A Bad Month for Firefox

marty writes "Februrary is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michael Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."

Compelling reasons to switch to 2?

[soupforare]

I'm still running 1.5.0.9 and it works a treat. Am I missing something besides, apparently, h4x?

Re:

[arodland]

You're also missing the annoying UI design and worse performance.

Re:Compelling reasons to switch to 2?

[kv9]

You're also missing the annoying UI design and worse performance.

I agree that the UI is not the most pretty thing ever envisioned (why does everyone go for ROUND shit now? let me guess, the UI designers have Macs) but performance wise it got better. also it's more stable and the integrated session management allows you to get rid of all the clunky extensions that tried to provide sessions (along with the kitchen sink)

there's also tabbed browsing improvements and other features. GP, check the changelogs.

Compare against the best.

[Anonymous Coward]

When it comes to software performance, it's pretty useless to compare the performance of your software to a previous version of that same software. You need to compare your performance to that of the current leader in the same market.

Maybe Firefox 2 is faster than Firefox 1.5. But compared to Opera, Konqueror and Safari, it's still quite slow and extremely bloated. Apparently it's also quite insecure, too.

KDE 4 is getting very close to being released. It's native support for Windows will bring Konqueror to

Re:Compare against the best.

[omeomi]

But compared to Opera, Konqueror and Safari, it's still quite slow and extremely bloated.

I use Firefox and Opera on Windows, Safari on OSX, and I have occasionally used Konqueror, but I'll admit, not as frequently. However, I've never noticed a perceptible difference in speed or obvious bloat between Firefox, Opera, and Safari. "quite slow" and "extremely bloated" are obviously complete fabrications...

Re:Compare against the best.

[nutshell42]

I think the "which browser is faster" comparisons are (or should be) a thing of the past. If you didn't buy your PC last century there's not much of a speed difference to be had. Some browsers might cache better than others but if I think I'm gonna need that page again, I generally just open the link in a new tab anyway.

Nowadays if some page's slow to load I think "slow page" instead of "slow browser".

OTOH I use *lots* of tabs and there are major differences in memory consumption. On my PC Opera needs about 250-350MB of RAM for 100 tabs, Konqueror 400 and Firefox between 800 and 1.5GB.

Re:

[bberens]

I disagree. In the land of web 2.0 javascript execution speed is very important. Also, lately I've noticed that when I right click a link in FF it takes about 2 seconds for the popup window thing to appear. This has made me consider dropping FF for another browser. Could I spend a boat load of time trying to figure out exactly what I did to make FF slow down? Probably. But I frankly don't care what I may have done. I'll just dump it as soon as I perceive something else as a better option.

Re:

[omeomi]

Also, lately I've noticed that when I right click a link in FF it takes about 2 seconds for the popup window thing to appear.

Perhaps you have spyware or too many plugins installed or something. When I right-click on a link in Firefox, it's pretty much instantaneous. I'm not a Firefox fanboy or anything, but I really have never had to wait any length of time for the right-click menu to open up. My guess is it has more to do with your specific installation than any sort of broad problem with Firefox.

Re:

[CBravo]

I cannot reproduce that on linux either...

Re:

[Ginger Unicorn]

for what in the name of holy hell do you need 100 tabs open?

Re:

[SirTalon42]

Konqueror will also run natively on OS X. Also when ran along side other KDE apps and the DE, Konqueror's memory usage (because of shared libraries) is most likely lower than Opera's, though it can still use some work to become even more efficient. Firefox developers will have an INCREDIBLY hard time making the Firefox UI as fast as Konqueror/Safari/Opera because of their extensive use of XUL.

Just for full disclosure, I use Konqueror as my primary browser on all *nix systems, and Opera everywhere Konquero

Re:

[Vexorian]

Firefox developers will have an INCREDIBLY hard time making the Firefox UI as fast as Konqueror/Safari/Opera because of their extensive use of XUL.

No, they won't. "why?" do you ask? Because THERE IS NO SPEED DIFFERENCE! . Know this: if you need a benchmark to prove that something is faster than something else then it is not faster enough to be noticeable.

I tested konqueror, Opera , firefox and IE. All four browsers take the same time to render the same page : less than A SECOND! (And this is a fairly s

Re:

[mccoma]

let me guess, the UI designers have Macs

Given how the UI looks and acts on a Mac, I can assure you that this is not the case.

Re:

[mrchaotica]

(why does everyone go for ROUND shit now? let me guess, the UI designers have Macs)

Nope, if the UI designers had Macs, I wouldn't have to download a theme to get it to look good in Mac OS!

Re:

[kv9]

[...] massive problems with stability in 2.0

I guess it's like with soylent cola -- the taste varies from person to person. I've been enjoying it all the way, through Phoenix/Firebird/Firefox and now 2.0. The only things that caused grief were fucked extensions, not the browser itself.

