Firefox Zero-Day Code Execution Hoax?

Akon writes, "eWeek is running a follow-up story on the claim by two hackers that Firefox's implementation of JavaScript is critically flawed and could result in code-execution attacks. Turns out this is a possible hoax that was overblown for laughs." Mozilla's engineers say the risk is limited to a denial-of-service issue. From the article: "'As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has... I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven't used it to take over anyone else's computer and execute arbitrary code,' Spiegelmock said." Spiegelmock also stated that the claim that there were 30 other undisclosed exploits was made solely by his co-presenter, Andrew Wbeelsoi.

Great!!

[zappepcs]

The first time that I actually started to worry that FF might have a problem, and that I should be careful, it turns out to be a hoax. I don't know whether to be happy about this or not?

Re:Great!!

[__aaclcg7560]

Be happy. It could've been worst and happen on Internet Explorer instead.

Re:

[EzInKy]

Fix the copy and paste? In both Windows and Linux it works fine for me.


I'm scratching my head too. Just to test things out I just copied and pasted from web page to location bar, web page to editor, web page to konsole session using either the mouse or keyboard shortcuts. Everything worked as expected, including shift-insert.

Re:

[gEvil (beta)]

I've encountered this bug a number of times under Firefox for Windows. Copying/pasting text from the address bar and/or webpages will work fine for hours, and then out of nowhere it will just stop working until I quit then restart Firefox. I run into this probably once every few weeks. However, I've never been able to find any rhyme or reason behind it. All I can say is that it does happen.

Re:

[gEvil (beta)]

Thanks for the tip. I'll try to keep it in mind. However, I'm pretty sure what you describe is a different bug from what I normally encounter (although I've definitely had the occasional address bar problem). The problem I usually have results in me not being able to copy text from a webpage at all. I would normally paste it into a text document from there, but Firefox's 'copy' command is greyed out in the Edit menu.

Re:

[dorkygeek]

Just because it's grayed out does not mean anything (the menu item could e.g. just have missed the selection event). You could try copying using Cmd+c or whatever it is on your platform (Ctrl+c, etc.). This invokes the copying code directly.

Re:

[gEvil (beta)]

I'm a keyboard shortcut guy. When those don't produce results, I look up to the menu items for some idea why. When the keyboard shortcuts don't work and the menu items are inexplicably greyed out, it's a bug.

Re:

[Blakey Rat]

Just because it's grayed out does not mean anything ... uh, it means there's a bug. If there's no reason he shouldn't be able to copy, and the copy menu item is greyed out, that's called a "bug." Which is exactly what the parent is talking about.

Not surprised.

[Fordiman]

Neither am I.

Re:

[Jugalator]

I bet you have few friends. :-(

It's fun to talk to yourself.

[ben there...]

No, it's not.

It's all fun and games until someone gets hurt

[davidwr]

Or until someone wastes time taking you seriously.

Yelling "bomb" in an airport isn't funny. Neither is this.

Next time, make it painfully obvious you are joking so people don't waste valuable time.

Re:It's all fun and games until someone gets hurt

[Anonymous Coward]

It was painfully obvious to anyone at the presentation that the whole thing was a joke. It was the best presentation I saw at Toorcon just for the hilarity factor. If they were talking at any other convention I'd go see them again.

Most of the press got the joke, laughed, and ignored it. It was some tool at CNET's fault for compromising his journalistic integrity and reporting satire as fact that caused the problem.

Then it wasn't painfully obvious enough

[davidwr]

If the CNET folks didn't get it, the panel should've made sure they did.

Any prank like this NOT done on 1 April needs to end with "and for those of you who left your sense of humor at home, the preceeding presentation was 100% pure entertainment and any resemblance to reality was purely to tweak your nose. Please stay for the next panel on novel approaches to perpetual motion. Thank you."

Re:

[BeeBeard]

Or alternatively, why not just have a good sense of humor in the first place? That way, you wouldn't have to constantly clue others in on what you think is so funny (and actually isn't).

All of these people [google.com] didn't seem to get the joke either, you know?

