Serious Vulnerability In Firefox 2.0.0.12

Oh, Not Now writes "Mozilla Firefox 2.0.0.12, mere hours old, is vulnerable by default to a directory traversal trick, via the view-source mechanism. Although mitigated by the NoScript plug-in, this is quite a serious bug — the default installation is vulnerable from the get-go."

Payload

[milsoRgen]

So my I understanding is that this vulnerability can be used to read the host computer, and...

Other issues can emerge also, this is only a short-hand proof of concept.

I'm just curious if this could be eventually exploited to actually alter data on the affected host?

Re:

[Schraegstrichpunkt]

Why bother? If a script can read stuff (e.g. your Firefox password list, your cookies file) from the host computer and send it back to a remote machine, you're screwed.

DIRECTORY TRAVERSAL?

[dominious]

Indeed,
From TFA: "We can trick Firefox itself in traversing directories back".
but then it says:
"we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory"

Since TFA is not clear, I have tried it myself and I WAS NOT ABLE TO TRAVERSE a directory back with resource:///../
So the only files someone can read with this vuln are the files inside firefox directory which from what I can see are just default files and no cookies or passwords.

If anyone thinks any different please let me know.

Re:

[jrumney]

And view-source properly blocks file:// access.

Not if you type it in the URL bar. I can't seem to get the resource:/// hack to work from an http:/// [http] page though, so I'm not sure about whether file:/// gets through under the same circumstances.

NoScript

[bazald]

Why isn't NoScript just a mandatory extension at this point? It seems like it would be pretty unobtrusive with default settings at a slightly reduced paranoia level.

Re:NoScript

[milsoRgen]

Why isn't NoScript just a mandatory extension at this point?

I wouldn't be surprised if it becomes a part of the browser (or something like it), just as pop-up blockers of yore have been incorporated.

Re:NoScript

[mrsteveman1]

If it became part of the browser, 3 things would happen: Idiots would scream and cry about being forced to use it, it would integrate better making it more effective, and vulnerabilities like the one referenced here would be a non-issue for a much larger percentage of the user base.

Seriously, running every script a page stuffs into a browser should not be the default, and it should not take an extension to fix it.

Re:

[PReDiToR]

God save us all from creature feep.

While you're at it, why not put AdBlock Plus in there and FlashBlock and Greasemonkey and Fasterfox and GMail Notifier and ...

Some people don't want everything included in the distribution, some developers don't want to have to make all those things work with every release and compile they do of test builds.

AutoUpdate of things you choose to install works just fine, and the people who build the add-ons make sure they work without having to work for MozFoundation.

Re:NoScript

[ilikepi314]

Because most are not educated how to use it properly yet. It's terrific, but I know firsthand from trying to introduce it to people that they ignore it, realize many of their websites are broken, then I say "Well, you can allow certain websites you visit with this little button" -- they then promptly pick "Enable Globally" (or simply whitelist every single site they ever visit), and it has no effect.

So instead of teaching people security, it just teaches them "Security is annoying and breaks everything, what's teh point?" and they want to use it less.

Re:NoScript

[the_womble]

Exactly, the average users reaction would be: Internet Explorer (or "the normal internet" as I recently heard it called) works on this site, Firefox does not, so Firefox is broken.

The minority who can cope with those sort of settings can manage to install an extension.

Re:NoScript

[Firehed]

How would it work at a slightly reduced paranoia level? There are, I suppose, for options: block everything, block nothing, block off-site scripts, and only allow trusted scripts (somehow including a database of checksums of widely-deployed, known-safe scripts like Google Analytics' urchin, jquery, Amazon affiliate stuff, and... that's all that comes to mind). Foreign scripts aren't going to cause any damage unless the site itself is vulnerable to XSS attacks - malicious websites aren't likely to off-site the scripts. A database of the known acceptable scripts would be so minimal that it would defeat the point, especially as so few of them are of any benefit to the site visitor. Unless a built-in NoScript were to block specific functions in Javascript that could be used for malicious purposes (anything other than strict DOM manipulation, I suppose), it wouldn't do much good - and breaking half the JS on a site is probably going to be much worse than breaking everything.

Re:NoScript

[SJS]

... (somehow including a database of checksums of widely-deployed, known-safe scripts like Google Analytics' urchin, jquery, Amazon affiliate stuff, and... that's all that comes to mind)

Why is everyone in love with checksums?

Disk is cheap. The amount of scripting I should trust is small.

So cache the *actual* scripts... and then use those as keys into what scripts are actually run.

That is, when you first hit a website that tries to run a script, capture all of the script functions and fragments, and indicate to the user how many un-approved scripts are on this page. The user than has the option to say "Trust this set of scripts" (like noscript now), or "Let me look at these scripts."

And this is where the fun can begin.

The browser can present to me a list of script functions and fragments, each with a "allow", "deny", or "remap" option. Allow is just that -- allow that script function or fragment to be run as-is, temporarily or for that page, machine, or domain. Deny is just that -- deny that script function or fragment, again, for that page, machine, or domain.