I'll be switching back to 1.5 as soon as I find a mirror to get the old version from.

there you go [mozilla.org]. have fun.

Re:

[adrianmonk]

I'm still running 1.5.0.9 and it works a treat. Am I missing something besides, apparently, h4x?

Yes: when the app crashes for whatever reason, Firefox 2.x automatically offers you the opportunity to reload the pages (and tabs) that you had open before the crash. I can't think of any other compelling features of Firefox 2.x, but to me, this alone is worth it. It's very handy, also, when the browser hasn't completely crashed but is just mildly wedged.

I believe you may be able to get basically the sam

you are missing 1.5.0.10

[someone1234]

Well, you surely got some known holes now :)

Re:

[suv4x4]

The defect information is fed back to the Toyota engineers, and they redesign the defective parts of the Camry. The third-year release of the Camry should be quite reliable. (Toyota [msn.com] has some of the highest rates of recalls [thestar.com] in the automotive industry. Toyota typically recalls nearly 10% of its vehicles -- versus "only" 7% for General Motors.)

If you are using your Web browser to do critical jobs like online banking, you should continue to use the latest iteration of Firefox 1.5. The la

Bottom line

[AndyBassTbn]

Bottom line - the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE.

Granted, I do think Firefox is far superior to other browsers on the market, but I don't think that this should surprise anyone. At least Firefox is being fixed quickly. I suspect other software companies may not have held back their release times on upgrades to fix additional bugs. ("Don't worry now, just get this new version out before the deadline, we'll fix it later...")

Re:Bottom line

[Mateo_LeFou]

"the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE." Except that with the Fox, half of the people looking for and finding bugs are doing so in order to help get them fixed.

Re:

[H8X55]

Except that with the Fox, half of the people looking for and finding bugs are doing so in order to help get them fixed.

(insert devil's advocate)
But for how much longer? the more positive attention fox draws from the unwashed masses, the more negative attention will turn in that direction from malware developers. If you go from 5% marketshare to 25% marketshare - your percentage of people looking for and finding bugs for good would drop through the floor. Think of it like this - Maybe one out of ever

Re:

[Mateo_LeFou]

I don't think it goes without saying that all applications are targeted the same. They're not; certain companies, for whatever reason, have pissed more people off than others. Fact is, Firefox is a community-oriented, community-developed piece of software. It's not a plannedly-obsolete product designed to improve someone's bottom line. As such, it doesn't foment the kind of animosity that certain other pieces of software I could name do...

Re:

[Jahz]

Except that with the Fox, half of the people looking for and finding bugs are doing so in order to help get them fixed.


(insert devil's advocate)

But for how much longer? the more positive attention fox draws from the unwashed masses, the more negative attention will turn in that direction from malware developers.

If you go from 5% marketshare to 25% marketshare - your percentage of people looking for and finding bugs for good would drop through the floor.

Think of it like this - Maybe one out of every ten of my FFX using friends actually do any app-dev work. Is that accurate? Maybe 10% of all users? If more 'regular people' started using FFX, ditching IE, you think you're still going to have 10%?

Safari and FFx are safe for now, because they're not being targeted by hundreds/thousands/millions.

I would contend that 10% is a wildly inaccurate estimate. There are millions of FF users, including my parents, sister and all of my friends/professors here at the University. There might be one person among that group who has contributed code... I doubt 10% of the FF user base has the knowledge or technical ability to patch/hack Mozilla source. Perhaps 10% contribute if you include QA/Bug reports/Documentation etc, but not "App-Dev" work.

Two years ago Firefox Downloads passed 25,000,000 [mozilla.org]. To illustrate

Re:

[drsmithy]

Bottom line - the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE.

But, how can that be ? We are constantly being told marketshare is irrelevant !

No we're not

[Mateo_LeFou]

We're constantly being told that market share is not the biggest factor in the security equation. Because e.g. we're constantly point to the example of a piece of software (Apache) with enormous market share that is almost never breached. We're constantly told these things 'cause they're true.

Re:No we're not

[Mateo_LeFou]

"Conclusion? Apache has predictably shown more vulnerabilities than IIS versions over the same time period"

Conclusion? Apache has predictably reported more vulnerabilities than IIS versions over the same time period

FYP

Re:

[kimvette]

I don't use lynx, ever. I use links.

Oh I know, I know, it's bloated, it has features 99% of users never use, but darn it, I'm one of those 1% of users and I need my full-featured curses-enabled links console browser! Point-and-click, baby! ;)

Re:Bottom line

[Tiger4]

("Don't worry now, just get this new version out before the deadline, we'll fix it later...")?

As much as I am annoyed by MS for their practices, that particular one is perfectly reasonable and acceptable.