Re:

[cliveholloway]

your journal post (linked from your sig) is wrong:

"Bot sends spam directing people to a properly-registered similar-spelling secure web site run by the bad guys. The bad guys get your userid, and pass it on to one of a thousand other zombie-bots who give it to your bank and gets the picture."

The bank only serves the picture after you answer a security question. You would have to steal the cookie *and* probably access it from a geographically similar IP.

Re:

[jnf]

document.onkeypress = function () { keylog += String.fromCharCode(window.event.keyCode); } ? combined with a meta-refresh and an iframe all of that stupid sitekey shit is broken.

Re:

[jnf]

Well no, the press didn't get it, one member of the press was just first to break the story and so no one else touched it, it was not until later that night @ the party that the trolls met with the press and said 'oops, we were just kidding'

Re:

[jnf]

wtf? none of the men in that picture are mischa, and none of the men in that picture are the guys who were from microsoft.

I don't think it was a "joke".

[khasim]

I think that these two were looking for a little fame ... and did not realize how the professionals would react to their claims.

Once they realized that the professionals (who are better programmers than they) were looking into their claims, they fell back on the "it's a joke" claim.

Re:

[BeeBeard]

That's an interesting theory. They're either guilty of being fame-hungry alarmists, or creepy, untalented kids with a bad sense of humor. Either way, they need a cardboard tube beating.

you are wrong.

[weierstrass]

Your search - omfg.ppt - did not match any documents.

Suggestions:

        * Make sure all words are spelled correctly.
        * Try different keywords.
        * Try more general keywords.

Re:

[sm62704]

A better FA is here [securityfocus.com].

Members of the audience assumed that the two presenters were having a bit of fun, rather than actually criticizing the Mozilla browser's code.

"I wasn't pay much attention to what they said they had, because the whole thing was coming across as a comedy show," said Mark Loveless, security architect for Vernier Networks, who saw the presentation. "They had a whole bunch of things in there that was intended to be a joke, trying to get laughs. I didn't have any problems with the talk, I thou

Re:It's all fun and games until someone gets hurt

[Kelson]

The way this went down reminds me of an event from high school. Now, to put this in perspective, it was probably 1993, so about 5 years before Columbine.

There was a drama festival that our school attended each year, held at a nearby college. One year, one of our scenes involved prop guns. One of my classmates took one of the fake guns up onto a balcony, stood on the railing, and pretended he was going to shoot himself. Big surprise, campus security showed up, assuming he had a real gun and was really going to blow his brains out. The next year, the festival banned prop weapons. IIRC if you had a scene that needed them, you could sign up to use *their* props, which would be provided for the particular scene.

Had he done the same thing on stage, introduced as a monologue he had written, with people aware the gun was a prop, no one would have freaked out.

Back to the Firefox panel, I don't know how clearly this presentation was labeled as humor. But all it takes is someone who doesn't have the full context to take it seriously -- and security people have to take threats seriously, at least long enough to investigate and find out that the gun is just a prop.

...crash and eat up system resources...

[RHIC]

No change there then.

Re:

[Crayon Kid]

Come on, now. The latest versions of Firefox don't cra

Never believe anything without a second source

[Opportunist]

And, this should noted, this should NOT be limited to security exploits and hoaxes. It's twice as true for news that really matter. Too many people want to believe what they hear as long as it fits their personal point of view, without even questioning whether something is true or not.

As long as it fits into their view of the world, it becomes true for them and they perpetuate the lie.

Re:Never believe anything without a second source

[gEvil (beta)]

Never believe anything without a second source

Anyone want to reiterate what he said so we can know that we should believe him?

Re:Never believe anything without a second source

[chroot_james]

I'll back him up. Kind of. I propose requiring a third source. Anyone want to reiterate?

Re:

[bogie]

I disagree. Now you still have to find a 3rd source to agree with you and 3 sources to discredit me. And of course I just got off work so I have all day long to disagree with those who disagree with me in the first place. Better put on a cup of coffee. :-)

Re:Never believe anything without a second source

[Senzei]

I disagree. Now you still have to find a 3rd source to agree with you and 3 sources to discredit me. And of course I just got off work so I have all day long to disagree with those who disagree with me in the first place. Better put on a cup of coffee. :-)

Actually, I think you owe us two more sources to confirm your disagreement. Well, I would think that, but we haven't found three sources to conclusively prove that three sources are needed to conclusively prove something.

