Serious Vulnerability In Firefox 2.0.0.12 355
Oh, Not Now writes "Mozilla Firefox 2.0.0.12, mere hours old, is vulnerable by default to a directory traversal trick, via the view-source mechanism. Although mitigated by the NoScript plug-in, this is quite a serious bug — the default installation is vulnerable from the get-go."
Payload (Score:3, Informative)
Re:Payload (Score:2)
DIRECTORY TRAVERSAL? (Score:5, Informative)
From TFA: "We can trick Firefox itself in traversing directories back".
but then it says:
"we are able to read out all preferences set in Firefox, or just open or include about every file stored in the Mozilla program files directory"
Since TFA is not clear, I have tried it myself and I WAS NOT ABLE TO TRAVERSE a directory back with resource:///../
So the only files someone can read with this vuln are the files inside firefox directory which from what I can see are just default files and no cookies or passwords.
If anyone thinks any different please let me know.
Re:Payload (Score:2)
Not if you type it in the URL bar. I can't seem to get the resource:/// hack to work from an http:/// [http] page though, so I'm not sure about whether file:/// gets through under the same circumstances.
NoScript (Score:5, Interesting)
Re:NoScript (Score:4, Interesting)
Re:NoScript (Score:5, Insightful)
Seriously, running every script a page stuffs into a browser should not be the default, and it should not take an extension to fix it.
Re:NoScript (Score:3, Insightful)
While you're at it, why not put AdBlock Plus in there and FlashBlock and Greasemonkey and Fasterfox and GMail Notifier and
Some people don't want everything included in the distribution, some developers don't want to have to make all those things work with every release and compile they do of test builds.
AutoUpdate of things you choose to install works just fine, and the people who build the add-ons make sure they work without having to work for MozFoundation.
Re:NoScript (Score:5, Insightful)
So instead of teaching people security, it just teaches them "Security is annoying and breaks everything, what's teh point?" and they want to use it less.
Re:NoScript (Score:5, Interesting)
The minority who can cope with those sort of settings can manage to install an extension.
Re:NoScript (Score:5, Insightful)
Re:NoScript (Score:5, Interesting)
Why is everyone in love with checksums?
Disk is cheap. The amount of scripting I should trust is small.
So cache the *actual* scripts... and then use those as keys into what scripts are actually run.
That is, when you first hit a website that tries to run a script, capture all of the script functions and fragments, and indicate to the user how many un-approved scripts are on this page. The user than has the option to say "Trust this set of scripts" (like noscript now), or "Let me look at these scripts."
And this is where the fun can begin.
The browser can present to me a list of script functions and fragments, each with a "allow", "deny", or "remap" option. Allow is just that -- allow that script function or fragment to be run as-is, temporarily or for that page, machine, or domain. Deny is just that -- deny that script function or fragment, again, for that page, machine, or domain.
For remap, however, I should get a little two-window/textarea display (top/bottom, left/right, don't care, should probably be the user's choice), one read-only (the key) and the other editable. I can then edit the second chunk of code as I please -- stupid client-side verification, gone, replaced with "return true;". Code that disables a feature, deletes information from the display, and so on and so forth... gone. The test for browser/os versions... gone. Bugs become fixable. (Sure, I might introduce bugs, but that's my own fault, and it's my browser anyway.)
Most folks wouldn't ever use "remap" in this way, but that's okay. The ability is there, just like most folks don't compile open-source programs from scratch. That's not the point... if they wanted to, they could.
The next step is to share remapping libraries, like people are sharing greasemonkey scripts now. I could get a call from my mother about how some website is broken to how she'd want to use it, and I can go look at the web-page, fix it, export my changes to some convenient archive, drop it on to my webpage, and then send the url to my mother, who can click on the archive, and have the browser ask "Do you want to install this?", click "Yes", and all is well in the world.
Sure, some websites will take steps to make every bit of client-side scripting unique for every connection. They'll obfuscate their code, randomize the variable names on a per-session basis, mess with the structure... and now you KNOW those websites are hostile and malicious and should be treated as such.
Don't bother with checksums, that doesn't put any power into the hands of the users. Track code, and allow for client-side replacement of code. Allow end-users to share their code-replacement libraries. We can kinda-sorta do that now with plugins and greasemonkey, but that's tricky and error-prone and tedious. Let the computer solve the problems that are tricky, or error-prone, and especially the problems that are tedious!
