software. Maybe a change in OS

All great tools against browser spoofing I'm sure...

Re:Every day is insecure

[bonch]

Slashdot loves to post articles on Microsoft software vulnerabilities. It's only fair that OSS vulnerabilitie be covered as well.

So is Billy counting bugs to go to sleep

[gelfling]

You know the MS PR warmachine will make the most of this, don't you?

Re:So is Billy counting bugs to go to sleep

[The Bungi]

Kinda like the open source PR war machine (valiantly spearheaded by Slashdot) made the most of every single IE advisory and vulnerability in the past four years?

Welcome to the real world. You can't have your cake and eat it.

Why doesn't Firefox 1.0 update to 1.0.1?

[Mustang Matt]

Does anyone have an explanation as to why firefox's online update feature doesn't upgrade to 1.0.1?

Re:Why doesn't Firefox 1.0 update to 1.0.1?

[dicepackage]

It does, Mozilla delayed the update because the servers were getting overloaded when it first came out. By now it should report there being an update and allow you to install that.

Where's the update?

[teslatug]

What's the use of having an update feature if you never enable it or get it in a working state? I have never been able to update firefox through the built-in feature.

Food for thought...

[Ericzombie]

Anyone else notice how now that Firefox has gotten pretty big, you're mostly hearing about firefox issues, rather thant he slew of IE issues that we used to be swarming over. In essence it makes sense as most /.ers have upgraded to Firefox, however it just seems to be working that way. I don't think that M$ could have gotten all of the kinks out of IE, so whats the deal?

Re:Food for thought...

[WillAffleck]

you're right ... I agree they attack Firefox while ignoring IE issues that were never addressed. So, in case anyone hasn't heard this: I just wanted to say IE sucks really bad, especially if you're on a Mac and they won't do anything useful.

Phishing "vulnerabilities" need a special category

[argent]

I don't think these kinds of "phishing exploits" should be classified with security vulnerabilities. They make it easier to fool a naive user... but they're not at all necessary... the existing phishing attacks will continue to succeed as long as companies keep asking people to do stupid things.

I really have recieved real, legitimate mail from Microsoft asking me to download and apply a patch... and nobody at Microsoft I spoke to saw anything strange about it... and the IT people where I work have done the same kind of thing even after I asked them not to and they agreed they wouldn't.

The term "Security vulnerabilities" needs to be restricted to things like remote execution attacks, watering it down doesn't help anyone.

This just in...

[Transcendent]

...slashdot doesn't display correctly in Firefox 1.0+

More at 11.

i'll take it!

[nuckin futs]

i'm willing to deal with a couple firefox vulnerabilities over that browser that runs activeX controls.

Phew, I'm safe!!

[Anonymous Coward]

I use Internet Explorer.

the real difference

[IdentifiedDareDevil]

(for me) isn't really the technology or the security. IE and firefox are really not that far apart in terms of bugs/features (yet).. the main difference to me is that one on hand, you have a greedy, monopolistic company working outside proper market forces - allowing it to decide when and how it improves its software (IE 6.0 released in Aug 2002 - what major sw app can get away with a 3 year major release cycle?) vs. Firefox/Mozilla - a grass-roots colaboration of people who are trying to make something significant and have fun at the same time.

The choice for me is not a lot different than choosing to live in the Soviet Union or the United States. I'd rather not eat the gruel (or browser) someone else thinks is all I deserve.

I find it interesting

[harryoyster]

I would love to see how they actually find some of these vulnerabilities. Direct from secunia : "The vulnerability is caused due to missing URI handler validation when dragging an image with a "javascript:" URL to the address bar. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site by tricking a user into dragging an image to the address bar." Dont think ive ever dragged anything from a web page in my life.. I maybe a newbie though (only been on the net since 1992..

Re:Here we go...

[hawks5999]

I actually got an email from a friend of mine on the redmond campus warning me to be careful since I use that dangerous firefox browser about 3 hours ago. I told him I wouldn't believe it until I saw it on slashdot! :D

Re:Here we go...

[dcam]

I think you mean, you won't believe until you have seen the dupe on slashdot.

Re:Here we go...

[NEOtaku17]

"How long before Microsoft jumps all over this, and uses it as yet another FUD related reason not to use Open Source software..."

Try this one: How long does it take for Linux people to jump all over Windows vulnerabilities that have already been patched as a reason not to use Microsoft products?

Re:Here we go...

[Statecraftsman]

I see this as the beginning of what could be called a vulnerability war. We all know there are tons of bugs in any software that's actually released to the wild. With that said, the number of vulnerabilities that are found is really just a function of how hard people look.

Once found, if people want to be malicious about it, they'll release the vulnerability information to black hats, then the public, then the company(if at all). If bugs cause people to switch browsers, all that needs to be done is make su

Re:I frequently talk up

[jrcamp]

Yeah except Avant still uses Internet Explorer as its backend. All of these fixes for Firefox are for potential exploits, not something that's in the wild. It's a lot better track record than Microsoft has by far. Plus nobody's going to pay for Opera and they certainly won't put up with having ads in their browser.

