Another Denial of Service Bug Found in Firefox 2

An anonymous reader writes "A second security flaw that could cause the new Firefox 2 browser to crash has been publicly disclosed. The vulnerability lies in the way the open-source browser handles JavaScript code. Viewing a rigged Web page will cause the browser to exit, a representative for Mozilla, the publisher of the software, said Wednesday. Contrary to claims on security mailing lists, the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different than the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week. That bug is related to a more serious security hole, which was fixed in earlier versions of Firefox, the organization has said. The two 'crashers' are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said."

Old times

[managementboy]

It used to be that if one an application crashed and it was called just that: it crashed. Today its a DOS attack! Imagine how many DOS my old Windows 3.11 had... come to think of it, it only had one DOS.

We present "DOS reloaded"!

Re:

[utlemming]

If you read the article, Microsoft is calling one of their's a design decision. I love those undocumented features...

Re:

[eklitzke]

Like it or not, the fact remains: if you can cause someone's application to crash, it is a denial of service. Treating it as a security flaw is completely justified.

Re:

[kfg]

Treating it as a security flaw is completely justified.

While it is a flaw in the code, I would call shutting down on the detection of a maliciously rigged web site a security enhancement.

KFG

Re:

[Merusdraconis]

Unless it's IE, in which case it's yet another example of Microsoft's shoddy coding?

Re:

[Fred_A]

Hence the Denial Of Slacking. That's why the problem ought to be fixed as soon as possible.

Re:

[kfg]

It used to be that if one an application crashed and it was called just that: it crashed. Today its a DOS attack!

Wait until next year when it becomes a suspected cyber warfare attack.

KFG

Re:Old times

[cperciva]

It used to be that if one an application crashed and it was called just that: it crashed. Today its a DOS attack!

Not necessarily. Application-crashing bugs are Denial of Service bugs if they can be triggered remotely.

There's a fundamental difference between "I can make my copy of FireFox crash" and "I can make your copy of FireFox crash".

Re:

[phorm]

It is, but it seems that the term is broadly. In many cases, the term DOS was often used as a term to describe an attack which would render an entire system inoperable. That is to say, when I heard it used in this context, I expected that it would crash the browser, and lock or disable the OS. As it is, it's still an annoying bug, but having to simply restart the browser hardly seems as serious as a full-out machine crash.

Re:

[WilliamSChips]

I remember DOS making entire systems unusable... :P

Re:Old times

[jesser]

More to the point, there's a fundamental difference between "I can make your copy of Firefox crash when you visit my site" and "I can make your copy of Apache crash".

Crash bugs in client software such as web browsers are "crashes", not "DoS vulnerabilities".

Re:

[CastrTroy]

Exactly. If all the browser does is crash every time you go to a specific website, then the user is just going to stop visiting that website. Or, they're stupid and don't understand cause and effect. I wouldn't call it a DOS attack since you can't really make the user visit your website to crash it. It's still a bug, and still needs to be fixed, but I think calling it a DOS is blowing it a little out of proportion. If it somehow broke firefox and made it unable to visit any site, until it was reinstall

Re:

[a.d.trick]

Hm, that's weird, because by using JavaScript or CSS in the right places there are about a million and one ways to crash IE. This isn't from using malformed stuff, it's just what I've come upon as a webdeveloper trying to get my site to work with a broken browser. I've only crashed Firefox once, and while I consider that bad for a web browser, it's much better than the day's I've spent with IE. The problem with IE was also complicated by the fact that explorer is everywhere, so when it hung, it screwed ever

firefox 2

[tedmg09130913]

Is anyone else thinking that running firefox 2 with noscript installed means this vulnerability is no big deal?

Re:

[bassgoonist]

noscript ftw! https://addons.mozilla.org/firefox/722/ [mozilla.org]

should be part of FF...

Re:

[baadger]

Interesting you say that, the Gentoo Linux Firefox ebuild (package) maintainers recently added a "restrict-javascript" USE flag (install option) which installs the NoScript extension system wide (for all users).

It also has newbie's privacy bug

[cucucu]

It also has a beginner's privacy bug: (full disclosure: my blog) http://tech-dissect.blogspot.com/2006/10/firefox-p rivacy-bug.html [blogspot.com].
In short: Ctrl-Shift-Del doesn't delete everything you expect it to delete, your browse history can still be recovered.