Amazing coincidence (Score:5, Funny)
Re:NoScript (Score:5, Insightful)
The thing is, looking at it from the designer/developer end, most users seem to want the functionality Javascript provides. My job largely consists of designing "intranet" apps for a university department. With forms, the end users want the ability to click a button or link to add extra fields when necessary. They want web-based calculators that figure out totals and percentages automatically. They like little explanatory pop-up boxes that define terms for them if they don't already understand what it means. They prefer drop-down menus that change, based on choices made further up the form.
I realize that NoScript actually allows white-listing for situations like this (just like IE does for ActiveX, God bless 'em) - but I don't have much confidence that non-technical end users will understand, even with training. Making NoScript or a similar tool the default will end up meaning significantly more of my time being wasted dealing with support calls - after all, if the web's broken you don't call the desktop support people, you call the webmaster, right?
(BTW is Firefox 3.0b2 or b3 vulnerable?)
Re:NoScript (Score:2, Insightful)
So because you decide to use the browser as some sort of generic code execution engine and GUI for your own hacks instead of writing your programs to run as a real application like everyone else, people browsing the web should remain a target for javascript abuse, bloat and exploits.
I can't say I agree.
Re:NoScript (Score:5, Insightful)
So because you decide to use the browser as some sort of generic code execution engine and GUI for your own hacks instead of writing your programs to run as a real application like everyone else, people browsing the web should remain a target for javascript abuse, bloat and exploits.
The "real" applications (gotta love that required platform lock-in, btw) you talk about would still need access to that centralized data. So you pick your poison - do you provide direct access to that central data repository for a wide number of computers, or do you limit access just to connections from a web server (which is then open to that wide number of computers)? Personally I'd rather keep as much insulation as possible between that back-end data and the rest of the world.
Re:NoScript (Score:2, Interesting)
Re:NoScript (Score:5, Funny)
yahoo or mozilla (Score:2, Interesting)
Time to see if Konqueror fixed the damn flash bug (Score:2)
Re:Time to see if Konqueror fixed the damn flash b (Score:2)
Corporate sites (Score:4, Insightful)
Re:Corporate sites (Score:2)
Yup. We all have Flash disabled and can't install it at work, because the overlord office in Europe doesn't understand that it's not just for YouTube. We're starting to have serious trouble using travel booking sites, hotel booking sites, and restaurant booking sites (all of which are legitimate and frequent uses of our PCs for our business) because of this. A HUGE percentage of them don't have a single no-flash page left. Many of them don't even generate a "you need Flash to view this site" message; they just come up blank. Or the page frame (borders, margin -- whatever) will come up but you can't get to any content.
It's driving me nuts. Part of the reason I spend so much time on Slashdot is because around here, there's still Actual Text that I can just plain damn read.
Re:Time to see if Konqueror fixed the damn flash b (Score:2)
Re:Time to see if Konqueror fixed the damn flash b (Score:2)
I sure hope it's only this version... (Score:2, Interesting)
Re:I sure hope it's only this version... (Score:4, Informative)
Re:I sure hope it's only this version... (Score:2)
or just visit sites you trust (Score:4, Insightful)
Re:or just visit sites you trust (Score:5, Informative)
Assuming that the sites you trust haven't been compromised, this still leaves out the serious problem of attack code inserted into advertising.
Re:or just visit sites you trust (Score:4, Insightful)
Re:or just visit sites you trust (Score:5, Interesting)
Ever use an open 802.11 access point? Ever been redirected to a legalese page before being allowed onto the internet? Now what if that page had the exploit in it? For added fun, imagine the hotspot isn't malicious but there's an attacker on the network using a rogue DHCP server to feed you a bogus set of DNS servers.
People assume that their web browser is a trusted execution environment. Vulnerabilities which affect the browser are worth caring about for that reason.
nifty trick (Score:5, Informative)
While this is a really neat find, and I am glad that it will be patched pretty soon, I don't think it is quite at the level of "sky falling" etc. From what I understand, an attacker that can execute javascript in your browser has the ability to read any file in the targets mozilla directory. This worst that I think an attacker could do would be to grab your stored password file. While this is definitely something to be concerned about, the headline had me pretty worried
Re:nifty trick (Score:4, Informative)
saved passwords (Score:4, Insightful)
Re:saved passwords (Score:2)
This brings up my greatest grip with Firefox: If you visit any site that you have stored a password for and you have a master password set, the damn thing pops open a request for any page that contains a password field. Take Slashdot or Digg, for example. If I'm browsing either of these sites almost every page I open requests a master password. You can turn off form auto-fill in about:config (not very end-user friendly), but then Firefox seems to have no method at all for causing the stored passwords to be filled in the page, unless I'm missing something. All in all, Firefox has some issues when it comes to password storage.
Do you have a better way to store all your passwords?