If the overall program was not managed that way, they would have chaos. Every potential change to the main configuration has to be assigned to a given build and release. The place to attack the "problem" is in how they assign priorities to problems and bug fixes. The criteria for Critical and Non-Critical bugs, for High, Medium, and Low Risk threat and fixes are where software quality hinges. MS does it one way, Mozilla a different way. To some extent they will converge. Hopefully for us all, not too much. But definitely they will converge. If they don't do effective Configuration Management, they don't know what they have, and they can't be sure about what results they will get. The development process is tricky enough without deliberately adding random uncertainty to the process. If it means delaying a given fix for some period of time, so be it.

I would not be at all surprised to see Mozilla eventually adopt a variant of the MS "Update Tuesday" model. For all but the Most Critical changes, just hold all updates them bundle them and push them at the end of the next week/month/quarte. One thing they already do better than MS is to fully declare a new revision, rather than just issues a patch and updat a table with the information. Makes it easy for humans to know at a glance what revision they are at. (By the way, I got 1.5.0.10 shoved at me last night)

Re:

[rmdyer]

"I do think Firefox is far superior to other browsers on the market."

Far superior? I think you need to backup that painfully abstract and non-obvious statement.

I just cranked up my copy of Firefox 2.0.0.1 today after some time has passed since I last used it. I have it set to a blank page. You know what the first thing it asked me was after firing it up? It wanted to know if I wanted to set a "cookie" for the site "newsrss.bbc.co.uk" This would have been normal except for the fact that I hadn't yet eve

That's a Live Bookmark

[ravenlock]

You've got a Live Bookmark to "Latest BBC Headlines." It's in the default installation. A live bookmark is basically the subject lines from an RSS feed in a submenu. Not very useful, but not exactly a bug either -- technically, you are subscribed to a feed, you just don't know it.

It's located in Bookmarks -> Bookmarks toolbar folder (at least on my installation), and in the bookmarks toolbar.

Opera

[aliquis]

Firefox isn't superior to Opera.

A bad model?

[Lord Satri]

Well, such headlines won't stop me from using FF. At least vulnerabilities are attended to in a way I believe (wrongly?) faster than most mammoth companies would. That said, this point from the article is interesting, making me believe researchers should (?) have incentives to disclose security bugs to Mozilla first and to the public only when the fix is distributed:
"Although Snyder said she would prefer it if Zalewski and other researchers would disclose vulnerabilities to Mozilla before taking them public, she said the company relies on such experts to help it keep customers protected from attacks, as painful as the reports may be."

Your model is bad.

[DrYak]

researchers should (?) have incentives to disclose security bugs to Mozilla first and to the public only when the fix is distributed

No. It's how it work with microsoft, it's not how it works with open source software.

With Firefox, if you disclose a hole to the public there's also a higher chance that someone outside the foundation, from the public, could try to fix the hole. (Which could be not to much difficult for an outsider if the fix is just adding a check to avoid invalid input). If you only disclose

Re:Your model is bad.

[Albanach]

if you disclose the problem to the public, they can't do much apart from switching to another product or wait until microsoft developer finally fix the problem.

But that's only an issue if you get no response. What if MS email and say thanks, we've looked into this, we need to change x, y and z and it should take about two weeks before we issue a fix. What would be the advantage in going public inside those two weeks?

I can't see any valid reason for someone not to report to Mozilla first, and to expect a reasonable and speedy response, then oing public if a fix is not in place inside a sensible timescale. To do otherwise suggests the researcher is more interested in self publicity than in protecting users of the browser.

Incentives

[Beryllium Sphere(tm)]

Like, say, paying for security bug reports [mozilla.org]>

Re:

[adrianmonk]

That said, this point from the article is interesting, making me believe researchers should (?) have incentives to disclose security bugs to Mozilla first and to the public only when the fix is distributed

There already is an incentive in place: not having people think you are an arrogant dick.

What's worse?

[tomstdenis]

As the author of security software, I'm not happy to find flaws in my code, but I'd rather find them then not.

The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice?

Tom

Re:What's worse?

[kjamez]

The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice?

i've been following this guy's postings on SF and bugtrac, and it's ridiculous. Some of the stuff he's finding are bugs in bugzilla from 2001 that keep getting shifted around and reassigned and marked as duplicates of other bugs ... the remote file upload keypress trap example comes to mind, and was an interesting POC to say the least. Some of the stuff is trivial and only comes with 'theoretical exploits', but are still potentially dangerous none the less. I was just thinking yesterday "wow, this guy really has it out for mozilla..." but like you said, it's good someone is finding these things now as compared to a 'blackhat' 0-day'er. And it's even better they are getting fixed, delayed release and all.

Re:What's worse?

[tomstdenis]

Well yeah that's the flipside. Some people report "bugs" which are things that cannot really be exploited in the field [e.g. unreachable exploits]. I deal with that in my OSS work as well. Though, usually I fix them anyways just for completeness. In fact, a non-trivial amount of bugs I've fixed have been of that sort [I wouldn't say a majority but definitely not just a few].