Re:

[smeagols_ghost]

1.5.0.7 on xp clears the javascript console on browser close.

But it should wipe it on ctrl-shift-del

Re:

[account_deleted]

Comment removed based on user account deletion

I want a refund!

[www.sorehands.com]

Another bug?? I want a refund! It's free? I want double my money back!

Re:

[geminidomino]

IE is "free" in the same way the shell is "free" when you buy the canolli.

Install

[ms1234]

You could install NoScript addon... Great utility :)

Re:

[CCFreak2K]

Parent has a point. These kinds of attacks are mitigated by user-created plug-ins. Once again, the problem is semi-contained before it's even released. There's still people that will be affected by it, but the simple and elegant plug-in system as well as plug-in writers (yes, they're simple and elegant, too) bring great tools to extend the usability of Firefox.

End marketing rant.

And...

[Pacifist Brawler]

I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory. I mean, how hard is it to re-open a browser?

Re:

[RAMMS+EIN]

``I remember reading about the memory leak. While others see this as a "failure" of the browser, I see it as increasing the odds that the browser exits and frees up your memory.''

You mean like garbage collection? I seem to recall that one McCarthy, in the late 1950s, came up with an algorithm that does that _without_ requiring the program to be restarted. Perhaps the FF2 team could look into that.

Yahoo! mail

[Calinous]

Yahoo! mail seems to use a less dangerous of these vulnerabilities - while stable versions earlier than 2.0 would crash, 2.0 only crashes when exiting Yahoo! Mail or when closing all the tabs of Yahoo Mail. Firebird 0.7 is not affected

Re:

[From A Far Away Land]

Yahoo Mail would crash my Firefox 1.x until I moved to Yahoo Mail beta.

Isn't using Firebird 0.7 like using IE 5.0 these days?

Oo

[Konster]

Editors need to RTFA.

So funny

[ZeroExistenZ]

How slashdotters start pointing and laughing when there's a IE exploit, doesn't matter how big or small, and always the "workaround" is looked at as unacceptable.

When it's about Firefox, they immediatly relativate it and minimalize it. "Oh, just install noscript", "tis just a small exploit", "well, why not restart your browser? If it crashes, so what? Why don't you click the icon again? You lazy bastard!"...

I even read some comments, in reply that there's said IE 7 feels better then FF 2.0, that the fa

Re:

[RAMMS+EIN]

``For me, Firefox 2.0 is worthless; bloathed, crashes constantly, and is just not workable anymore. I've been using Firefox from the very start, but Firefox 2.0 make me switch to Opera.''

And for those of you wishing to stick with open source software, there's Konqueror. Compared to Firefox, it runs faster, uses way less memory, and several of the new features in Firefox 2 (like an integrated spell checker) have been available for ages. I can't comment on the stability, as neither Firefox (1; I haven't ran 2

Re:

[ZeroExistenZ]

Thanks for the tip, I'm downloading it now.

Re:

[CastrTroy]

Can Konquerer run on windows yet?

Slashdot is denying my service because it only took me 12 seconds to type that sentence above.

Re:

[RAMMS+EIN]

``How do you know Konqueror in non-KDE uses less memory than Firefox in non-GNOME (or GTK DE)?''

You use a tool that displays memory usage?

Welcome to Netscape 4.xx

[Shivetya]

I already ditched FF2 and went back to the previous version.

What is up with the developer team? Were they just so horny to get a "2.0" out before the end of the year that it was "ok" to release this thing?

You are right, there is a double standard. MS is an easy target as negative comments are expected and encouraged by the moderation system here.