Re:

[Billosaur]

Does that include the article saying it was a hoax? What are we to believe?!?!?

Re:

[Opportunist]

Simple. The next credible source talking about it. And since it's disputed, it might be a good idea to wait for a third source before believing it.

Then again, seeing is believing. If someone produces a reproducable proof, that's good enough for me.

Re:

[HRbnjR]

The Sun rotates around the Earth.

It's true.

(someone back me up on this ;)

Re:

[flosofl]

The Sun rotates around the Earth. It's true. (someone back me up on this ;)

Well, duh.

It's obviously supportable by casual observation. Just stand outside. I can clearly see that while I'm standing still the sun is travelling across the sky. Ergo: The sun moves around the earth.

Re:

[Opportunist]

Sorry, you're standing against proof.

Claims backed by proof are true, independent of the people backing it. Science is not a democratic process where the majority is right, science is based on facts and a proof outweighs any number of voices you can raise. Unless you can back your claim with proof, too, your opponents is standing on way higher ground. And when you can, it gets really funny. 'cause then we don't have claim against claim, we got proof against proof. Since there can only be one truth by the ve

Re:

[NickFortune]

The Sun rotates around the Earth.

Of course it does. Well, it's as valid a viewpoint as any other, anyway. That's what relativity is all about.

You can have the entire universe revolve around you, personally, if you like; all you need to do is define a suitable fixed point.

You may however encounter some debate as to whether your system is the most useful to eamine the universe.

Microsoft link?

[masklinn]

This is to be taken with a grain of salt and not as a proof of anything until further inquiries, but since it's going to be posted anyway it may as well be posted with some warnings:

A blog called Geemondo [blogspot.com] also reports that Mischa Spiegelmock seemed to have had dinner with Microsoft guys. [2y.net]

(PS: mods, if you want this post to be seen without me karma whoring, just mod it funny)

Re:

[jnf]

no, none of those people are who the poster is saying they are. Here is a picture of Mischa [livejournal.com], you can find it on his blog @ http://revmischa.livejournal.com/ [livejournal.com]. I can't find any pictures of the MS guy's who were there, but that was totally not them, the parents post is a fraud.

Re:

[jnf]

p.s. Mischa is the idiot in the yellow, that was the same outfit he wore at the talk.

Re:

[jnf]

The picture and idea is false, I don't know who is in that picture, but it's not mischa nor the guys from ms who were @ toorcon. Furthermore, I know they didn't eat out with anyone on saturday night, and they hid all day sunday in their hotel room.

Assholes!

[BeeBeard]

Now I don't feel so bad for making fun of their last names!

Not a funny joke

[loconet]

There is also a post about this on the Washington Post [washingtonpost.com]. Apparently, they were just having fun?

If I was Alistapart, I would have gotten rid of this "clown" immediately.

Re:

[thrillseeker]

Apparently, they were just having fun?

Those are two guys who will never work for me or anyone I know. Such intentional bullshit claims caused a tremendous amount of angst among too many people, not to mention the effort various developers went to in attempting to validate their claims.

Re:

[soliptic]

Admittedly, I didn't RTFA, but.... I'm confused, where does alistapart come into this?

I don't see Spiegelmock or Wbeelsoi listed here [alistapart.com] or even anywhere here [alistapart.com].

(OT ramble: Mind you, I wouldn't be entirely surprised if this "clown" was involved in ALA, considering how much it has gone downhill lately. A few years ago it was essential reading (sliding doors and suckerfish dropdowns and whatnot) but all the articles lately have been a real waste of time imho. Waffley PHB crap like like [alistapart.com] this [alistapart.com], or techniques li

Re:

[dorkygeek]

I guess he meant SixApart, of whome Spiegelmock is an employee.

Re:

[loconet]

Nope, you are totally right. I had read from another source it was ALA who employed this guy. It seems like people (including me) are getting it mixed up and the employer is Six Apart not Alistapart.