For remap, however, I should get a little two-window/textarea display (top/bottom, left/right, don't care, should probably be the user's choice), one read-only (the key) and the other editable. I can then edit the second chunk of code as I please -- stupid client-side verification, gone, replaced with "return true;". Code that disables a feature, deletes information from the display, and so on and so forth... gone. The test for browser/os versions... gone. Bugs become fixable. (Sure, I might introduce bugs, but that's my own fault, and it's my browser anyway.)

Most folks wouldn't ever use "remap" in this way, but that's okay. The ability is there, just like most folks don't compile open-source programs from scratch. That's not the point... if they wanted to, they could.

The next step is to share remapping libraries, like people are sharing greasemonkey scripts now. I could get a call from my mother about how some website is broken to how she'd want to use it, and I can go look at the web-page, fix it, export my changes to some convenient archive, drop it on to my webpage, and then send the url to my mother, who can click on the archive, and have the browser ask "Do you want to install this?", click "Yes", and all is well in the world.

Sure, some websites will take steps to make every bit of client-side scripting unique for every connection. They'll obfuscate their code, randomize the variable names on a per-session basis, mess with the structure... and now you KNOW those websites are hostile and malicious and should be treated as such.

Don't bother with checksums, that doesn't put any power into the hands of the users. Track code, and allow for client-side replacement of code. Allow end-users to share their code-replacement libraries. We can kinda-sorta do that now with plugins and greasemonkey, but that's tricky and error-prone and tedious. Let the computer solve the problems that are tricky, or error-prone, and especially the problems that are tedious!

Amazing coincidence

[GlobalEcho]

The browser can present to me a list of script functions and fragments, each with a "allow", "deny", or "remap" option.

What an amazing coincidence! My grandmother, my boss and my brother's girlfriend were all wishing out loud for that very feature just yesterday! We'll all be secure in no time!

Re:NoScript

[93 Escort Wagon]

Why isn't NoScript just a mandatory extension at this point? It seems like it would be pretty unobtrusive with default settings at a slightly reduced paranoia level.

Well, to tech-savvy users this would be true; but unfortunately most users aren't even marginally tech savvy. It doesn't matter if NoScript puts up a clear, unambiguous giant flashing red sign that says "This site will have reduced functionality because we're blocking some scripts from running. Click here if you really want to run all these scripts" - based on past experience, most people will just be positively flummoxed and won't have the foggiest idea why some sites are now "broken".

The thing is, looking at it from the designer/developer end, most users seem to want the functionality Javascript provides. My job largely consists of designing "intranet" apps for a university department. With forms, the end users want the ability to click a button or link to add extra fields when necessary. They want web-based calculators that figure out totals and percentages automatically. They like little explanatory pop-up boxes that define terms for them if they don't already understand what it means. They prefer drop-down menus that change, based on choices made further up the form.

I realize that NoScript actually allows white-listing for situations like this (just like IE does for ActiveX, God bless 'em) - but I don't have much confidence that non-technical end users will understand, even with training. Making NoScript or a similar tool the default will end up meaning significantly more of my time being wasted dealing with support calls - after all, if the web's broken you don't call the desktop support people, you call the webmaster, right?

(BTW is Firefox 3.0b2 or b3 vulnerable?)

Re:

[pipatron]

So because you decide to use the browser as some sort of generic code execution engine and GUI for your own hacks instead of writing your programs to run as a real application like everyone else, people browsing the web should remain a target for javascript abuse, bloat and exploits.

I can't say I agree.

Re:NoScript

[93 Escort Wagon]

So because you decide to use the browser as some sort of generic code execution engine and GUI for your own hacks instead of writing your programs to run as a real application like everyone else, people browsing the web should remain a target for javascript abuse, bloat and exploits.

It's not 1994 anymore. People don't just work on their own discrete data sets living on their own desktop computer now. People use webapps because the information is often centralized in places such as MySQL databases, and numerous different people need read and/or write access to it for differing reasons depending on their job function.

The "real" applications (gotta love that required platform lock-in, btw) you talk about would still need access to that centralized data. So you pick your poison - do you provide direct access to that central data repository for a wide number of computers, or do you limit access just to connections from a web server (which is then open to that wide number of computers)? Personally I'd rather keep as much insulation as possible between that back-end data and the rest of the world.

Re:

[punissuer]

Have you noticed how often NoScript gets updated? I wouldn't quite call it unobtrusive, especially since NoScript likes to make your browser open a tab to the NoScript site after an update. Really, how hard is it to prevent execution of javascript that didn't come from a site that's been whitelisted? I now use AdBlock Plus instead.

Re:NoScript

[milsoRgen]

On a similar note, I would not mind integration of Adblock Plus.

Shhhhh! Once sites learn more and more people are blocking ads, they are going to move on to an even more insidious manner to deliver screaming, moving obnoxious hobbknobbery to our computers...

yahoo or mozilla

[erat123]

Maybe microsoft should have looked into mozilla instead of yahoo...

Time to see if Konqueror fixed the damn flash bug

[gambolt]

I've been using Iceweasl because the flash problems in Konquer were driving me nuts. You don't realize how much flash is on the web until it stops working.

Re:Time to see if Konqueror fixed the damn flash b

[solafide]

Where do you have to go that needs flash? I specifically use 64-bit Epiphany without flash so I don't have that load for the minor benefits. It's cheifly used for advertising, as far as I have observed, and video. For video, it's not that hard to fire up 32-bit firefox with flash when I do want to watch them. Why do you need flash so?