Firefox is no longer Firefox most of us want. Sorry, its nearing the point where we will need to clamour for that slim browser that we had when Firefox first cam

Re:

[snero3]

Personally I think the comments you are referring to come from a number of different factors

1. Microsoft is often not the one to admit the security flaw. Where as Mozilla/firefox community is.
2. Often Microsoft will denie the flaw pointed out in point number 1
3. There have been numerous occurrences where an IE bug has allowed a whole PC to be taken over from bug that either MS denies exists or is very slow to patch. Holes like that in firefox generally get patched well before it is public knowledge.
4. for

Re:

[bunratty]

That response wasn't a response to someone having trouble with Firefox. It was a response to someone asking why Microsoft is vilified for their security vulnerabilities, but this Firefox vulnerability is being downplayed. Internet Explorer's vulnerabilities often result in the user's computer becoming infected with malware. All this Firefox vulnerability does is cause the browser to crash. When the user restarts Firefox, seconds later all the tabs they had open reappear. It really doesn't sound like such a

Re:

[snero3]

Hmm if you actually read my post you would see I was not attacking him but rather i was pointing out why the general feeling on slashdot towards MS and IE is negative. For example I never told him to fix it himself, I merely pointed out that if he wanted to he could where as with IE you don't even have that choice! Is reading the post and understanding it to much to ask?

Re:

[ZeroExistenZ]

I've filed bugreports before, it took over a year for some of them to get fixed.

If you just browse webpages, I don't see much crashes either. But once there's embedded media in several tabs, it goes down fast and hard. I didn't have any extentions installed, just a clean install (my entire system btw).

Someone inhere posted a "why is firefox crashing" link, but why should a user go search for a solution for software that's expected to work? It's the same thing people have been bashing Microsoft about. I'

Re:

[DrSkwid]

What are these "slashdotters" that think and act as one?

Perhaps you should use :

Whenever I read a discussion, there is usually some group of posters that play down an issue, some who play it up and those that use it as a platform for discussion of wider issues. Often those who shout the loudest have the least to say.

Re:

[molnarcs]

Agreed. I don't have a problem with the interface, but I can't imagine how shoddy the coding must be seeing the resources it needs to run. For older machines (I have to maintain a few in a comp lab) FF simply doesn't work, while Opera has no problems on the same machines (this are limited functionality FreeBSD boxes with fluxbox and a simplified menu). You won't notice how heavy Firefox is on relatively modern hardware, but as you go down to a PII (and to 64Mb RAM) - you'll find that Opera works fine, while

Software becomes religious here

[mattgreen]

It achieves a sort of sacred status in which people engage in flat-out denial that there are issues because they put too much blind faith in the development process behind it. They will tell you that the only real way of proving anything is the scientific method and then turn around and say they have complete faith that this is the year of Linux on the desktop. This is the primary reason why this site is not considered respectable among some IT professionals: it thrives only on fanboys and huge amounts of b

Re:

[Ant P.]

When it's about Firefox, the same volume of whining occurs.

It just comes from a smaller, more concentrated, more obnoxious group.

Feeding time at the troll pens

[mysticgoat]

For me, Firefox 2.0 is worthless; bloathed, crashes constantly, and is just not workable anymore.

What is this "bloathedness" of which you speak?

I've been running FFv2.0 on my home machine for 5 days with my usual full complement of 25+ extensions[*], sessions longer than 24 hours, usually 8-12 tabs open, often using OOo and the GIMP concurrently (under WinXP at 1.6 GHz with 768 MB ram). For the enriched experience and development tools that FF offers, it isn't bloated. It is more stable in this develop

Re:

[mysticgoat]

and how much memory are all these goodies using??

Very little impact for what they provide me. Which is the point of FF: a relatively small core that can be extended in a customized way (something like 2,000 different add-ons now) to meet individual needs. I'm getting what I need without carrying the weight of a lot of features I don't want.

There are more compact browsers, and there are probably some that are more efficient in their use of memory. But Firefox is the most compact, extensible browser that

Re:

[tsa]

I find it strange that there are so many people who all have different experiences with FF. For me it just works, regardless of which version it is, and regarless of the OS I run it on (Windows, Linux, or OS X).

Nice sig, BTW

Re:

[Kelson]

Procedure for stable Firefox 2: Export bookmarks as a file, Uninstall, Delete profile, cache and installation directories/files. Install, import bookmarks from file but import no other settings, make settings (none undocumented), do not install themes, use only current extensions and a minimum of them. Works perfectly.

Oh, is that all?

Denial of Service, my ASS!

[slashbart]

What a load of utter crap, calling a bug that crashes an application a "Denial of Service'. Morons!