Re:

[tsu doh nimh]

I think the most interesting part from the Post piece on this is this last line, about LiveJournal's Mischa Spiegelmock, who co-presented this Firefox malarky.

"The Toorcon talk was given by Mischa Spiegelmock a software engineer for Six Apart's LiveJournal blogging service, and a guy speaking under the pseudonym "Andrew Wbeelsoi."

Also, Wbeelsoi, or "Weev" as he is called by friends, is part of a group that calls itself "Bantown," a loose-knit outfit that claimed responsibility for a fairly high-profile [washingtonpost.com]

FTA: Meant "to be humorous" ??

[BeeBeard]

Are nerds really that unsocialized that something like this qualifies as humor?

Moo

[Chacham]

FireFox has no exploits. All exploits are actually in IceWeasel [slashdot.org], to avoid legal action from Mozilla [slashdot.org].

In other news, Microsoft has said thet their version of Genuine Internet Explorer has no bugs, and any bugs, must be due to a bad download, or user tampering. As such, all user installs of Internet Explorer will be renamed to "Meshed-Screen Interpolated E-reader" (MSIE for short), and will subsequently be subject to licensing fees.

FireFUD

[Foofoobar]

Let the speculation about whether this was FUD funded by our favorite Redmond-ians begin

he hasn't gotten it to do so?

[Lord Ender]

It takes a very rare and specific skill set to write a memory corruption exploit. The fact that one person was unable to go from overflow to arbitrary code execution proves absolutely nothing about whether doing so is possible.

Re:

[AlgorithMan]

The fact that one person was unable to go from overflow to arbitrary code execution

of course big, complex programs (like a JavaScript VM) have errors, if you want proof, you have to make a hoare calculus http://en.wikipedia.org/wiki/Hoare_logic [wikipedia.org] for the source code and beleive me, this is really really much work! - - - but this alleged error seems to be nothing but posing...

Re:

[makomk]

I'm not aware of any way of exploiting a stack overflow for arbitrary code execution, though this isn't really my area of interest, so I could be wrong. Is there one?

Re:

[Lord Ender]

I'm not aware of any way of exploiting a stack overflow for arbitrary code execution, though this isn't really my area of interest, so I could be wrong. Is there one?

Are you aware of any way of exploiting memory corruption errors? A stack overflow is the easiest type of memory corruption flaw to exploit.

See this. [owasp.org]

And information security is my area of expertise, though I have never written a memory corruption exploit.

Yep, and all it takes is *one* success...

[patio11]

Its hard to go from overflow to arbitrary execution. Its freaking trivial to go from arbitrary code execution to a black hat library. All the bad guys need is one really smart guy and that exploit is then in play for anyone with a modicrum of technical skill. Thus is pays to be really freaking vigilant about memory management.

Incidentally: you can fool some of the people all of the time, you can fool all of the people some of the time, but you can not fool all of the people all of the time. Similarly, y

Not "a FORMER developer"?!

[Keith Russell]

You mean Six Apart hasn't sacked Spiegelmock yet? What's Mena waiting for? Maybe she's having all the chairs in her office bolted down in case she has the sudden urge to impersonate Steve Ballmer during the exit interview. I know if I caught an employee pulling the shit Spiegelmock just did on my watch, I'd need the most sound-isolated conference room in the building.

Re:

[Stanistani]

If you want some fun, google Mischa Speigelmock and catch the returns - geesh!
>Mischa Spiegelmock is a 19-year old boy in San Francisco, CA. is single. is tagged bbqs, dork, and frisbee.
>Mischa Spiegelmock. Yo yo beezies this is m-spizzle straight outta ... keep it real up being studious and shit at the university of muhfuh san francisco and ...
>Hi, my name is Mischa Spiegelmock. I'ma software engineer intern at LiveJournal.
>Picture Gallery: The Great SF Pillow Fight. The Great San Francisco Pil

Trust but verify

[ursabear]

I'm with some of the folks here about secondary verification.

Something deep inside me gives a knee jerk any time a developer or product engineer starts any sentence with "I have not succeeded in making this code do..." or "I cannot reproduce..." (no pun intended).

