Security Netscape The Internet

Netscape Releases Security Update

daria42 writes "Less than 24 hours after releasing Netscape 8, Netscape has released a security patch bringing the browser up to version 8.0.1. The patch addresses security vulnerabilities in version 1.0.3 of the Firefox code on which Netscape is based. The update comes amid online criticism from Firefox developers that the browser was insecure."
This discussion has been archived. No new comments can be posted.

  • No thanks (Score:2, Funny)

    by Anonymous Coward

    I prefer to get my browser from the organ grinder [getfirefox.com], not the monkey [netscape.com]

  • by Virtual Karma ( 862416 ) on Friday May 20, 2005 @11:45AM (#12589997) Homepage
    Don't you think it is wiser to wait 24 hours longer (or maybe a week or so) and then release a quality product rather than issue patches? Imagine if civil engineers started doing the same with buildings and bridges.
    • Unlike buildings and bridges, no one is going to die if Netscape releases a quick-fix patch.

      That's the luxury software developers have that civil engineers don't. It's not exactly possible to go back and fix a mistake you made while building a multi-million dollar bridge.

      Netscape can release patches constantly if they want. That is, unless they want to prevent their customers from becoming confused and annoyed, at which point they can stop using their product.

      • That's the luxury software developers have that civil engineers don't. It's not exactly possible to go back and fix a mistake you made while building a multi-million dollar bridge.

        That's what you think. New structures are found to be unsound all the time, which usually requires that the structure be patched in some form or another.

        Take the case of the London Millennium Bridge [wikipedia.org] which suffered from Resonant vibration (a common problem with suspension bridges). It wasn't planned for because it was assumed that such vibrations couldn't happen from mere pedestrian traffic. The solution was to retrofit 37 fluid-viscous dampers and 52 tuned mass dampeners.

        In short, don't think that engineering is that much different from software. They're quite similar, to the point of being frightening.
        • Now that is pathetic. With the famous Tacoma Narrows Bridge bringing to life the issues of resonance and designing to eliminate such a test case they had decades of lead time to make sure their bridge is protected.
        • Yes, they're both very similar, as both engineers and developers are taken out into a field and shot once they turn 40.
          • Did you miss the memo? They've lowered the age on developers to 5 years of service or promotion to senior developer position, whichever comes first. (No, I'm not annoyed by idiot hiring practices that are driving companies into the ground, not at all.)
      • That's the luxury software developers have that civil engineers don't. It's not exactly possible to go back and fix a mistake you made while building a multi-million dollar bridge.

        Funny you mention that. In engineering terms, software is like 'unlimited-strength building material'. If done right, it never wears out, can be used as frequently/as long as you like, and never fails, no matter how much pressure you put on it (as long as the underlying hardware can take it).

        Engineers can only dream of such a

        • Engineers can only dream of such a material to build bridges from. But strangely, software fails waaayyyy more often than bridges. It looks like (in general) bridge builders take their job far more serious than software developers.

          Yes, because bridge building is exactly the same level of complexity as software development.

      • That's the luxury software developers have that civil engineers don't. It's not exactly possible to go back and fix a mistake you made while building a multi-million dollar bridge.

        Or maybe they could [slashdot.org].

    • Think about the work that goes into putting out a release, you have to burn CD's etc, package them, ship them, etc. You don't do this the day of the release, you do it weeks/months before.
      • Good point. But when "security" is part of your marketing spiel, it would seem to me that repackaging CD-ROMs would be a reasonable amount of crow to eat.
        • ok so let's say they used 1.0.4, changed the launch date to june 20 or something.. then on june 19 a bug is found in 1.0.4.. do they throw out all the 1.0.4 work and start with 1.0.5? it could never end!
          • It could, but when you're dealing with critical flaws then I don't think that you can be too careful. Especially - again - when your marketing is based on security.

            But of course, this wouldn't be as much of an issue if their update mechanism used some sort of incremental patching and an update didn't require a total reinstall.
    • Imagine if civil engineers started doing the same with buildings and bridges.

      "Started"? Where do you live? I get an opportunity to see our local civil engineers filling (patching) the same potholes once a week! These aren't small bumps in the road, either. Some of them are big enough to fit a 1/4 tonne pickup (sometimes I wonder if one actually fell in and they paved over it).

    • To be fair, buildings and bridges aren't quite as susceptible to little kids launching attacks from their basement thousands of miles away...
    • They probably did wait a short time...Firefox 1.0.3 wasn't finalized and released in a day...