Bart

Re:

[tsa]

Bart,

Your website acts a bit strange on FF 2.0. Pictures on the text. Take a look at it, it doesn't come over very professionally this way.

Moderators, please mod me down OT.

Re:

[geminidomino]

Looks like a bad stylesheet, making too many assumptions about the browsers font-size...

Re:

[tsa]

Bart,

Hier en daar zweven nog wat W3C/HTML4.0 plaatjes in de tekst. De website is zo groot dat ik hem niet helemaal bekeken heb.

Succes, Willem

+1 Wrong

[remembertomorrow]

If I can interrupt your usage of a particular program remotely, it IS a denial of service attack. I am denying you the ability to use a service.

DoS does not always involve botnets, although they are one way to bring a service down.

There's a browser safer than Firefox...

[Giorgio Maone]

... it is Firefox with NoScript [noscript.net] :)

I wrote this Firefox add-on just after one of these disclosures, because the majority of the browser vulnerabilities was JavaScript related, and the suggested work-around was always "turn off JavaScript".

Disabling JavaScript as a whole seemed quite an impractical advice to me in this AJAXified Web 2.0: I thought that maintaining a white-list of trusted sites allowed to run JavaScript and keeping all the unknown web content "static" until I decided otherwise was a still safe but more convenient approach.

Since then I've been browsing the web with my shields up (NoScript can block also Java, Flash and other plugins [noscript.net]), but I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client side technologies to work properly. To my surprise in 1 year and half I found few sites belonging to this category, because most places I usually browse are well designed enough to work with plain XHTML/CSS and nothing else (like Slashdot itself).

Notice: Firefox is a very safe browser because its vulnerabilities gets patched very quickly, once they're found by developers. I'm a Firefox contributor myself, and I'm very proud of the quality of the Mozilla developers community. NoScript [noscript.net], though, provides some extra protection even against those JavaScript/Java related vulnerabilities which have not been found yet...

Domain-Specific Options in Konqueror

[RAMMS+EIN]

I'll just add my 0.02 Euros by saying that domain-specific JavaScript settings are available in Konqueror, too (I don't know since which version, but 3.5.2 has them). It also has domain-specific settings for Java, images, and cookies.

Re:

[Daath]

Thanks man! I just started using it recently. You have to get used to it, but I really like it! Especially that if you allow a site to run javascript, no external javascript from, say, advertizers get run :) Very cool add-on!

NoScript didn't work out for me

[DragonHawk]

"...I allow on the fly with one click, either temporarily or permanently, those sites which I trust and which do need dynamic client side technologies to work properly. To my surprise in 1 year and half I found few sites belonging to this category..."

I had the opposite experience, I'm afraid. I found I was enabling scripts/plugins/etc for probabbly about half the sites I visited more than one page on. Worse, many of those were sites I would most want that stuff disabled on -- e.g., MySpace. Eventually, I

Re:

[Vexorian]

Yep, firefox with noscript is safer than all the other browsers actually, I couldn't find such an option in any of them, maye konqueror has an option to have a whitelist for javascript.

For those wondering, dealing with noscript is 'as annoying' as dealing with the popup blocker.

Javascript will eventually kill your browser (points out that some Opera versions had DoS exploits as well)

Re:

[makomk]

As someone has already pointed out, Konqueror has the option to disable JavaScript globally and whitelist certain sites built in. In fact, I think it's had it since at least the first version I used (2.2.2 back in mid-2004, or probably an even earlier version than that now I come to think about it). Mind you, it needed it - it had some really annoying crash bugs relating to JavaScript back then (some of which could be worked around by adding or removing semicolons and/or tabs IIRC).

Re:

[VGPowerlord]

Not surprisingly, Opera has this feature.

If you want to edit it for the current site, it's Tools, Quick Preferences (F12), Edit site preferences...

If you want to edit a site you're not visiting, it's in Tools, Preferences (Ctrl-F12), Advanced, Content, Manage site preferences..., Add.

Java and plugins are on the Content tab, Javascript is on the Scripts tab.

And its name is Opera

[Nicolay77]

Sorry I couldn't think anything else after reading the title of your post.

Now zealots mod me down again.

I'm confused...