Corporate sites

[Overzeetop]

There are quite a few corporate sites which incorporate flash to "enhance" their site, and there are some sites which won't even let you in unless you pass the flash-only home page. If you don't have flash, they don't want your business. (At least, that seem to be the opinion of the web IT staff, I haven't contacted corporate to see if they agree with that assessment). As for examples, Bath & Body Works used to be that way (I emailed them, they are no longer flash-limited...I don't believe those two things are linked, though). Rainforest Cafe is another. BBW didn't get my business back then, and Rainforest missed out on a dinner guest recently - I couldn't find their location, and couldn't use my mobile browser to get to their page. Will they care that they probably lost less than $100, of course not. But it certainly would have been nice if they wouldn't have had a "no flash, no service" sign out front.

Re:

[EtoilePB]

But it certainly would have been nice if they wouldn't have had a "no flash, no service" sign out front.

Yup. We all have Flash disabled and can't install it at work, because the overlord office in Europe doesn't understand that it's not just for YouTube. We're starting to have serious trouble using travel booking sites, hotel booking sites, and restaurant booking sites (all of which are legitimate and frequent uses of our PCs for our business) because of this. A HUGE percentage of them don't have a s

Re:

[gambolt]

Unfortunately, too many sites use it for navigation and crap like that. The wire image viewers for most major newspapers use it. Embedded media in various blogs, etc.

Re:

[Kjella]

Well, bug and bug. Short story for those that don't know: Macromedia released a new version (r115) that relied on some functionality currently only in Firefox, but not in typical versions of Konqueror or release versions of Opera. This broke all the distros, including all old supported distros because Macromedia doesn't let repositories host old versions. Last I checked the possible solution was a big backport. Development versions of Konqueror (for hardy heron in my case) and Opera 9.5 supports it, but thi

I sure hope it's only this version...

[WiglyWorm]

Hopefully the Firefox 3 beta is not affected by this, that's what I've been running since Beta 2 came out. Anyone know?

Re:I sure hope it's only this version...

[tetromino]

It looks like Firefox 3 Beta 2 is vulnerable. The proof of concept from the article works on FF3b2 on my machine (Linux i686).

Re:

[tetromino]

Guess what, the latest (2008-02-09) Minefield build is also vulnerable to the exploit proof of concept...

or just visit sites you trust

[hcmtnbiker]

That's right, back to the drawing board with this one. In the mean time you can either use another browser, or install the NoScript plugin to mitigate these issues.

Or you can take the first step like you always should, and not visit sites you don't trust. Vulnerabilities always exist, betting that the developers will find them before someone else can exploit them is not a smart thing to do. Visiting only sites you trust will keep you away from people who want to compromise your computer 99.99999999% of the time, it really is the best thing you can do it terms of browser security.

Re:or just visit sites you trust

[Beryllium Sphere(tm)]

>Visiting only sites you trust will keep you away from people who want to compromise your computer 99.99999999% of the time

Assuming that the sites you trust haven't been compromised, this still leaves out the serious problem of attack code inserted into advertising.

Re:or just visit sites you trust

[saleenS281]

If the sites you trust have been compromised, no script isn't really going to help now is it? People tend to whitelist sites they trust...

Re:or just visit sites you trust

[11223]

Or you can take the first step like you always should, and not visit sites you don't trust.

Ever use an open 802.11 access point? Ever been redirected to a legalese page before being allowed onto the internet? Now what if that page had the exploit in it? For added fun, imagine the hotspot isn't malicious but there's an attacker on the network using a rogue DHCP server to feed you a bogus set of DNS servers.

People assume that their web browser is a trusted execution environment. Vulnerabilities which affect the browser are worth caring about for that reason.

nifty trick

[Deanalator]

It makes me happy that this type of vulnerability is what we call serious these days. If you remember, just a couple of years ago microsoft was downplaying the WMF vulnerability. It was not considered "critical" because the target needed to manually visit a malicious website for the attacker to take over the target machine.

While this is a really neat find, and I am glad that it will be patched pretty soon, I don't think it is quite at the level of "sky falling" etc. From what I understand, an attacker that can execute javascript in your browser has the ability to read any file in the targets mozilla directory. This worst that I think an attacker could do would be to grab your stored password file. While this is definitely something to be concerned about, the headline had me pretty worried :-)

Re:nifty trick

[Anonymous Coward]

Actually they can't even get your stored passwords. They can only get files in "C:\Program Files\Mozilla Firefox\" which consists of nothing related to stored data, except for the greprefs folder, which isn't even YOUR preferences. From the looks of it, it's what a default Firefox profile gets stuck with. So, this is a pretty lame exploit, definately not serious, you can't access outside of the Mozilla Firefox directory from the looks of things.

saved passwords

[robo_mojo]

Does anyone still think that it's a good idea to permanently store your passwords in your browser?

Re:

[DigitAl56K]

Yes, although only in conjunction with something like Firefox's master password to encrypt them.

This brings up my greatest grip with Firefox: If you visit any site that you have stored a password for and you have a master password set, the damn thing pops open a request for any page that contains a password field. Take Slashdot or Digg, for example. If I'm browsing either of these sites almost every page I open requests a master password. You can turn off form auto-fill in about:config (not very end-user fr

Re:

[j.sanchez1]

Do you have a better way to store all your passwords?