I think Firefox is pretty good. So far (since the first public betas), I get very few issues at runtime (besides the occasional spin-forever cursor when Firefox encounters a site with some really bad browser-side code.)

Translation: We, the wannabe script-kiddies...

[CharonX]

Well seems like my notion was right after all.
They are nothing but sad wannabes, scriptkiddies who wanted to pose as l33t haX0rZ. Well, heads up guys, this will have been your last convention for quite some time because somehow quite unexpectedly (for you) most of the community didn't go "we really got punked!!! LOLOLOLOLOL! you win teh internets!" Bottom line. Don't be an asshole, or you will pay for it.

He should be fired, prosecuted

[hyrdra]

Everyone here should read this article:
http://blog.washingtonpost.com/securityfix/2006/10 /zeroday_firefox_exploit_claime.html [washingtonpost.com]

It actually turns out that Mischa Spiegelmock and Andrew Wbeelsoi are closely related. As we all now know, Misa works for LiveJournal. Andrew Wbeelsoi is part of Bantown, who claimed responsibility for a Javascript attack on LiveJournal (see http://blog.washingtonpost.com/securityfix/2006/01 /account_hijackings_force_livej.html [washingtonpost.com]).

The two are obviously related, and LiveJournal should consider immediate termination of their employee Mischa, as he is in league with Wbeelsoi, who attacked LiveJournal members themselves.

Here as some nice quotes from the article:

"We do have exploits for all the stuff we're going to show you," the 21-year-old calling himself Wbeelsoi said. "We'll give them away to anyone who proves their actions are going to be politically motivated. We don't care what side you're on as long as you commit yourself to destruction."
"We were just trying to have some fun up there," Spiegelmock said.

Mozilla should really consider civil, if not criminal actions. Damage to the Firefox brand has already been done, regardless if the exploit is real or not.

:-/ That won't happen, Six Apart are pansies.

[Ayanami Rei]

Mischa works for Six Apart _because_ Bantown "pwnzed" them two years back.

Six Apart didn't try to fight them, instead they tempted them with guided tours and positions in the company.

Utter idiocy.

Re:

[tlhIngan]

Mischa works for Six Apart _because_ Bantown "pwnzed" them two years back.

Six Apart didn't try to fight them, instead they tempted them with guided tours and positions in the company.

Utter idiocy.

Actually, there's more than enough supposition to imply that SixApart's software is contaminated with trojans. Face it, you have someone who wants to claim they have a flaw, and they want to make a secret communications network. The best way to do it is to use sites like LiveJournal and people who use software like

Re:

[David Gerard]

Bantown is part of the LJDrama/Encyclopedia Dramatica group. Remember the Craigslist asshole? Them. I'm amazed anyone working for Sixapart is allowed to speak to anyone from LJDrama/ED.

Re:

[hyrdra]

While it may be true that all this is one elaborate prank. However that does not change the fact that real damage is done by these jokes. As far as I'm concerned, they're no better than the people who author e-mail virus hoaxes.

Like I said, at the very least, Mozilla needs to consider civil action against these guys.

ONLY a crash and eat up system resources??

[NekoXP]

> I have not succeeded in making this code do anything more than cause a crash and eat up system resources

Okay so it's not a bug at all, just normal Firefox behaviour. Fine, we can all rest easy :D

Surpise me ...

[LizardKing]

So a pair of crackers get up on stage and describe an exploit with no proof and some people are surprised when it's a hoax. When you consider the primary motivation of many crackers, the hoax shouldn't come as a surprise. Every cracker or wannabe cracker that I've ever met is a sad individual with low self-esteem looking to counter this with a bit of ego boosting. Why else do a lot of the more theatrical exploit demonstations come with an obligatory swipe at the quality of the code they have supposeldy expl

Re:Moo

[masklinn]

Anyone who releases it on their own is sued for copyright violations.

Actually not, it's trademark violation, and it's only if you release it under the name of "firefox". Call me the day when I can fork Internet Explorer and release my patched version as "Intarweb Implorer" without getting sued though.

Re:

[Svartalf]

It probably would be more aptly named Intarweb Imploder...