Re:I frequently talk up

[badriram]

firescrolling exploit example... [www.mikx.de]. caution exploit code

been out for atleast 2 weeks..... just because the media does not cover something does not mean it doesn't exist.

Re:I frequently talk up

[gl4ss]

well.

whatever you recommend them to use, anything that fondles with data that's downloaded from random sites should be updated frequently.

i'm not entirely sure, but doesn't firefox's default start page mention if there's a new version available?

Re:I frequently talk up

[merdaccia]

I disagree, though I wouldn't call your post a troll. But since I can't post and untroll you, I'll post and hope someone else might ...

You shouldn't change your tune when security holes are discovered. Security holes exist in any application. Some are discovered, and some aren't. Your defense against security holes is two fold. The first part is that you want security holes to be discovered. The second part is that you want them fixed. The FOSS ideology helps with discovering them. And Mozilla's diligence helps with fixing them ... in fact, these holes have already been fixed.

Compare this with not being able to discover security holes and not being able to fix them, and you start to see why FOSS is good and why Firefox is brilliant.

Re:Internet Commerce On Its Way Out

[GeorgeMcBay]

Prediction: In 10 years, if there is no fundamental fix for these sorts of spoofs, or if the underlying model of the web is not changed, web-based commerce will be all but dead.


Are you on crack? People don't hesitate to hand their credit cards over to be carbon copied by pimply faced 17 year olds to make purchases at The Gap, why would they worry about SSL not being perfectly secure?

Re:Internet Commerce On Its Way Out

[Chuck Chunder]

SSL implementations have been barely usable for real people years with their laughably tiny "padlock" indicator.

Bugs aside things are just starting to look reasonable as far as SSL in browsers is concerned.

Firefox puts the "padlock" where someone will actually stand a chance of seeing it (in the urlbar) and also color codes the URL.

Opera does something similar in it's recent beta but also displays the organisational name of the certificate owner aside the padlock.

The spoofing problem isn't a fundamental flaw that is going to doom the future of browser based commerce. The reinvigoration of browser competition has started making things better for the end user.

What's the problem with credit cards?

[TheLink]

With my credit card, in event of fraud - it's NOT my money that's gone.

I just have to inform the card company that the transaction was not good. And I don't have to pay for it. And since it's not MY money, it's someone else's problem.

At worst, I can't use the affected card and the card company issues me a new card.

That's OK - I have more than one credit card.

I'm far more puzzled by the popularity of debit cards. If stuff happens it's YOUR money that's gone, so YOU have to be the one working your butt of

Re:THANK YOU SLASHDOT!!!

[Nemo Black]

I too have noticed that lately the /. front page has not been reloading correctly. I am in no way an expert with web page design, so correct me if I am wrong, but could it have something to do with style sheets?

I only have this problem is only with the /. front page and no other page that I frequent.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:THANK YOU SLASHDOT!!!

[helix_r]

...Funny how Slashdot is the only site I have ever seen that renders so poorly as to make it unreadable at times under Firefox ...

What?
I never had a problem with slashdot. What exactly makes it "unreadable"?

Re:THANK YOU SLASHDOT!!!

[Anonymous Coward]

What?
I never had a problem with slashdot. What exactly makes it "unreadable"?

Sometimes the stories or comments get shoved into the left nav. Sometimes the tables don't render at all leaving a largely blank page. This has been a problem since Netscape 7.0 came out (whatever version of mozilla that was.) In fact, when Slashdot put up the story about NS7 being release, I immediately downloaded it and just as quickly found the problem. I don't use windows much, but under linux, this has been a problem for

Re:THANK YOU SLASHDOT!!!

[njcoder]

I've seen it on other sites as well. Something about table widths being set to 100% or something. On some sites, the main text table cell doesn't show up until there's a reload. The same ctrl- ctrl+ fixes those too or a reload. It's really annoying.

Re:Firefox ad hack!

[arootbeer]

Hmmm...do you have a webserver on your box, and a no-ad hosts file?

I ran into that when I had IIS installed and a hosts file with many ad servers sent to 127.0.0.1.

I fixed it by turning off the Web Publishing Service.

Re:Firefox 1.0 doesn't tell you about 1.01

[Soldrinero]

I also waited for Firefox to alert me that an update was available, both to be kind to the servers and to see how the update process worked. Yeasterday it alerted me to the update via a new icon next to the activity icon in the upper right of the window.

Interestingly, when I went through the update process, it downloaded and installed the full 1.01 package. Does anyone know if this is how updates will be done in the future, or if Mozilla will migrate to a patch system?

Re:gentlemen, start your engines

[dicepackage]

I think you saw this as "New Vulnerabilities Discovered in Internet Explorer." The vulnearabilities have been fixed in Firefox 1.0.1 but there hasn't been much press about them until now.