Some people like the press it gets for finding them too.

That being said, some projects react bad to bugs. GCC is an example of a group who react well to them. I've had several PR's fixed because of a simple ICE or asm dump I sent in. Whereas in the Linux camp, bug fixing is a royal right only a few can have. When I wanted to add device IDs for Intel NICs to the 2.6.18.2 [iirc] kernel I submitted a patch which added them. It was refused saying that they would be added in the next major release cycle. Even after I told them that they could trivially be added to the next point release they still refused. Oddly enough the maintainer, a Gentoo developer, added them to the gentoo brand of the kernel anyways. Go co-operation!

I dunno, for me it's a sense of responsibility. If I'm going to release software that can potentially cause problems for others, I make sure I respond to valid reports as soon as possible. I don't look at it as a negative experience because for me the alternative is to stop sharing the code alltogether.

Tom

Re:

[gmack]

Whereas in the Linux camp, bug fixing is a royal right only a few can have. When I wanted to add device IDs for Intel NICs to the 2.6.18.2 [iirc] kernel I submitted a patch which added them. It was refused saying that they would be added in the next major release cycle. Even after I told them that they could trivially be added to the next point release they still refused. Oddly enough the maintainer, a Gentoo developer, added them to the gentoo brand of the kernel anyways.

So you tried to add the ids to

Re:

[tomstdenis]

The gentoo fix was to add the same IDs [and a few more].

My complaint isn't that they weren't added, it's that the maintainer refused to add them to the vanilla kernel [e.g. at kernel.org] and instead horded them for Gentoo-sources [even though I run gentoo I still feel this is wrong]. Eventually at the next major release they were added. So it's not that the device IDs were wrong or caused problems. It's that the developer didn't want to share them with the rest of the Linux crowd.

You should ask Jean-Luc

Re:What's worse?

[gmack]

My complaint isn't that they weren't added, it's that the maintainer refused to add them to the vanilla kernel [e.g. at kernel.org] and instead horded them for Gentoo-sources [even though I run gentoo I still feel this is wrong]. Eventually at the next major release they were added. So it's not that the device IDs were wrong or caused problems. It's that the developer didn't want to share them with the rest of the Linux crowd.

Or more to the point: the maintainer knew they would never be accepted into the stable branch kernel until, at the very least, they were tested in the dev branch first.

The maintainer doesn't have the final say. It's the stable team that decides in the end and they have only gotten more strict now that there are shorter dev cycles. Also, I didn't say that they did cause problems I said they could in theory cause problems and there is no way to know for sure until the new ids have been well tested. The change was quite probably safe but I'm astounded your whining that they would not throw improperly tested code right into the stable branch. I've seen simple device ID additions cause crashes. I've had them crash MY system. It's rare but it happens. That's why I update my servers with the stable branch and run my personal stuff on the more cutting edge devel kernels.

You should ask Jean-Luc Cooke about his experience trying to replace the horrible /dev/random device with one based on Fortuna. He got the same royal decreed from Ted T'so about "who owns the kernel" and who doesn't. In the end, Jean-Luc just gave up and withdrew the patches.

/dev/random has to be as hard to predict as possible. You claim it's horrible but there are whole papers on how to random generate numbers and even seasoned kernel devs have had patches refused patches because they weren't able to justify them properly.

The kernel is, for the most part, a horribly written, and poorly maintain piece of code. The maintainers are selfish ego-hording losers and have to really learn there is more people willing to contribute then just them.

Translation: They didn't let me do what I want to they are a bunch of jerks

There are people who dedicate themselves to teaching new people how to add patches to the kernel. The whole kernel newbies project and the kernel janitors project exist to provide developers who new to kernel programming an easy way to learn their way around and get patches accepted. There have been hundreds of patches in the past few months that were accepted from people who were previously unknown to kernel programming. So it really is open to others but only people willing to follow the rules. Those rules are there for a reason.

Re:

[gmack]

In the case of my patches, they were against [iirc] 2.6.18.2 not 2.6.19-rc2 or something. The last "." is supposed to be for incremental changes to reduce the time between major releases. It gives users a chance to try a work-in-progress kernel that has been through at least some testing. Otherwise, why even have the fourth level of releases?

That's not even close to correct. The last "." is so bug fixes can be added to a known stable branch. The shorter RC cycle (a month or two instead of a year or two) i

Re:What's worse?

[tomstdenis]

Whatever. This is why newbs mock OSS. If a one line trivial change causes WW3 between developers, just because Intel decided to up a PCI devid value ... we have problems.

Out of the box, the latest kernel wouldn't work on my mobo [when I got it]. That means LINUX IS BROKEN. The fix? Add one line to a eth device drivers list of recognized device IDs. What does the community do? Reject it until MONTHS LATER. Many newcomers would look at that and say "fine I'll go to Windows or BSD."