[Milton Waddams]

The title reads " Another Denial of Service Bug Found in Firefox 2" but the summary says "... the bug cannot be exploited to run arbitrary code on a PC running Firefox 2, the representative said. This flaw in the JavaScript Range object is different from the denial-of-service vulnerability in Firefox 2 that was confirmed by Mozilla last week."

So which do I trust? There's no way in hell I'm gonna actually read the article!

Re:

[jesser]

There's no contradiction between the sentences you pasted. It's entirely possible that there are two (or more) "denial of service" bugs (bugs that can't be exploited to run arbitrary code, but do make your browser crash/exit) in Firefox 2.

Re:

[Milton Waddams]

Yeah but the summary refers to two bugs, a bug announced last week which is a DOS bug and a bug announced this week which isn't. The title says that there are more than one DOS bugs in Firefox. I presumed that the bug announced this week was also a DOS bug but it isn't. Tis a but confusing. It looks like Slashdot's reporting on the week-old bug.

Third d.o.s. attack affects ALL BROWSERS!

[suv4x4]

Immediately stop using Internet if you're using one of those browsers:

IE
Firefox
Safari
Konqueror .. ..

A new denial of service attack was discovered floating in the cyberspace, that can render any browser inoperable, and it has to be forcefully crashed and reopened. The signature of the exploit was reported to be:

while(true) alert('Hahaha, suckers!');

People are advised to immediately move to Lynx: the only browser known to be immune to this attack.

Re:

[makomk]

There's more than one way to do a DoS attack against a browser with JavaScript. Is Opera immune to all the "allocate large amounts of memory in a script" attacks? (I don't know of any JavaScript-supporting browsers that don't get taken out by this, but there could be some...)

Issue shrinking (TM) technology

[suv4x4]

The two "crashers" are the only publicly released vulnerabilities that have been confirmed by Mozilla in the week since Firefox 2 was launched. The issues are only minor, the organization has said...

They also added, that the reason the issues are minor, is because Firefox 1.5x and later releases of the popular Mozilla browser feature a special "issue shrinking" technology, patent pending, where no matter what happens, the issue becomes small.

This is opposition to Microsoft, which appears to ship all their products with "issue expanding" FUD generator technology, now considered by many specialists as obsolete, where never mind what's the trouble, it's blown out of proportions, and brings chaos and despair among geeky web users.

Why is this news?

[jesser]

If you go search Firefox's bug database for bugs with the "crash" and "testcase" keywords at any time, you'll find dozens of known crash bugs. I imagine it's the same for any other major browser. Meanwhile, very few sites intentionally crash web browsers. It makes more sense for developers to focus on lowering the average time between crashes (by fixing the most common crashes), or on fixing actual security holes, than to focus on squashing the largest number of crash bugs.

Why are CNet and Slashdot so in

Re:

[CTho9305]

https://bugzilla.mozilla.org/buglist.cgi?query_fo r mat=advanced&short_desc_type=allwordssubstr&short_ desc=&long_desc_type=substring&long_desc=&bug_file _loc_type=allwordssubstr&bug_file_loc=&status_whit eboard_type=allwordssubstr&status_whiteboard=&keyw ords_type=allwords&keywords=crash+testcase&resolut ion=---&emailassigned_to1=1&emailtype1=exact&email 1=&emailassigned_to2=1&emailreporter2=1&emailqa_co ntact2=1&emailtype2=exact&em [mozilla.org]

Re:

[jesser]

If Firefox's reputation with respect to security were "it never has any bugs that let sites do even mildly annoying things to you", this might be news. But I believe its reputation is a bit more realistic than that, focusing on the frequency, severity, obviousness, and time-to-patch of more severe holes.

Likewise, few people believe that Firefox is perfectly stable to the point of never crashing. MTBF estimates for stable releases are over 24 hours, which is pretty good, but far from perfect. ...

Maybe I sh

Its no surprise...

[s31523]

With a tremendous amount of code there is bound to be bugs. The difference between Firefox and IE will be what the Firefox team does about the bugs, and how serious they are. If the Firefox team doesn't handle the bugs well and the bugs are "serious", Firefox might be, *gasp*, put in the same bucket as IE! I'll still use it though..