Re:saved passwords (Score:2)
Try Secure Login [mozilla.org].
Re:saved passwords (Score:4, Funny)
Re:saved passwords (Score:2)
At least that's how it worked last time I checked (but that was some time ago).
You should probably leave at least one Firefox window open all the time until you're done for the day, to avoid ending the session and then starting a new session, giving you a new prompt. But if you leave your computer and other people can access it, you should probably close all Firefox windows, so other people don't use your Firefox session to log in on your accounts.
Of course you should never let Firefox remember important logins like your bank.
What all.js contains (Score:2, Informative)
huh? (Score:5, Informative)
Re:huh? (Score:3, Insightful)
Re:huh? (Score:2)
It depends. Is the vulnerability in the view-source: method, or have the developers just not bothered to protect resource:/// since, as you say, it is all standard stuff that people can get by downloading firefox themselves? The way the exploit code has been posted, it is difficult to tell, because you need a javascript file that consists of lots of calls to a single function so you can override that function to print out the parameters instead.
How is this a serious security problem? (Score:3, Informative)
Scare mongering (Score:5, Informative)
Firefox is open source; anyone who wants to view view-source:resource:///greprefs/all.js can just as easily load http://mxr.mozilla.org/mozilla1.8/source/modules/libpref/src/init/all.js?raw=1 [mozilla.org] it has the same content.
all.js is *not* user data, it's *public* app data. Your preferences are stored in prefs.js which are not exposed by greprefs.
Update the title... NOW. (Score:5, Insightful)
You should still upgrade. You are already vulnerable to this "attack" without it, but you can at least gain some new fixes for other issues.
You know, we're trying to promote open source software. To scream that firefox has a "serious vulnerability" when it in fact doesn't is IT treason.
Doesn't matter what browser you run (Score:2)
Is there a NoScript for IE 7 and Opera?
Re:Doesn't matter what browser you run (Score:2)
For IE7, I have no idea. I doubt it. In Opera, it's built in.
(... BUT in Opera, enabling scripts for a specific site requires navigating through various sub-menus and five to eight mouse-clicks. And if the site uses cross-site scripting, as do most video sites for example, it could take anywhere up to a couple of minutes to investigate which sites you need to enable scripting for.)
How come? (Score:2, Insightful)
Re:How come? (Score:2)
Re:How come? (Score:2)
Re:How come? (Score:3, Funny)
Re:How come? (Score:2)
I use Firefox btw.
list of files that can be read (win32) (Score:2, Interesting)
or not
Possibly another bug? (Score:2)
I've got Firefox as my default browser on XP, and after the upgrade to 2.0.0.12, all of a sudden IE showed up as my browser at the top of my Start menu. When I went into the control panel to "set program access and defaults", Firefox doesn't even show up as an option. WTF?
It's still installed, as it's in the programs folder, and it runs fine....also doesn't as me if I need to set it as default, so it still is, but Windows has completely lost the fact that it's a browser.
Anybody else have this happen?
Re:Possibly another bug? (Score:2)
As far as Windows was concerned, IE was the only browser on the computer, but http:/// [http] URLs were to be opened by firefox.exe, which isn't a browser, just-so-we're-clear-on-that-point-thankyou.
Bizarre.
Anyway, I fixed it by setting IE to be default browser, then starting Firefox, at which point it asked me "Do you want me to be default browser?"
Clicked yes, and it's back in my start menu.
Normally, I'd blame Windows for this type of thing, as they're typically SWBs (Stupid Windows Bugs). But this happened at the exact same time I upgraded to 2.0.0.12, so I figure it's got to be related, somehow. Of course, it could be something to do with the odd combination of extensions I've got installed.....
Firefox is too large to be secure (Score:5, Interesting)
Any non-trivial program contains bugs and vulnerabilities proportional to its size, and the relationship between size and inherent problem-count is probably a lot worse than linear. This is true for all programs and all systems, but it is especially true for monolithic ones, and to a very large extent the main body of modern browsers is quite monolithic. Even the plugins load into the same address space in most cases, although there are exceptions to this in the browser world.
The present situation is not good, and everyone is familiar with the consequences of it: the web browser is by far the most crash-prone of all applications present in our operating systems today.
Is there a solution to this on the horizon? Not at present, because developers in all the most popular programming languages almost always implement monolithic systems (because the languages encourage it and the courses teach it), and are highly adverse to extreme modularization. Again, there are exceptions, but they are rare.
We are living in a bit of a Dark Age in this area currently, and I don't forsee any change within the next five years at least.
This bug is less important than it seems (Score:5, Informative)
If you take a look at what this is doing, there's much less to it than meets the eye.