      What is cool, though, is that the bug was found AND fixed in Firefox in less than a week and Netscape also updated a few (three?) days later (or one day after the release, depending on how you want to look at it). Ever see Microsoft do that?
    • Imagine if civil engineers started doing the same with buildings and bridges.

      Imagine if software developers were held to the same standards as engineers.

      I get tired of people comparing software development to real engineering when developers refuse to follow the same rigorous standards that engineering disciplines have to follow. There are some software engineers out there, but most of the people with that title are simply software developers. Not that every piece of software needs to be engineered, b

      • why shouldn't they be? software controls LOTS of financial/medical/industrial stuff that really has to be up to snuff. what if the computerized arm that's operating on your eye freaks and shoves its arm through your skull?
    • The reason that companies release their software then patch later, is so that they gain a competitive advantage in the market.

      For instance, Microsoft releases a new version of Office that has a few holes that need patched. Microsoft decides though that it would be cost beneficial to release the version now. This way people get the new fun features of Office NOW and Microsoft becomes the largest marketshare holder of a new feature.

      It's much more beneficial for a company to release a new version quickl
  • Netscape ? (Score:1, Funny)

    by Anonymous Coward
    huh ? Netscape ?

    What's Netscape ?
  • by Anonymous Coward on Friday May 20, 2005 @11:45AM (#12590005)
    ZDNet Australia [zdnet.com.au] has a scathing report [zdnet.com.au] on problems with Netscape's original 8.0 release, which shipped with known critical security bugs. ZDNet notes that several key Mozilla devs have lashed out at Netscape, including Firefox lead developer Ben Goodger [mozillazine.org], who posted a live exploit [mozillazine.org] of the known vulnerability. Gervase Markham [mozillazine.org], another Mozilla employee found Netscape's claim that Firefox 1.0.4 is "outdated" ridiculous [mozillazine.org]. Ali Ebrahim [ebrahim.org], another contributor commented that Netscape's claim of "more security choices" is based on a false premise [ebrahim.org]. To their credit, Netscape has since released Netscape 8.0.1, based on Firefox 1.0.4 which plugs the most severe known issues, though the question still remains as to why they released 8.0 in the first place if it contained such severe security issues.
    • It is not only that it contains such severe security issues but that they are KNOWN and have been fixed!

      This is what the software industry and versioning is becoming, just ship crappy software first and then provide patches, god, as someone said in another post imagine if that was an accepted behaviour for other professions???

      Patient: Doctor, my appendicitis operation was not ok, I think my bowel is going out in this hole... can you please add a patch to fix my body?
      Doctor: Oh, sorry I am afraid I
  • by drsmack1 ( 698392 ) * on Friday May 20, 2005 @11:46AM (#12590028)
    I did not understand why it was based on 1.03 anyway; were they completely unaware of what was going on at the firefox project?
    • Wouldn't be surprised, I mean they were completely unaware of how they lost so much browser marketshare, or if they did know, they didn't do anything to gain it back.
    • What were they supposed to do? They have to do a code-freeze sometime. If they would have waited until 1.0.4 was out, then we would all be screaming that they should have waited until 1.0.5 was out. You know that another security bug will be found in Firefox again. They can't just keep holding off releasing a product because of security exploits that haven't been discovered yet.
      • Obviously it didn't take them long to apply the security patches from 1.0.3. Would it really have been that difficult to just wait another day and release the version we now call 8.0.1 as the initial release of 8.0.0?

        If they would have waited until 1.0.4 was out, then we would all be screaming that they should have waited until 1.0.5 was out.

        Why would anyone be doing that? There's currently no known security problems with 1.0.4, so why would anyone care about waiting until 1.0.5?

        You know that anothe
        • while i agree with you that they should have waited, i don't think the 24-hour timeline is really correct. if it takes (for example) 3 days for them to take the final browser build, do regression testing on it, and print it to CDs and then release them, then the developers may have been working all of those 3 days (plus the 24 hours) making this patch that they just released. firefox 1.0.4 wasn't released 24 hours ago, so it probably took most of the time from when it was released until now to integrate t
  • I don't get it. (Score:2, Insightful)

    by Nytewynd ( 829901 )
    What is the deal with Netscape 8? It sounds like they basically downloaded the source code for Firefox, recompiled it, and then distributed it as something new.