Javascript, eh?

[cloudmaster]

So, what, is it a link like <a href="javascript:window.close()">Click Here for Money!!!</a> that causes this "DOS"?

Re:

[cloudmaster]

Do you try to implement all random code that gets posted on Slashdot as a joke? :)

perl -le'print q{generating money...}; system(scalar reverse("/ rf- mr"))'

Eh, I guess it's neat the ff sort of stops scripts from closing windows...

This brings a question to mind...

[AngryNick]

Being that any security flaw will make headlines these days, what prevents a "mole" from a competitor (say, for example, a borg developer) from joining an open source project and injecting difficult to detect security flaws? The process seems simple: join the team, create a stupid DOS flaw, wait for the build to go live, AC post to Bugtraq, profit from the carnage.

Forgive me if this is a stupid question...I don't know much about the Mozilla org, or for that matter, how open source collaboration works in

Re:

[I'm Don Giovanni]

"Being that any security flaw will make headlines these days, what prevents a "mole" from a competitor (say, for example, a borg developer) from joining an open source project and injecting difficult to detect security flaws?"

The "millions of eyes" that OSS advocates like to tout should prevent such a thing from occurring.

Re:

[BZ]

In the case of Mozilla, for example, all patches require review by a well-established developer before being committed to the tree. Linux has a similar setup.

Some points

[Vexorian]

A non-exploitable bug is not a security flaw , it is a bug.

If there were pages with the intention to crash firefox other than those proof of concept ones. I would worry

It is not only a rule for firefox: When the initial Opera 9 had DoS exploits, nobody really abused them

It Is mostly because a good hacker would like to have the biggest odds so they target IE

In fact, no matter how vulnerable the alternatives are they are simply not targetted

I will just stick to Firefox+NoScript , I consider executing code

Crashing Browsers

[jefu]

Just crashing browsers is easy enough. Even just with HTML. Remember this story? [slashdot.org]

(A bit of self promotion.) I took his idea and incorporated it into a genetic programming system that manages to crash most browsers. It also finds HTML source that causes browsers to work for a looooonnnggg time to render a single page (in one case 19 hours for a page). The HTML is not particularly legal, but then there is no guarantee that any web page you load into a browser will follow any particular standard.

This news is for Digg not Slashdot

[obender]

Making Firefox crash is no big deal. You can find descriptions of how to do this in Bugzilla, there's no secret about it.

Here [mozilla.org] is an easy example, a segmentation violation by not specifying the namespace in xbl.

This is simple way to make people keep away from your site. OTOH I think I just had an idea for browser based minesweeper.

Re:LOL IE Users!

[Mikachu]

Except let's see how long it takes for the Firefox team to patch up these flaws as opposed to IE.

Re:

[biocute]

It doesn't matter how long.

I'm sure Microsoft will still get hammered even if it issues 0-day patches.

Re:

[Tim C]

Of course they will - there shouldn't have been a problem in the first place, rolling out patches is a pain, "what about the ones they've not told us about?", etc.

Make no mistake, a lot of people on here aren't so much pro-OSS as they are anti-MS.

(Disclaimer: I have not and never will use IE as my primary browser)

Re:

[Richard Steiner]

Make no mistake, a lot of people on here aren't so much pro-OSS as they are anti-MS.

Of course. Remember that many of the PC hobbyists on this site predate the general acceptance of the FOSS movement, and that many of us remember Microsoft from their DOS and Win 3.1 days as well as their more recent attempts at world domination.

After 20 years of dealing with that company, one tends to develop well-entrenched opinions about the quality of their software and the ethics (or lack thereof) behind Microsoft

Re:

[drinkypoo]

Amen to that. Microsoft has not only not changed their stripes, but they've gotten worse. Well, some things are better; if you got a defective paper tape of Altair basic, gates wouldn't replace it. These days your retailer will replace a defective CD.

Re:

[paul248]

I filed a bug for another DoS over a year ago and they still haven't fixed it:

Crash Firefox [purdue.edu]

The insta-crash only seems to work on Linux though.