Re:

[TheNetAvenger]

Call me the day when I can fork Internet Explorer and release my patched version as "Intarweb Implorer" without getting sued though.


Ring... Answer your phone...

Not to burst your rant bubble, but IE has allowed for using its engine and being named anything people want, several of the 3rd party browsers even do sound a lot like Internet Explorer. MS has to date never sued any of these companies. I have seen many names that sounded like or reflected IE, like "IE Plus", etc.

Re:

[masklinn]

Not to burst your rant bubble, but IE has allowed for using its engine and being named anything people want, several of the 3rd party browsers even do sound a lot like Internet Explorer. MS has to date never sued any of these companies.

Sorry to burst your bubble, but linking against MSHTML.dll or using Internet Explorer's rendering engine was absolutely and utterly not the subject of my post. Thanks for playing though.

Re:NoScript

[TheRaven64]

But...

But...

Web 2.0!

*splutter*

Re:

[Ant P.]

NoScript is a feature Firefox should have had from day one, and IE has had for over 10 years.

GMail and JavaScript

[Kadin2048]

You obviously don't use GMail,

You can use GMail just fine without JavaScript. It complains and writes you a message at the bottom of every page saying something like 'To take full advantage of Gmail, use a supported browser...'

It does however still work just fine without it.

Re:

[gorre]

You obviously don't use GMail, Google Calendar, and the like.

With NoScript one can designate sites that are allowed to run javascript, it's just that it is disabled by default. I use NoScript and have simply whitelisted google.com and any other trusted sites that require javascript.

Re:

[dedazo]

To anyone who is "pro-IE", I always show them Firefox with AdBlock. That gets them every time.

IE can be used safely if it is patched and you don't have the habit of visiting random websites (most people visit only a handful of sites anyway), but FF+AdBlock simply trumps everything else. I know about Proxomitron and all the other solutions for IE, but they simply can't come close to AdBlock.

Paired with a few other must-have extensions like TabMix Plus and CustomizeGoogle, I will happily live with Firefox

Re:

[dedazo]

You know, I just realized I sort of implied that you were "insulting" your friends or something - sorry. I'm sure that's not the case =)

It all comes down to using the right tools for the job. For a while now Firefox has been the right tool for browsing the web on Windows, in my opinion. Maybe that will change later when IE7 is released. Who knows.

Re:

[masklinn]

It all comes down to using the right tools for the job.

A baseball bat is always the right tool for the job of convincing people that your views of the world are better than theirs.

Re:

[masklinn]

You, sir, clearly aren't a ninja (that, or your grandma's a better ninja than you)

Re:

[cascadingstylesheet]

>Maybe we could debunk the Firefox is a memory hog [mozillazine.org] hoax, too.

We could if it *were* a hoax. Since it's reported by decent folk all over the place, I don't think we can.

If the problem really is just extensions, then Mozilla *still* needs to do something about it. Don't list them on the official extensions list until they are fixed. As somebody in the thread you linked to mentioned, what's the point of using FF if you can't use extensions?

Re:

[Captain Splendid]

If it's not a hoax, it's fucking close to one. Sure, back in the 1.x days, problems ensued, but post-1.5 Firefox is freaking ridiculous with the amount of punishment it can take (and i sure do love dishing it out.)

Re:

[cascadingstylesheet]

>So, I don't understand what the point is,

The point of what?

The situation is: lots of people complain about FF memory usage to this day, including 1.5+, how the memory usage grows over time while the program is open and being used. FF developers say "no it doesn't!" or "it's the extensions' falut!"

My point is, even if it is the fault of extensions, at a minumum FF needs to respond by not listing these extensions on their official list on their website. For many, many users the whole point of using FF i

Re:

[joranbelar]

Hey genius, you replied to his sig ;)

Re:

[cascadingstylesheet]

>Hey genius, you replied to his sig ;)

Keeps me humble ;)

Re:

[Captain Splendid]

The point of what?

ROFL, you must be new here, that's my sig.

at a minumum FF needs to respond by not listing these extensions on their official list on their website

Fuck me that's a little draconian. How about, y'know, reading the user comments under each extension to see if it has any particular problems. Lazy attitudes like that are the reason IE dominates.