    First, why isn't Firefox going after Netscape and second, why would anyone start using Netscape when Firefox knows their own code better and fixes it faster?

    I think I might get the Firefox code myself and create a browser called LOL-I'm-Really-Just-Firefox. It will be huge.
    • Re:I don't get it. (Score:4, Informative)

      by Jarnis ( 266190 ) on Friday May 20, 2005 @11:52AM (#12590115)
      As long as you abide by the license of the code, you can do that. Open source and all that...
    • Re:I don't get it. (Score:2, Informative)

      by Soybean47 ( 885009 )
      First, why isn't Firefox going after Netscape

      Firefox is open source.

      and second, why would anyone start using Netscape when Firefox knows their own code better and fixes it faster?

      Now, you've got me there. Uh...brand recognition? Maybe?
    • IIRC The Mozilla code base came about originally because Netscape made their browser code open source. For several years Netscape supported Mozilla.org (providing staff and resources).
      We should be glad that Netscape continue to use the Mozilla code base - it helps to provide another credible alternative to IE for instance.
      • It's NOT going to be easy to look credible when the first 'selling point' is security and they let out this major release with KNOWN security issues in it. I'm certain that the MS IE guys will be having a good laugh today and who can blame them ?

        I've already downloaded the full installer but having read about the new features, I've deleted it and will stick with Firefox for now. I just don't see the point in using Netscape.
    • They have bloated it quite a bit, it takes at least twice as long to load as Firefox, also it monitors your browser usage unless you uncheck a hidden box in the installation. Plus there's the added benefit of supporting IE so it's even less secure.
      • The box was hidden? Was right there for me...

        Don't know about the speed (no way I'm putting that on my normal use box), and the IE option looks good assuming you make the selection at install-time to always use Gecko (and switch manually to IE only).
    • It sounds like they basically downloaded the source code for Firefox, recompiled it, and then distributed it as something new.

      Firefox is Open Source, so this action is perfectly fine. And if you remember, the Mozilla team got the original code for Firefox (the Gecko Engine) from...yes, Netscape!
      • And if you remember, the Mozilla team got the original code for Firefox (the Gecko Engine) from...yes, Netscape!

        That's not entirely correct, actually. According to this [wikipedia.org] Wikipedia entry, "the initial Communicator open source release did not even build cleanly, much less run." Because of that, the Mozilla developers eventually decided to write Gecko from scratch.
        • The Mozilla Foundation was formed in July 2003 around when Mozilla 1.4 was released. Until then Mozilla (which included Gecko) was owned and operated by Netscape. So yes, the Gecko code was provided (or at least sponsored) by Netscape.

          Also, Firefox (formerly Firebird formerly Phoenix) was started in late 2002 when Mozilla was still part of Netscape.
    • prolly cause it's mozilla and not firefox... and...maybe because netscape helps pay the bills. that's why they don't "go after netscape".
    • Re:I don't get it. (Score:5, Informative)

      by justforaday ( 560408 ) on Friday May 20, 2005 @12:03PM (#12590288)
      The big deal with Netscape 8 is that it offers the choice of using the IE or Firefox/Gecko rendering engine on different pages. For instance, you can have it set to display /. using the Gecko engine, while using the IE engine to render your company's intranet page (you know, the one that requires that you use IE for "full functionality"). The main reason for it, however, is for the brand recognition that AOL gets out of it. Of course, the dual-rendering ability will only complicate matters for Joe Sixtooth.
      • Personally, I think the "dual rendering" support is a very bad thing. First of all, it's an insult to the Firefox developers, and second, if it were to gain acceptance, it would just encourage people to make bad website code that only works in IE. If a lot of people were to start using this, website developers would just be able to ignore Mozilla, since they'd figure "Oh well, if it doesn't work they can switch to IE rendering mode." IMO this Netscape release is a very bad thing and should be avoided. I
      • The big deal with Netscape 8 is that it offers the choice of using the IE or Firefox/Gecko rendering engine on different pages.

        The fundamental security flaws that are inherent in the Microsoft HTML Control can't be fixed by a wrapper, because they're in the HTML control itself, not the IE "shell". So you're no safer using the "IE Engine" inside Netscape than just using IE.