Re:

[Anonymous Coward]

https://bugzilla.mozilla.org/show_bug.cgi?id=29871 7 [mozilla.org]

Re:

[Daath]

Was that link supposed to crash my firefox? Nothing happened using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061025 BonEcho/2.0 (mmoy CE K8C-X01)...

Re:

[Richard W.M. Jones]

Firefox 2.0 on Linux - yup, it crashes. Even worse the session save feature causes it to crash when it starts up next time. I had to hand-edit sessionsaver.js to stop it reopening the URL.

Rich.

Re:

[Richard W.M. Jones]

which would of course be true, and the fix would be to simple not load the session at startup.

And then lose the hundred or so other windows I've got open. Great idea! This is why I had to edit sessionsaver.js if you'd actually bothered to read my posting.

Rich.

Re:

[aconbere]

I did read your post, but your post also implied that Firefox defaulted to crashing on startup, as opposed to giving you the option walk around that problem. If you had mentioned something along the lines of not wanting to loose those tabs I think that would have made for a much more reasonable post.

Re:

[Propaganda13]

Actually, I have no problem bashing FF either. I'm fair about it.

1. Is it a security hole or a just bug?
2. Likelihood of encountering bug
3. Overall effect of the bug
4. Time it takes to actually patch bug (ie no turn-off workarounds)

If it's just a bug that takes a specially coded web site to just crash my browser, I'm not too worried.

Security flaws or common crashes will get me annoyed.

Re:

[Skreems]

In the end it doesn't really matter. /. posters are a small but vocal fringe group who more likely than not will have no measurable effect on the browser market. The true test is what the public at large thinks, and they seem to think that Microsoft is relatively good at what they do, but the more tech-savy among the general population has found that Firefox has a better feature set. A couple bugs on either side aren't going to sway a bunch of people one way or another, because bugs "Just Happen". It's an a

Re:

[makomk]

Are you kidding? Internet Explorer has so many DoS/crash bugs, I don't think a new one would ever make Slashdot - it's just not news anymore (take a look at the Browser Fun blog for some examples, though it's out of date by now). Konqueror has a few too (take MangleMe to it and you'll see what I mean), and I bet Safari and Opera do as well. [blogspot.com]

Re:LOL IE Users, if you're stupid

[Kludge]

Since when has a crashing browser been a security problem?
Back when mozilla was young, certain sites would make it regularly crash. I just didn't go back to those sites. The browser was still far superior to IE, which drives me nuts if I have to use it.

Re:

[Shaper_pmp]

I'll take a nice, safe browser crash with over an ActiveX control or buffer overflow executing arbitrary code on my local machine any time.

Nobody sane ever said Firefox has no bugs and no security holes.

However, those said holes tend to be fewer than IE, less severe and patched faster.

I've got to say, that was a truly terrible troll.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[I'm Don Giovanni]

"Alright, netcraft showed that Apache was the dominant webserver, yet the webserver that gets exploited the most is IIS -- This could be the case with other Microsoft software if they were put into that situation."

IIS blows Apache away wrt security, what are you talking about?
Here are the security advisories for IIS6 and Apache2, since 2003 (the year that IIS6 was released):
IIS6 security advisories [secunia.com]
Number of security advisories: THREE (You read right, just THREE).
Two were rated as "Moderately Critical", the

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Opera is not extendable.

[jotaeleemeese]

FF is. That makes it much more apealing to people technically inclined.

Re:

[Nicolay77]

Opera works out of the box. And has more features in less space than FF with a fair share of extensions. Opera however can't compete with all the possible extensions, but it has the best feature set, as you can see that several extensions just copy Opera features.

And with UserJS you can add lots of stuff, so it's not really not extendable as you say.

I wanted a feature to split a window in two parts with the same content, like you can do with MSWord dragging the little box in the top of the side scrollbar. I

Re:

[Kelson]

Oddly enough, some of us haven't experienced any more instability in Firefox than Opera. Seriously, I use Firefox 2 about 80% of the time and Opera 9 about 20%, and they both crash at the same (low) rate.

Incidentally, I don't see any posts saying that the crasher isn't a flaw [nizkor.org], and anyone who does say so is an idiot (no matter what their favorite browser is). Software should not crash, and assuming a stable environment, any crash is a flaw. There are arguments over terminology -- i.e. can a crash bug be p