It does no good to say "the base browser is fine"

Actually, yes it does, ESPECIALLY when a) the stability gets better, b) new featu

Re:

[prockcore]

We could if it *were* a hoax. Since it's reported by decent folk all over the place, I don't think we can.

Decent folk who don't understand memory management at all.

Let me put it this way:

Say you have 1 gig of ram. Say firefox is taking up "an unbelievable 500 megs!". If you wrote a program that allocated 600 megs of ram, you'd see firefox's memory usage shrink by 100 megs.

That's because firefox uses a memory cache. The ram used by the page you visited 3 pages ago is "free" but firefox has tagged it for c

Re:

[Osiris Ani]

That's because firefox uses a memory cache.

Despite having changed the browser.cache.memory.capacity setting on Firefox 1.5.0.7 — running only Talkback 1.5.0.7 and Adblock 0.5.3.042 — to 16MB (half of the automatic default for 1GB RAM) on the XP Pro-equipped employer-issued ThinkPad, I only have to leave the app open for a couple of days before it hits 300MB, and it never stops there. Because of this behavior, I now close Firefox prior to directing the ThinkPad to hibernate for the night, unless

Re:

[gEvil (beta)]

Have the Debian folks come up with a new name for Firefox yet? If not, I suggest Firehog.

Re: Benchmarks vs. Anecdotes

[bunratty]

Somebody may have some anecdotal 'evidence' that they ran it with a small memory print but generally Firefox will bloat to several hundred MB and keep climbing unless you close it completely and restart it

Sorry, no one can seem to reproduce this "bloat to several hundred MB and keep climbing" thing you're referring to. Can you give us some hints about how to do it? Without being able to reproduce it, I think we'll eventually have to brand this problem as a hoax, too. Especially if people are able to repro

Re:

[Ja'Achan]

http://www.mozilla.org/projects/seamonkey/ [mozilla.org]Seamonke y is currently using 351 MB of memory, according to Windows Taskmanager. That's after 5 days of uptime, and no exception. I know, it's not Firefox, but I suppose there is a large code base shared.

Re:

[WilliamSChips]

I haven't had Firefox memory problems since the days of 1.0. And I have lots of tabs open.

Re:

[ehrichweiss]

The instance I'm running right now(with very few extensions installed, I might add) that has been running(idling mostly) for about 12 hours is already at 102meg and once I start using it again, it'll soon jump over 200 meg easily. If I restart it, it'll start around 40meg and then within 10 minutes(without me doing much more than visiting google) it'll be around 80meg again. I can repeat this time and time again without fail. Eventually it starts hogging enough that it requires another restart. I might get

Re:

[Tim C]

All I can do is throw an anecdote at your anecdote, but the day before yesterday I had FF taking up 759MB of RAM after a day or so of idling, followed by an hour or so of actual use.

That's unusual, I'll grant you, but I regularly see FF using 150-200MB of RAM. It's gotten to the point now where I rarely bother checking; I just shut it down every day or two on general principle.

Re:

[Tim C]

These days, "0day exploit" seems to have changed to mean "an exploit for which there is currently no fix". Not quite the same...

[Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment.

It's been 4 minutes since you last successfully posted a comment.]

Re:

[a.d.trick]

Moreover, what we used to call a 'hang' seems to be a DoS. In order for firefox to be DoSed, the browser needs to be performing some security-critical service. Firefox is not a service, it doesn't have anything in /etc/init.d/ or whatever your OS does. Firefox hangs.

Re:

[jbeaupre]

Or is it really slander? Either way, the Mozilla Foundation might not thing the prank is very funny and decide to spank these guys.

Re:

[Ant P.]

It still uses a fake UA in version 9? How do they expect anyone to take them seriously?

Re:

[Reverend528]

Just suck it up and install GNU tar. It comes with the feather feature.

Re:

[kayditty]

there's no apostrophe in A. Wbeelsoi.

Follow that link at your own risk

[emurphy42]

It leads to a piece of JavaScript - either an attempted proof of concept, or just an annoying fork bomb - I didn't bother to work out which, but either way, I recommend sticking with "Save As" or wget or what have you.