How are we supposed to build a community of trust and co-operation if we can't resolve single line fixes to code that enable hardware to work?

Tom

Re:

[spuzzzzzzz]

This is not about your one-line patch. The issue of adding hardware support to a stable branch is something that people have been arguing about for a while. See, for example, this [kerneltrap.org], which is about 2.6.16.y but talks about some of the issues that adding hardware support can cause.

Re:

[tomstdenis]

This isn't about adding a new device driver. It's about having the device driver detect a revision of a chipset. It's fairly easy to test and a very LOW risk change. Not doing so means an entire line of motherboards are not supported.

You have to use your brain to determine what's a high and low risk change. Adding an entirely new driver, high risk. Adding a device ID to a list for an existing driver? Low risk. *NOT ADDING* the driver? High risk of user unsatisfaction.

Tom

Re:

[spuzzzzzzz]

This isn't about adding a new device driver. It's about having the device driver detect a revision of a chipset. It's fairly easy to test and a very LOW risk change. Not doing so means an entire line of motherboards are not supported.

You may have missed the following comment in the thread I linked to before.

The problem is when some hardware suddenly become detected and assigned in the middle of a stable release. Do not forget that people need stable releases to be able to blindly update and get their s

Gentoo

[wytcld]

A Gentoo developer refused your patch, except for Gentoo? Go Gentoo! Man is that corrupt.

I mostly use Gentoo - I've done well with it running servers almost from its conception. But the Gentoo developers and maintainers, on the whole, are developing increasingly obnoxious attitudes towards their users - which makes no sense at all considering Gentoo users on average have higher skill and knowledge levels than the users of the other popular distros. A few years ago bug reports were handled as well in Gentoo

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[rg3]

If I recall correctly, adding a new device id to a driver is not acceptable for a stable release. There was a discussion not too long ago because, as you may know, there is someone maintaining a stable version of the 2.6.16 kernel. The maintainer added one device id in a driver, just like you suggested to do, and was told off for that.

The rationale is that in theory this can cause a working system to fail or be misconfigured after a kernel upgrade (due to a new device appearing in the system). That type of

Re:What's worse?

[TheRaven64]

Some of the stuff he's finding are bugs in bugzilla from 2001 that keep getting shifted around and reassigned and marked as duplicates of other bugs

There is something I picked up from the OpenBSD guys, which I think should be repeated more:

The only difference between a bug and a security flaw is the intelligence of the attacker

In something like Mozilla that connects to remote machines and receives badly-formed data as a regular operation, every single bug should be treated as a potential security hole (with the possible exception of w3c spec violations).

Re:

[Bob9113]

Completely agreed. I'm delighted when someone finds a bug in my code. The bug was there whether the reporter finds it or not. The reporting of it is the good part. Shoot the messenger? Hell no, thank him.

Re:

[Tiger4]

Or known bug fixes taht have just gotten delayed, and delayed and delayed.

I like Mozilla and FF. But if this kind of attention is what it takes to get them to assign coders to all levels of bugs, from Highest Risk to Lowest, I am all for the heat. the little ones never go away until you actually fix them. Letting them get older is not the correct solution. Not from a technical point of view. Business-wise, you could just wait until the product is obsolete and no one cares. But that is just lazy practi

How is this bad?

[El Cubano]

Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective. However, it is not like they are ignoring these things or trying to spin it like they are not real problems (as certain commercial and proprietary software vendors are prone to do). This is, in fact, quite good for the users.

Re:How is this bad?

[bunratty]

The only bad thing is that Michael Zalewski is not following Mozilla policy for reporting security bugs [mozilla.org]. He should first report them to Mozilla privately and give them some time to fix the problems. Instead, he publicly announces the vulnerabilities so the bad guys can exploit them before Mozilla has any chance to fix the problems. In short, Zalewski seems to believe in full disclosure instead of responsible disclosure [schneier.com].

Re:

[El Cubano]

In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

FTA: On the other hand, she's dealing with almost daily reports of newly identified vulnerabilities in Firefox disclosed by a researcher who makes his work public before informing Mozilla of the problems.

Ahh. So Zalewski is in it for the publicity. I did not catch that.

Re:How is this bad?

[Cid Highwind]

In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

So do most of us here at /. when it comes to bugs in Windows or IE or Java VM. Why not Firefox?

Some of these bugs were initially reported in 2001 and were only fixed in Firefox 2.0.0.2, six years later. The lesson here seems clear to me: Reporting security holes on bugzilla get them marked DUPE/WONTFIX/NOTABUG and ignored for 5+ years. Publishing detailed explanations of the exploits on your blog gets them fixed within a few weeks.

Re:

[bunratty]

Reporting security holes on bugzilla get them marked DUPE/WONTFIX/NOTABUG and ignored for 5+ years. Publishing detailed explanations of the exploits on your blog gets them fixed within a few weeks.