        So this is no different than just using IE for the pages that need IE, except that people who think they're being safer using Netscape
        • it seems like it'd be a lot easier just to switch rendering engines when you hit a bad page than to copy the link, open another application, paste the link into it, etc. plus, this way you can maintain one set of bookmarks one browser history, and one cache. i'm trying to think if this is a good thing for us web developers. is this an easy way to quickly test a page in two different environments, or is it a third environment that has quirks that the two engines don't have natively?
          • I think there is a firefox plugin that copies the link, opens another application, and pastes it for you.

            https://addons.mozilla.org/extensions/moreinfo.php?id=35&application=firefox [mozilla.org]
          • it seems like it'd be a lot easier just to switch rendering engines when you hit a bad page than to copy the link, open another application, paste the link into it, etc.

            It seems like it would have been a lot easier to add an "open in internet explorer" menu/contextual menu/accelerator key, and a lot less likely to lead to people getting confused about whether they're in a "safe" (relatively) browser or not.
        • This is a good idea because it means for the many sites which do not display correctly in Mozilla/Firefox/Netscape they can still be accessed via Netscape and presumably still have all the excellent features of the code such as tabbed browsing and like available to them.

          Regardless of who you feel is at fault for the reasons a certain page will not display correctly in any other browser than IE, considering the user would need to use IE to access the page in any case, this is a very convenient feature now av

          • This is a good idea because it means for the many sites which do not display correctly in Mozilla/Firefox/Netscape they can still be accessed via Netscape and presumably still have all the excellent features of the code such as tabbed browsing and like available to them.

            The most important feature of Netscape is that it doesn't support ActiveX and most of Active Scripting. That is an advantage, even if it makes the page appear incomplete. No, a user is better off having the site display incorrectly than ta
      • Oh boy, Netscape now has to watch both sides of the flaming candle stick, lest they get burned with additional vulnerability (from EITHER side).
    • Take it as a challenge and go with that (create your own browser). In fact, if you manage to complete the browser, I promise I'll even pay support for it. Heh? :-)
    • First, why isn't Firefox going after Netscape

      You don't get the whole "Open Source" thing, do you?
      • I do understand Open Source. I guess I just don't know exactly how the licensing works. I imagine at some point Netscape will want to make some money with their product. I'm sure things are spelled out in all of the License Agreements, but I was too uninterested to read all of that stuff.

        If they are openly admitting that their code is nearly an exact duplicate of Firefox, it might limit them in the future. If they designed their own browser instead, they would be free to do whatever they wanted. I al
        • I guess I just don't know exactly how the licensing works.

          There are very few open source projects that limit commercial redistribution of the software. Oh, there's a broad range of licenses, from the "you can do it as long as you don't sue us if it breaks" modified BSD license, through to "you can do it as long as you make the result open source" GPL, but products like the dual-licensed Ghostscript or the no-commercial-use Kermit have become fairly rare.

          That's a pretty important thing to understand about
  • 3 != 44 (Score:2, Informative)

    by dereference ( 875531 )
    There were only 3 bugs fixed in 8.0.1, not 44! See the Release Notes [netscape.com] for yourself.
  • Show offs! (Score:5, Funny)

    by khendron ( 225184 ) on Friday May 20, 2005 @11:48AM (#12590050) Homepage
    Netscape just wanted to show off how they can produce patches faster than Microsoft and Firefox.

    The promo goes like this: "Microsoft leaves holes unpatched for weeks, maybe months. Firefox sometimes takes a few days. But *we* can produce a patch in less than 24 hours! Na na!"
    • The next logical demonstration of patch speed would be to release a project with a note saying it was patched a few minutes before release...
      As far as browser security- Are we talking security for the masses or for the (somewhat) informed? I for one can't imagine needing a browser with "anti phish" technology or whatever they call it, just like I couldn't imagine a need for a car security system that works when you leave your keys in your car with the windows down in a bad neighborhood...
      The best security
  • And for most of NS8's official first day, anyone not using NS8 were redirected to this "alert" page [netscape.com], even users of Mozilla Firefox 1.0.4! "Your current browser is outdated," my tail.

    It's so Not A Good Thing(TM) that a commercial product needs a security upgrade on the first day of going official.

  • The patch address security vulnerabilities in version 1.0.3 of the Firefox code on which Netscape is based.