Try Secure Login [mozilla.org].

Re:saved passwords

[Nazlfrag]

There's this thing called carbon-based memory I use from time to time. Efficient, portable, unfortunately it is easily broken by Johnny Walker and co.

Re:

[QuickFox]

almost every page I open requests a master password.

The first time you get this prompt, regardless whether you want to log in on that particular site or not, enter the master password. Once you've done that, the prompt won't pop up again during that session with Firefox. From that point on, all sites with a login will be filled out, but not submitted unless you click the login button on the web page.

At least that's how it worked last time I checked (but that was some time ago).

You should probably leave at least one Firefox window open all the time until you

What all.js contains

[nonpareility]

The file they're reading from in TFA (all.js) contains a portion of the default Firefox preferences, not your current settings. There may be other ways to exploit this problem, and web pages definitely shouldn't be allowed to read any file from your computer, but the proof of concept isn't as bad as they say it is. The majority of your personal information is in your profile directory (under Application Data on Windows), not the program directory.

huh?

[jelle]

Doesn't look like a vulerability to me. So it can read files in /usr/lib/firefox, but those are just the standard files from the firefox package. User configuration and stored passwords etc are not stored there... It still can't get to $HOME/.mozilla...

Re:

[Shippy]

It's still a vulnerability. It's allowing something that shouldn't be allowed. Does that mean people will take advantage of it and exploit it a lot? Not necessarily, but it's still a vulnerability.

Re:

[jrumney]

It depends. Is the vulnerability in the view-source: method, or have the developers just not bothered to protect resource:/// since, as you say, it is all standard stuff that people can get by downloading firefox themselves? The way the exploit code has been posted, it is difficult to tell, because you need a javascript file that consists of lots of calls to a single function so you can override that function to print out the parameters instead.

How is this a serious security problem?

[Anonymous Coward]

I'm confused, how is this a serious security problem? All it allows is reading files from the Firefox application directory, which isn't exactly sensitive data, since you can get the exact same files from just downloading Firefox from Mozilla's website. Your prefs, passwords, etc. are stored in your Firefox profile, which lives outside the Firefox application directory, so they *are not* accessible via this trick.

Scare mongering

[Anonymous Coward]

gre is constant data. This report is FUD.

Firefox is open source; anyone who wants to view view-source:resource:///greprefs/all.js can just as easily load http://mxr.mozilla.org/mozilla1.8/source/modules/libpref/src/init/all.js?raw=1 [mozilla.org] it has the same content.

all.js is *not* user data, it's *public* app data. Your preferences are stored in prefs.js which are not exposed by greprefs.

Update the title... NOW.

[Anonymous Coward]

Seriously, this title should be changed now (get rid of "Serious"), and a "!serious" tag added. The author of the article is an asshole who just waited for this release to fear monger and gain some attention. This bug exists in previous versions, this is not a new issue. The fact is, 2.0.0.12 fixes issues from previous issues, and does NOT introduce this "new" bug.

You should still upgrade. You are already vulnerable to this "attack" without it, but you can at least gain some new fixes for other issues.

You know, we're trying to promote open source software. To scream that firefox has a "serious vulnerability" when it in fact doesn't is IT treason.

Doesn't matter what browser you run

[LingNoi]

Doesn't matter what browser you run, if you let anyone execute whatever code they want on your own machine via your browser it's the equivalent of running that trojan.exe you just downloaded from Messenger.

Is there a NoScript for IE 7 and Opera?

Re:

[Petrushka]

Is there a NoScript for IE 7 and Opera?

For IE7, I have no idea. I doubt it. In Opera, it's built in.

(... BUT in Opera, enabling scripts for a specific site requires navigating through various sub-menus and five to eight mouse-clicks. And if the site uses cross-site scripting, as do most video sites for example, it could take anywhere up to a couple of minutes to investigate which sites you need to enable scripting for.)

How come?

[dreamchaser]

How come when there's a security hole in an MS product it gets the 'haha' tag, but if it's an OSS project it doesn't?

Re:

[shird]

Because one is by MS and the other by OSS. Slashdot users prefer OSS over MS so they laugh when there is a hole in a MS product, but are embarrassed by a hole in an OSS project.

Re:

[db32]

I see the haha tag. Are you just upset that it didn't get the haha tag fast enough? Anyways, I don't think any vulnerability itself deserves 'haha' so much as the company that waves its hands and says "there is no bug here" or creates very bizarre ways of bug counting to get the numbers tell there story. On any given security issue if IE and Mozilla both had an identical issue and they were both identified at the same time, how long do you think it would take before Mozilla patched compared to IE?

Re:

[jamesh]

If we could tag posts, yours would be tagged 'youmustbenewhere'.