If you know of any such security holes, report them publicly or privately, and you will get a $500 bounty [mozilla.org]. If reporting them privately doesn't get them fixed, you can always go public later without losing your bounty. If responsible disclosure doesn't get bugs fixed, then I would agree that full disclosure is nee

Re:How is this bad?

[tetromino]

In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

So do most of us here at /. when it comes to bugs in Windows or IE or Java VM. Why not Firefox?

No. I would venture to say that most people here believe in giving Windows/IE/Java/Firefox devs a couple of weeks to fix a bug before going public. Coming up with a patch is the easy part. Any large project will need to look for related issues in the rest of the code, to do QA work to make sure the patch doesn't introduce new bugs or vulnerabilities, and to package the updates for all the different architectures and products that happen to be vulnerable. That process takes time; it is physically impossible for the Windows/IE/Java/Firefox team to release an update the same day you informed them about the issue. If you go public on the first day, you are just being an asshole.

Re:

[StormReaver]

"Reporting security holes on bugzilla get them marked DUPE/WONTFIX/NOTABUG and ignored for 5+ years. Publishing detailed explanations of the exploits on your blog gets them fixed within a few weeks."

Unfortunately, that seems to be the case frequently in other areas as well. I recently asked a question on a development mailing list (which shall remain anonymous) on how to accomplish alpha blending within the published API, and got nothing but silence for over a week. I then asked a similar question, but ra

Re:

[Kjella]

Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective. However, it is not like they are ignoring these things or trying to spin it like they are not real problems (as certain commercial and proprietary software vendors are prone to do). This is, in fact, quite good for the users.

It's quite hard to tell for the user if they're fixing many bugs because they have a high attention to security or if their

Re:

[Beryllium Sphere(tm)]

Finding: good
Fixing: good
Reporting to maintainers: vital
Reporting to the public: depends on many things all of which are hotly disputed. To the extent there's a consensus, it's to make public announcements after there's been time to code, test and release a patch. If the supplier hasn't used that time to fix the product, well, their customers deserve to be warned before a black hat discovers the same thing and uses it for evil.

Reporting to the whole world simultaneously only makes sense if you believe all i

Re:

[Overly Critical Guy]

Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective.

Didn't you just answer your own question?

Bad month? No...

[onion2k]

Good month. Finding lots of bugs, and fixing them, is a good thing. We don't need to pretend it's perfect and rosy and all nicely secure and won't ever need a patch or an update. We're realists on this side of the OSS fence. We know that software is only as good as the people working on it.

I'd like to extend a hearty thank you to this researcher for making Firefox even better.

Re:

[cdrudge]

It's a matter of perspective. I agree that it's good that the bugs were found and are being worked on. However it's bad that they were not already detected, that they were not already worked on, or that they were even there.

Re:

[trewornan]

it's bad that they were not already detected

Yeah it's true, it's a pity these bugs were not already detected . . . like before they were detected . . . already.

that they were not already worked on

Yeah it's true, why didn't they work on them before . . . like before they were detected . . . already.

or that they were even there

Yeah it's true, what did they think they were doing putting bugs in to begin with . . . like everybody knows not to write bugs into software . . . duh!

Re:

[Kythe]

Exactly. What's more, almost all the holes he found were rated as relatively minor by Secunia, and have already been fixed.

As usual, however, Microsoft's record of performance on that score hasn't been as stellar.

So while some MS fanboy types might like to claim this as a "bad month" for Firefox, I can't say I agree.

Good month for Microsoft too?

[nacturation]

Good month. Finding lots of bugs, and fixing them, is a good thing. We don't need to pretend Windows is perfect and rosy and all nicely secure and won't ever need a patch or an update. We're realists on this side of the Microsoft fence. We know that Windows is only as good as the people working on it.

I'd like to extend a hearty thank you to this researcher for making Windows even better.
 

Internet Explorer

[bitsformoney]

Solution: Stick with IE. Shoudda known.

Or more precisely with IE7 on Vista

[melted]

IE7 on Vista runs in a "jail". There's a new thing in Vista called Integrity Levels. Low IL has the lowest privileges and can't write anywhere. High IL is "root". User normally operates in Medium IL. Thing is, IE7 is started in Low IL. So even if it's broken, no one can silently install anything, write anywhere or even infect its binary.

It's almost like SELinux, but without process isolation. Entire layers of processes are isolated instead. And in contract to SELinux, you can't turn it off.

Firefox folks nee

Javascript

[Neuropol]

I hardly see this as being Firefox's fault. It's been a more common denominator to have Javascript as the culprit. There's always been some "handling" issue in just about every browser ever coded. So with this continuing, I'd be pointing all fingers at Javascript and nothing else.

Compliance should be the next target of finger pointing too. If Firefox seems have its act together and it keeps falling prey to, and having to adapt to, issues of external development, I really think it's time for an overhaul o

Bad month, but...