    Was this vulnerability already known and patched in Firefox? And if so, why the heck did they release a program that had a known security hole with a known fix?
  • by kniLnamiJ-neB ( 754894 ) on Friday May 20, 2005 @11:51AM (#12590098)
    Netscape released a statement saying that people who downloaded the browser labeled 8.0 actually got a mis-labeled copy of 7.9.9.9.9. The new version 8.1 will actually be 8.0 and the following patches labeled 8.1.1, 8.1.2, and 8.1.2.1, which will be released daily starting tomorrow, will be relabeled as 8.0.1, 8.1.0, and 8.1.2, respectively. ***NO CARRIER***

    We apologize for the above post. Those who were responsible for sacking those who were just sacked, have been sacked.
    • 7.9, 8.0, 8.1, 8.1.1, alpha,beta, stable,concept car, prototype, production model; It's all the same. Some one makes an executive decision as to what to label a moving target and call it a product. Then you have patches, field repairs, build changes, recalls, retro kits, etc. to fix that executive decision. The two choices are have it now with bugs or wait till hell freezes over for a bugless software app or a trouble free bridge or car.
  • Proof positive AOL/Netscape != Microsoft:

    If this were Microsoft:
    We'd wait several months while they verified the problem, then a few weeks while they fixed it, a few weeks for them to pretend to test the fix, then wait up to 4 weeks more for the next patch day.

  • Huh? (Score:2, Interesting)

    by bsquizzato ( 413710 )
    Why did Mozilla release Netscape 8, based on Firefox 1.0.3, AFTER they had released the fix? (1.0.4) Why wouldn't they just wait an extra day? Now there will be vulnerable Netscape 8's floating around if people aren't conscientious enough to check for updates daily.
  • Just been to Netscape's website and no Linux version available. Some web site will work only with IE or netscape. I still prefer Netscape over IE anyday.
    • Some web site will work only with IE or netscape.
      If you find a site like that, email the admins and let them know this is the 21st century. There are more than two browsers on the market, and they're losing at least 10% of their visitors if the site doesn't work in Gecko (Firefox), Presto (Opera), and WebCore (Safari) browsers.
    • Some web site will work only with IE or netscape.

      I use FireFox. I will not use IE. If a site does not work with Firefox(not too many sites are still like this) I will not use that site. That means no advertising revenue and no retail sales from me.

      I admit I have to use IE for 3 webapps at work. One of these is developed and maintained by my group and we are currently in the process of making it browser neutral. Everything else I will use with Firefox. The difference is I am paying for using other sites (

  • Rather embarrassing (Score:3, Insightful)

    by Phil246 ( 803464 ) on Friday May 20, 2005 @12:53PM (#12590978)
    Regardless of the reasons why - For a software company to release a patch for a product they released 24 hours ago is, to say the least, embarrassing.
    I would imagine there are quite a few red faces around netscape today
  • Internet Explorer rinses and uses paper towels in the bathroom.
    Netscape washes thoroughly and uses the automatic air dryer.
    Firefox doesn't piss on its hands.
  • by klui ( 457783 ) on Friday May 20, 2005 @01:51PM (#12591735)
    I'm really curious if this is indeed an incremental patch or Mozilla's idea of one--namely a complete download of the product.
  • It's pathetic what Netscape turned into.
    The website is some kind of news/portal site, with nothing interesting just bullshit like "How to Handle an Angry Woman" or "Top searches: American Idol", and hidden between all that "All New Netscape Browser 8.0", it is a shame (not to mention it's firefox with other GUI).
    I think it's time for Netscape to disappear and leave their browser as the legend it was years ago not the piece of crap it is today.
  • Automatic updates (Score:2, Informative)

    by POWRSURG ( 755318 )
    I installed Netscape 8 the day it came out for testing purposes. I saw this story, went to Netscape with their default skin and found they had nothing similar to the Firefox's red ! to alert me that updates were necessary. I went to Tools->Advanced->Software Update and found Automatically Download and install updates was checked by default, so I checked my UA string to find it was still Netscape 8.0. Went back to Software Update and ran Check Now and it did not find any updates. Switched to their oth
  • I just briefly used Netscape 8, so I'll write up my impressions.

    The interface is very cluttered with "potentially" useful information, like movie theater show times, weather, news, etc. If you prefer Yahoo's front page portal to the simplicity of Google's front page, this browser is made for you. Otherwise, stick with Firefox.

    The browser renders all "unknown" sites as Firefox, which was annoying to me because the only purpose for me trying this out was to test out some IE-only web pages. Luckily, it took
  • Reminds me of my favorite slashdot poll of all time: "Netscape 6 is out. Do you care?" The resounding winner was "no," as I recall.

    Well I can't find it in the poll archives. I was pretty sure it was a slashdot poll. Funny anyway.

    RP