Re:

[dreamchaser]

Oh it doesn't piss me off. I was just making a point that you helped me make :)

I use Firefox btw.

list of files that can be read (win32)

[Anonymous Coward]

lol, serious stuff 300: file:///C:/Program%20Files/Mozilla%20Firefox/ 200: filename content-length last-modified file-type 201: .autoreg 0 Mon,%2005%20Nov%202007%2016:16:28%20GMT FILE 201: AccessibleMarshal.dll 13952 Fri,%2008%20Feb%202008%2019:42:30%20GMT FILE 201: LICENSE 30869 Thu,%2026%20Jul%202007%2002:39:20%20GMT FILE 201: README.txt 177 Thu,%2026%20Jul%202007%2002:39:20%20GMT FILE 201: browserconfig.properties 232 Thu,%2026%20Jul%202007%2002:39:26%20GMT FILE 201: chrome 0 Fri,%2008%20Feb%202008%2019

Possibly another bug?

[cbiltcliffe]

Something else weird that happened to me when I upgraded:

I've got Firefox as my default browser on XP, and after the upgrade to 2.0.0.12, all of a sudden IE showed up as my browser at the top of my Start menu. When I went into the control panel to "set program access and defaults", Firefox doesn't even show up as an option. WTF?
It's still installed, as it's in the programs folder, and it runs fine....also doesn't as me if I need to set it as default, so it still is, but Windows has completely lost the fac

Re:

[cbiltcliffe]

What happened to me was that Firefox was the default browser, but IE was showing at the top of my start menu in the "Default Browser" location. Firefox didn't show up in the Program Defaults thing in the control panel, so I couldn't change it back. It also didn't show up in the spot you suggested. I had already checked there.
As far as Windows was concerned, IE was the only browser on the computer, but http:/// [http] URLs were to be opened by firefox.exe, which isn't a browser, just-so-we're-clear-on-that-point

Firefox is too large to be secure

[Morgaine]

This isn't a problem just with Firefox, but with all full browsers today (the various midget text-mode ones excluded).

Any non-trivial program contains bugs and vulnerabilities proportional to its size, and the relationship between size and inherent problem-count is probably a lot worse than linear. This is true for all programs and all systems, but it is especially true for monolithic ones, and to a very large extent the main body of modern browsers is quite monolithic. Even the plugins load into the same address space in most cases, although there are exceptions to this in the browser world.

The present situation is not good, and everyone is familiar with the consequences of it: the web browser is by far the most crash-prone of all applications present in our operating systems today.

Is there a solution to this on the horizon? Not at present, because developers in all the most popular programming languages almost always implement monolithic systems (because the languages encourage it and the courses teach it), and are highly adverse to extreme modularization. Again, there are exceptions, but they are rare.

We are living in a bit of a Dark Age in this area currently, and I don't forsee any change within the next five years at least.

This bug is less important than it seems

[enodo]

If you take a look at what this is doing, there's much less to it than meets the eye.

The way the page works is that it is able to load the file all.js in the greprefs directory inside your firefox installation. However, it is not *reading* this file and making it available to the javascript interpreter, it is *executing* the file. The file is a big list of browser preferences, each set with a call to a function with the signature pref(name, value). There is no code in there other than calls to pref. What the page does is define its own pref(name, value) which gets called, and the names and values are therefore available to the javascript interpreter.

So:

1. It has to know exactly what is in the file, and it has to be able to overwrite a function or functions so that some sort of privileged data becomes available to it. It has to be able to do this without the page throwing errors or halting execution. (That was easy with all.js, because the only thing in there was calls to pref. In other files I doubt it would be so easy.)
2. As demonstrated, it can only read data that's inside the directory of the default install, not your home directory or anywhere else. As others have pointed out, it's not clear that there's ever anything really privileged in there for it to get. (The settings gotten in the exploit demonstrated are not very interesting.)

I would additionally point out that the view-source: part of the URI appears to be unnecessary, since at least for me (Ubuntu FF 2.0.0.12) the "exploit" worked just fine without it.

Godwin's Law for Slashdot

[thethibs]

Slashdot needs an implementation of Godwin's Law that shuts down a thread the first time Microsoft is mentioned and the topic is something that involves neither Microsoft nor any of its products.

Thankfully, that would have put this thread out of our misery almost immediately, with no one any less informed as a result.

Damned it all

[Overzeetop]

Just before I opened this session, I had upgraded.

Oh, well, just one more unlocked door in the grass hut I call a computer.

Re:Damned it all

[Nazlfrag]

http://noscript.net/getit [noscript.net].

Re:

[xSauronx]

ive been using noscript for months... great plugin, and one i wont go without.

Not exactly....

[DrYak]

Aren't Firefox plugins just Javascript?

Depends.

Firefox extensions (Like the oh-so-important NoScript [noscript.net] and AdBlock Plus [slashdot.org], or the must-have for every /.er Resurect pages [mozilla.org]) are all written in Javascript. That's what makes them portable (installable in Windows IA32 or AMD64, or Linux {whatever CPU you compiled it for}).

On the other hand, web-browser plugins (like Adobe Macromedia Flash, Sun Java, etc.) are binary code in dynamically linked libraries (DLL or SO depending on what's standart on your OS). That's why there are really serious portability problems with closed source companies providing plugins compiled only for a handful of operating system (often without 64bits support).
There are two strategies :
- most of the time open-source projects use very light libraries which obtain the parameters from firefox and launch a player in a separate process that get its output embedded inside the page display (mplayer's plugin just luanch a sepparate mplayer session, gnash' plugin runs gtk-gnash to open the flash movie, webgcjplugin compiles and runs the java applet using gcj, moz-plugger is an universal embedder, etc...)
- whereas most of the proprietary project try to cram everything inside a huge DLL that runs inside firefox' own process (macromedia flash, acrobat reader {BTW who does still use that piece of junk}, etc.)