[bgfay]

I don't know anyone who has lost faith in Firefox or switched back to anything else. It's still a great browser and seems to be getting better. There will always be problems with software. The thing that's interesting here is that all of Firefox's good aspects and bad aspects are out in the open. That's what makes it work.

Re:

[SoapDish]

I lost faith in firefox. I use opera now. It's mostly because the interface is just so much better.

Re:

[arth1]

You don't know me, true, but I'm one of those who switched from Firefox. Before y'all start foaming at the mouth, let me qualify that by saying that I switched back from Firefox to Mozilla, because Mozilla was much faster, with a smaller memory footprint. After security bugs appeared that afflicted all Mozilla-sourced browsers, and Mozilla was dead, I gave Firefox another try, and then switched again -- this time to Seamonkey. Which again has less bloat (in the browser-only install) and is faster than Fi

Isn't that the point of Open Source?

[bigattichouse]

Sure, people see the downside of this.. I happen to see it as proof that Open Source works on the community scale. I now know these bugs can be addressed.. how many bugs are in IE7 that I can't see because of the closed source?

Re:

[jfengel]

It doesn't matter if you see the bug. It matters if the bad guys see the bug.

To exploit a bug in closed source, you have to grovel like crazy through the code or just throw things at random at it. If you want to exploit a memory overflow bug you've got to do it entirely based on the disassembled binary, probably without any symbols. It's astonishing that anybody ever achieves it. Internet Explorer must REALLY be full of holes to have so many spotted.

In either open or closed source, the question is how lon

Oh no there are boooogs in my firefox...

[codepunk]

Clicks sly fox icon this morning "stand by while firefox is installing the latest updates"...what boooogs?

Bad month ends up with a good product.

[SoupIsGood Food]

Buffer overruns happen. Security models have holes. This is nothing new, and you'll find it in damn near every software project of any complexity.

The rational ways of dealing with this are a very dictatorial style of project management to get it right the first time (See: OpenBSD) or a quick and responsive way to kill security-affecting bugs dead. Firefox, with its gazillions of volunteer and paid programmers, opt for the latter. Too often, closed source developers just sit on these bugs, or sue the people trying to find and publish them, or use their marketing department to cover for their developers' shortcomings.

I'm pleased and reassured that Firefox is having these issues. Active and open security research will always result in a stronger product, and delays to deal with them are acceptable so long as the software is better for it. Even OpenBSD's been hacked a few times, and it's how you deal with it that's more important.

Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of. Give me this over Internet Exploder any day.

When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets... we actually know exactly why something has been pushed back, and can make reasonable judgements about when it will be back on track for ourselves. This is one of the more important aspects of open source that corporate IT overlooks... the ability to plan for and work around changes in the release schedule.

So, yeah, setbacks happen. To everyone. How the setbacks are dealt with is where the rubber meets the road. Firefox is generally ahead of the industry here, too.

Re:

[kestasjk]

I don't know where people get the idea that closed source apps are invulnerable to hackers checking them for holes. With a firm grasp of tools like IDA pro you can easily analyze closed source apps.

I like and use Firefox too, but I don't think security is a good reason to like Firefox. The great plugins are what puts it head+shoulders above anything else, imho. And with NoScript, AdBlock, etc, it makes it much easier to avoid malicious sites.

Anyway, It's not right to be so complacent, when a hole is f

Re:Bad month ends up with a good product.

[Anonymous Brave Guy]

Buffer overruns happen.

Not if you use proper design techniques, or programming languages where they aren't a possibility. Saying "buffer overruns happen" is just a concession to current poor programming practices. Better ways to do things have been known for a long time, it just requires more effort to use them when most of the world isn't yet.

Security models have holes. This is nothing new, and you'll find it in damn near every software project of any complexity.

That's true, but not every software project makes grand claims about having better security than the opposition. There is little text on the Firefox home page, but one of the three big headings is "Stay secure on the web". "Firefox continues to lead the way in online security," it tells us. Clicking through the link finds explicit claims about the open source model and the use of "security experts".

Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of.

And how do you know that all of these Firefox bugs have only been added recently, and haven't already been exploited by black hats before they were announced? Do you personally check into the background of every bug report in Firefox? Do you think everyone who uses it does? How many serious vulnerabilities in IE are really open for years? Do you have stats to back this up, or are you just a Firefox fanboy spreading FUD? These are, after all, exactly the criticisms commonly levelled at IE.

When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets...

So all security bugs in the Mozilla family are immediately and openly disclosed to the public?

Re:

[Dastardly]

And, once of those security experts is Polish researcher Michael Zalewski, who has found many exploits in the last month and reported them.

Re:

[grcumb]

Do you think everyone who uses it does? How many serious vulnerabilities in IE are really open for years?

ActiveX. It's been a security nightmare since the day it was introduced.

Firefox is not perfect, but it is demonstrably more secure than MSIE. I provide technical support for numerous organisations, most of whose staff have extremely limited understanding about the Internet and its dangers. After I made a concerted effort to move everyone to Firefox in early 2004, I experienced a consistent and statis

Re:

[Anonymous Brave Guy]

ActiveX. It's been a security nightmare since the day it was introduced.

Isn't that a bit like saying computers have been a security nightmare since the day they were invented? Sure, they're useful for lots of stuff and no-one has yet suggested an equally effective and significantly more secure alternative, but they do undeniably have security risks associated with them.

Firefox is not perfect, but it is demonstrably more secure than MSIE.

Really? And who's demonstrated that, then? Unless I missed som

Re:

[grcumb]

ActiveX. It's been a security nightmare since the day it was introduced.

Isn't that a bit like saying computers have been a security nightmare since the day they were invented? Sure, they're useful for lots of stuff and no-one has yet suggested an equally effective and significantly more secure alternative, but they do undeniably have security risks associated with them.

Well, for starters, computers have been a security nightmare since the day we first began using them. Heck, the first really big thing w

Re:

[Jeffrey Baker]

Buffer overruns happen.

Thank you, unfrozen caveman programmer. I'm trying to remember the last time I experienced a buffer overrun in Java, Python, or Perl. Hrmm. Still thinking ...

Hard to reproduce

[mw22]

There is one problem with the flaw, it's very hard to reproduce, I think I reproduced it once in a 1.8 branch build, but not afterwards.
If anyone can reproduce it consistently, and has a 1.8 debug branch build, it would be great if he could try and give a useful stacktrace in the bug.

I bet...

[SharpFang]

I bet if Lcamtuf heard he's being called a 'researcher' he'd be rolling in his grave.
After dropping dead on place, that is.

just rude

[towsonu2003]

Why did the summary skipped this part I wonder:

vulnerabilities in Firefox disclosed by a researcher who makes his work public before informing Mozilla of the problems.

hmm

Most Critical Firefox Flaw Remains Unzapped

[BSDetector]

Most Critical Firefox Flaw Remains Unzapped!!!

Interesting read at http://securitywatch.eweek.com/open_source/all_the _firefox_flaws_hunted_down_1.html [eweek.com]

Ruh-roh!

[authority69]

Is Scobby Doo writing the posts these days? What's "Februrary?" The month after "Janrurary?" Right before "Marrrrrch?"

http://www.kb.cert.org/vuls/id/393921 is fixed!!!!

[mw22]

Ok, so it appears to be that bug is already fixed on the 2.0.0.2 release of Firefox.
So maybe the post can be updated?

Slight correction

[jesser]

first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release

The remotely exploitable flaw, bug 371321, was reported at 5:35 pm (California time) on Thursday. We had been planning to release Firefox 2.0.0.2 on Friday morning. After some discussion, we decided to go ahead with the release and then follow up with a quick 2.0.0.3 once we had a patch for the newly discovered hole.

After releasing Firefox 2.0.0.2, we realized that bug 371321 didn't affect it, thanks to another patch that went into Firefox 2.0.0.2 for non-security reasons. So although we didn't know it at the time, we released a fixed version of Firefox about 16 hours after the most serious hole was reported.

The testcase in bug 371321 did lead to a fix for a similar bug that existed on trunk, though.

Whoever wrote the headline is smoking crack

[Schraegstrichpunkt]

Since when is it "bad" that vulnerabilities are being discovered? The "Bad Month" happened when the vulnerabilities were created, not when they were found.

its already fixed in 2.0.0.2 and 1.5.0.10!

[Val314]

according to https://bugzilla.mozilla.org/show_bug.cgi?id=37132 1 [mozilla.org] (copy/paste link, BigZilla doesnt like /. links), this bug is already fixed in 2.0.0.2 and 1.5.0.10.

Re:

[ScrewMaster]

Or is there some corporate smear money being exchanged here?

Well, I certainly wouldn't put it past the innovator from Redmond to use this guy to spread some more FUD, but if so, they've only managed to encourage the competition to improve their codebase.

Re:

[Kiaser Wilhelm II]

What on earth are you talking about?

'Hello World' runs on Windows. Does that make it a buggy and vulnerable program? Your logic baffles me.

Re:

[Shawn is an Asshole]

Also, it will ocassionally claim it's "pirated [slashdot.org]" and delete %UserProfile%.

Re:

[Overly Critical Guy]

Is it a great month when vulnerabilities are found in Internet Explorer?

Re:

[nacturation]

Apparently nobody has demonstrated a security flaw with qmail yet. Having buffer overflows is so 1990s... wasn't this what everyone has been mocking Microsoft for?

And lastly, the word is "kudos" -- writing "Kudo's" means "belonging to Kudo" which I don't think you mean.
 

Re:

[crossmr]

awww troll? I've already had it crash several times today. For some reason it just does not like Yahoo mail.