As I understand it, that's one of the major reasons that Firefox can get bogged down.

The Javascript extensions play some role because the javascript engine of current Firefox isn't very fast (Hopefully the integration of Tamarin VM in some future version will help). If a user has way too many of them, the firefox experience can become slow. But most of the time quite, the extensions are event-driven : they usually add entries in the main menu and the javascripts are only executed when the user clicks the entry.

The other problems comes with memory leaks.
- Javascript extensions, because they are only ran on demand and because of the garbage collector, aren't subject to many leaks. But anyway really badly written code can actually degrade firefox performance and eat up memory.
- Dynamically linked web browser plugins are a completely different animal : because they run inside the browser process (at least, not the open-source one which only launch an external process) if they leak memory, the whole firefox process will get its memory usage up and will only free the memory when the whole program is exited. Also, firefox isn't heavily multi-threaded and if some plugins freezes the whole program gets unresponsive (I've had some awful experience with acrobat and older versions of flash). Similarly crashes inside a dynamically linked library will bring down the whole process that called the function, and any exploit discovered inside flash can be used against firefox itself.

I strongly suspect that most of the memory leaks reported by users are actually due to browser-plugins, because I haven't experienced any leaks even if a use several extensions, whereas I don't run closed proprietary browser plugins at all (mplayer and gnash only !) because of the awful experience with acrobat and flash.

Re:* Stops download of newest Firefox *

[webmaster404]

Also, one thing that I have noticed about OSS bugs is that those severe enough to cause execution of code, there are very very few utilities to easily attack systems unlike their MS counterparts. Most OSS flaws are rarely exploited in the wild. The only thing that annoys me about them is that someone will surely come up to me on Monday stating how bad Firefox is because of this while blissfully ignoring all the flaws that Windows/IE has had for years.

Re:* Stops download of newest Firefox *

[gaspyy]

Let me get this straight: do you honestly think that something being Open Source will magically protect you? I was going to mod you but there's no "-1 Naive".

There are enough malware targeted specifically at Firefox - I've seen them in action. The good thing with Firefox is that it gets patched pretty quickly, by the time an exploit has been written, hopefully we'll all have 2.0.13 installed.

Still, that's no excuse. It saddens me to say that the quality of Firefox (2.x.x branch) is steadily declining. It's slow, eating too many resources, and it crashes - on some sites it just constantly crashes. If it weren't for all the extensions, I'd dump it in a heartbeat and move to Opera.

Re:

[doom]

So, you demolish the good design of the good sites, so you can avoid the bad design on the bad sites? Why don't you just skip the poorly designed sites entirely and stick to the good ones?

I'm not sure what you're trying to say here -- I suspect you're yet another "designer" who resents the fact that you're fabuloso designs are irritating the hell out of a large chunk of the populus -- but you're logic is totally whacked. Why blame the author of some text for the decisions made by other people in the org

Re:

[julesh]

It's slow,

It's as fast as any browser I've used.

You probably haven't tried using it on any machine older than about 2 years old. Firefox is quite unresponsive, particularly on javascript-intensive sites, compared to many other browsers, including Internet Explorer. Very long pages with lots of links cause it real trouble. Try this page [legislation.gov.uk]. On my system (2.66GHz Celeron D, 1GB RAM) there's a ~10 seconds pause after the page loads before I can scroll or switch tabs, and ~3 seconds between clicking on one of the links and the new page starting to load. I

Re:

[scooter.higher]

Yes, but I feel that "-1: Disagree" is wrong.

To facilitate the discussions we should be having here on /. it should be "+1: Disagree" so that we can respectfully disagree with each other and elevate the discussion so that more people can weigh in on the topic.

But I agree that a post in response would better serve the discussion.

Re:* Stops download of newest Firefox *

[De Lemming]

As far as I understand, versions before 2.0.0.12 are also vulnerable...

Re:

[sundarvenkata]

But but.....don't many eyeballs watch the mozilla codebase?

Re:* Stops download of newest Firefox *

[bunratty]

Sure, and some of those eyeballs wait until just after the release of a new version to announce they know of a security vulnerability just to draw attention to themselves. Open source does help security bugs to be found, but it doesn't magically keep the finders from blabbing to all hackers worldwide exactly what the problem is and how to exploit it.

Re:* Stops download of newest Firefox *

[Achromatic1978]

So, it's their fault, right? Funny, just reading their page alone mentioned how they'd already made mention of how this affects more than just extensions, but Mozilla ("What leaks? Show us a single leak!") developers shrugged, blamed extensions, and released, without fixing the core problem.

Re:

[TransEurope]

Exactly the same what i thought.

Find bug.
Wait until the newest release cames out.
Profit - Worldwide attention for Mr. 0x0000000.

What a hero.

Re:

[Compholio]

who really cares, I am gonna use firefox, not to many hackers are that good at getting into Linux Machines, and if I wasn't gonna use FireFox then I would use Opera. Cheers!

Yeah, plus (according to TFA) all they can do is traverse the install folder. Said hacker can have fun looking at all the plugins and blank password database in my ~/.mozilla/firefox/ folder all they want.

Re:* Stops download of newest Firefox *

[LiquidCoooled]

Why stop downloading it?
I cannot work out from the article whether older versions of Firefox are vulnerable or not.
If its an unfixed bug from previous versions you should continue to download.
Which would you rather:
have 20 known vulns in the wild (stay as you are),
have 1 known vuln wild (latest update).

Until we can be certain though, just click pause ;)

Re:* Stops download of newest Firefox *

[Rakishi]

Parent is an idiot or a troll, not informative.

To quote the link itself, where it is written in large bold print right above what was quoted (emphasis mine):
FIXED in Firefox 2.0.0.12

Re:

[More_Cowbell]

You don't run NoScript? Personally I'm using 3.0 beta2 (the few bugs are totally worth the better memory management, IMO), but I would never dream of running any version without NoScript.

Re:

[croddy]

Oh, you make a good point. I always wondered what people were talking about when they went on and on about Firefox consuming tons of memory because I would look at mine and it would never look even remotely like what people were describing. Of course, it all makes sense now -- less crappy unnecessary javascript running, fewer memory leaks. I can't imagine web browsing without manually whitelisting scripts either.

Re:

[bunratty]

No, limiting the memory Firefox uses could cause sites to fail to work properly, especially on computers with very little RAM. The thing about the huge memory consumption is that very few users see it, and those that do cannot explain how others can see it so no one can investigate what the problem is or how to fix it.

Memory Usage / No Script

[milsoRgen]

It uses a lot of memory at times for me personally, but well within reason. 200mb max (4-6+ hour session) with 2gigs RAM. Not wholly unreasonable. I seem to recall, tho certainly can't say definitively, never seeing it top 80mb on another box I have with 512mb.

I've been using Noscript for a while now, and personally it hasn't really effected my peak memory usage for better or worse. I also have constant access to CPU/Memory usage percentages through my G-15 keyboard's display, so I tend keep an eye on that

Re:

[Mr Z]

On my box it's currently taking around 450MB. I usually kill it when it gets to around 700MB. Maybe it's because I use GMail and Yahoo! Mail open all the time?

Re:

[Symbolis]

On my box it's currently taking around 450MB. I usually kill it when it gets to around 700MB. Maybe it's because I use GMail and Yahoo! Mail open all the time?

Madness.

Mine's sitting at 68MB as I type this.

No tweaking of any sort. Just now hit 70MB

Run NoScript, too.

Re:

[Mr Z]

Well, I do have over 30 tabs open across 5 windows, and I leave it open 24/7.

Re:

[Mr Z]

How many windows / tabs do you tend to have open, and how often do you restart the browser? Also, what OS?

Here's the output of ps on my 64-bit Ubuntu 7.04 box, running Ubuntu's Firefox package:

im14u2c 2527 6.1 11.2 987640 454116 ? Sl Feb07 176:30 /usr/lib/firefox/firefox-bin

The first number suggests Firefox is taking nearly 1GB, but 512MB of that is just the X mapping my video card, I think. The second number shows it clearly taking around 450M.

--Joe

Re:

[Nullav]

the few bugs are totally worth the better memory management, IMO

Statements like this were exactly why I decided to switch to FF3 a month ago. Personally, I saw no improvement in regards to memory leaks; I'd end up with it clinging on to 200-300MB or so after an hour or two of normal activity (a dozen Wikipedia articles, a YouTube link or two, and perhaps messing around with one of those addictive sand games). Making it trim on minimize (something it should do by default) helped somewhat, but then it would

Re:* Stops download of newest Firefox *

[omeomi]

Making it trim on minimize (something it should do by default) helped somewhat

What you're describing has nothing to do with Firefox. Even if Firefox frees it's memory, that freed memory doesn't get reflected in the Task Manager until the program is minimized or you wait long enough...

More info: http://www.garagegames.com/blogs/4517/11311 [garagegames.com]

"The Windows OS employs something like a memory cache for each actively running program. This cache may grow as the needs of a particular program require using magical algorithms Microsoft developers have produced for determining the optimal size for that program. For instance a program over the course of it's life time may require 20 megs of memory but occasionally needs to load data requiring allocations of up to 10 additional megs which is released seconds after it is loaded and processed. The Windows OS may determine then, that the memory cache for this program must increase from the base 20 megs to 25 megs instead. Looking at the Windows Task Manager then, you may see that this program is now using 25 megs of memory, even though currently, it may only be using 20 megs.

That is, the Windows Task Manager is reporting the memory cache allotment and not the memory allocated and used by the program. This is not the same as a memory leak. The program has little to no control over the memory cache allotment the OS has given it."

Re:

[Foolhardy]

Modern CPUs implement virtual memory, which means that any given page of memory (the smallest unit of allocation, per the CPU hardware) may not be directly accessible. The OS can decide to move a page to disk to make room for other things, or implement a memory-mapped file. When that page is accessed, it causes a page fault, which the OS silently fixes by moving the page back into memory. The memory currently accessible without causing a page fault and OS intervention is the working set. The amount of memor

Re:

[Eskarel]

NoScript isn't the solution to the problem. Javascript has a lot of good uses and is vitally important to the development of pretty much any page that isn't either just a flat file, or using way too much even less secure flash. Flat HTML pages are fine for certain applications, and server side technologies have their place, but if you want a responsive, interactive web page, then you need javascript.

Browsers have to ensure that their javascript interpreters are secure, and that they have ways to block, or m

Re:

[smittyoneeach]

Furthermore, there is a freely-available fix, which I pulled down and installed easily, has a look-ma-no-manual-needed interface, and a convenient means to tip the developers for a job well done.
Mad Propz.

Re:

[BasharTeg]

You gotta love Firefox apologists. They can turn a complete failure on behalf of Firefox development and release engineering into a discussion about how Microsoft is horrible and IE fails.

You're living in the past. Everyone knows IE6 was horrible. I'm running IE7 under protected mode. If you're going to talk shit, at least talk shit about current software. People who spend their time talking about how Windows 98 crashed a lot, IE5 and 6 were really insecure, and IIS 5 was the fastest way for a computer

Re:

[Anonymous Coward]

>Microsoft products are getting better. Deal with it. Quit living in the past.

So are realplayer's products, but you don't see anyone telling anyone to install them.

Re:

[LordLucless]

While I have to develop for it, I'm going to bitch about it. IE6 is still alive and well, and making up a significant proportion of site hits. It's still a piece of crap, and I still have to take it into consideration when I'm developing. Granted, the flaws I care about are rendering rather than security, but complaining about IE6 is most definitely not "living in the past".

Re:

[DMoylan]

> Everyone knows IE6 was horrible. I'm running IE7 under protected mode. If you're going to talk shit, at least talk shit about current software.

well in their defence more people still use ie6. so they are talking about current software.

http://www.w3schools.com/browsers/browsers_stats.asp [w3schools.com]

at my job it is split about 90% ie6 v 10% ie7 for internet explorer users. thankfully the number of ie users is dropping as more switch to firefox. ie7 has speeded up that switch as many hate the interface.

but to be o

Re:Fixed is hours!

[zsau]

As someone who uses Linux because I was able to customise it to be exactly compatible with the way I think, and so I'm unable to run Internet Explorer or IIS, I have to say you make an excellent point.

To everyone else: Do you remember before the browser wars, when Netscape was the big, bloated dominant player and Internet Explorer was the fast and light competitor which needed to prove itself (even if it did so by cheating)? Do you remember the time between the wars, when Internet Explorer was buggy and insecure? Now we are in the second browser wars and Internet Explorer is trying to compete. And it's a good thing. The Mozilla foundation cannot afford to sit on their laurels or Firefox will be the also-ran that the Mozilla suite is. Never hold yourself to someone else's standards: Be the very best you can be, and it'll always be better.

And be grateful for it — we on Linux pretty much have no choice but Firefox (or Firefox-based browsers) if we want a vaguely native, somewhat integrated system (well, there's Konqueror if you use KDE but it's not up to the same level as Firefox and Internet Explorer). There's no competition, no choice, and no reason for Mozilla to focus their development effort over on this side of the fence. And we suffer for it, with form widgets that don't look right and menus that don't work properly.

Re:

[jonabbey]

I'm a Firefox user on both Windows and Linux, but I think you unfairly downplay Konquerer. Konquerer has benefited from its common source base with Safari, and actually does better in some ways (Acid 2 test?) than Firefox 2.x does.

Props to the Konquerer team, I say.

Re:

[value_added]

When we're running Windows 7, Internet Explorer 8.0 in Protected Mode, and IIS 7.0 on Windows Server 2008, fools like you are still going to be apologizing for every bug in by bringing up bugs from Microsoft products 5+ years ago.

So ... you're dismissing the long and tiresome history of Microsoft's security record by stating that the next version of Windows, IE, etc. will be the most secure version ever?

Normally I don't use inflammatory terms like "apologist", but in this case, I think the characterisation

Re:Who cares? Use Opera

[FudRucker]

Opera is closed source so you have no idea what vulnerabilities are in it...

Re:

[Kjella]

Neither do you with Firefox, if you count both known and unknown vunerabilities. Sure, I know yesterday there was X bugs and today X-1 bugs (unless they've added some new ones) but since I have no idea what X is, it hardly matters. Even if we knew, it's be hard to say if it's because they've got few bugs or aren't looking for them or tagging them as such. In the end you look at their track record and see how many public and serious expoits there are, if it's a swiss cheese that keeps getting hacked it's cra

Re:

[Nazlfrag]

Well it appears they are attacking an MS box, by the Program Files part of the filename string. I doubt this would do much on a *nix box with proper access permissions set up. So yes, this is indirectly MSs' fault if theirs is the only platform vulnerable, which is likely.

Re:

[nmb3000]

Well it appears they are attacking an MS box, by the Program Files part of the filename string. I doubt this would do much on a *nix box with proper access permissions set up.

Well then, let's see!

C:\>cacls "Program Files"
C:\Program Files
BUILTIN\Users:R
BUILTIN\Administrators:F

root@box:/# ls -l
drwxr-xr-x 2 root root 4096 Mar 19 2007 bin
drwxr-xr-x 69 root root 8192 Dec 4 11:40 etc
drwxr-xr-x 11 root root 80 Mar 19 2007 usr

Hmm, look pretty simil