The way the page works is that it is able to load the file all.js in the greprefs directory inside your firefox installation. However, it is not *reading* this file and making it available to the javascript interpreter, it is *executing* the file. The file is a big list of browser preferences, each set with a call to a function with the signature pref(name, value). There is no code in there other than calls to pref. What the page does is define its own pref(name, value) which gets called, and the names and values are therefore available to the javascript interpreter.
So:
I would additionally point out that the view-source: part of the URI appears to be unnecessary, since at least for me (Ubuntu FF 2.0.0.12) the "exploit" worked just fine without it.
Godwin's Law for Slashdot (Score:3, Informative)
Slashdot needs an implementation of Godwin's Law that shuts down a thread the first time Microsoft is mentioned and the topic is something that involves neither Microsoft nor any of its products.
Thankfully, that would have put this thread out of our misery almost immediately, with no one any less informed as a result.
Damned it all (Score:5, Insightful)
Oh, well, just one more unlocked door in the grass hut I call a computer.
Re:Damned it all (Score:5, Informative)
Re:Damned it all (Score:2, Informative)
Not exactly.... (Score:5, Informative)
Depends.
Firefox extensions (Like the oh-so-important NoScript [noscript.net] and AdBlock Plus [slashdot.org], or the must-have for every
On the other hand, web-browser plugins (like Adobe Macromedia Flash, Sun Java, etc.) are binary code in dynamically linked libraries (DLL or SO depending on what's standart on your OS). That's why there are really serious portability problems with closed source companies providing plugins compiled only for a handful of operating system (often without 64bits support).
There are two strategies :
- most of the time open-source projects use very light libraries which obtain the parameters from firefox and launch a player in a separate process that get its output embedded inside the page display (mplayer's plugin just luanch a sepparate mplayer session, gnash' plugin runs gtk-gnash to open the flash movie, webgcjplugin compiles and runs the java applet using gcj, moz-plugger is an universal embedder, etc...)
- whereas most of the proprietary project try to cram everything inside a huge DLL that runs inside firefox' own process (macromedia flash, acrobat reader {BTW who does still use that piece of junk}, etc.)
The Javascript extensions play some role because the javascript engine of current Firefox isn't very fast (Hopefully the integration of Tamarin VM in some future version will help). If a user has way too many of them, the firefox experience can become slow. But most of the time quite, the extensions are event-driven : they usually add entries in the main menu and the javascripts are only executed when the user clicks the entry.
The other problems comes with memory leaks.
- Javascript extensions, because they are only ran on demand and because of the garbage collector, aren't subject to many leaks. But anyway really badly written code can actually degrade firefox performance and eat up memory.
- Dynamically linked web browser plugins are a completely different animal : because they run inside the browser process (at least, not the open-source one which only launch an external process) if they leak memory, the whole firefox process will get its memory usage up and will only free the memory when the whole program is exited. Also, firefox isn't heavily multi-threaded and if some plugins freezes the whole program gets unresponsive (I've had some awful experience with acrobat and older versions of flash). Similarly crashes inside a dynamically linked library will bring down the whole process that called the function, and any exploit discovered inside flash can be used against firefox itself.
I strongly suspect that most of the memory leaks reported by users are actually due to browser-plugins, because I haven't experienced any leaks even if a use several extensions, whereas I don't run closed proprietary browser plugins at all (mplayer and gnash only !) because of the awful experience with acrobat and flash.
Re:* Stops download of newest Firefox * (Score:5, Interesting)
Re:* Stops download of newest Firefox * (Score:5, Insightful)
There are enough malware targeted specifically at Firefox - I've seen them in action. The good thing with Firefox is that it gets patched pretty quickly, by the time an exploit has been written, hopefully we'll all have 2.0.13 installed.
Still, that's no excuse. It saddens me to say that the quality of Firefox (2.x.x branch) is steadily declining. It's slow, eating too many resources, and it crashes - on some sites it just constantly crashes. If it weren't for all the extensions, I'd dump it in a heartbeat and move to Opera.
Re:text mode browsers that Just Work (Score:3, Insightful)
I'm not sure what you're trying to say here -- I suspect you're yet another "designer" who resents the fact that you're fabuloso designs are irritating the hell out of a large chunk of the populus -- but you're logic is totally whacked. Why blame the author of some text for the decisions made by other people in the organization?
Consider the way the world looks when I use Firefox. I go to read a column by Robert Fisk in the Independant, and a bar appears at the edge of the screen telling me that the execution of some script has been blocked. I habitually use custom colors with light text on black -- my opinion is this minimizes eye-strain, by the way: computer screens are not paper and should not try to mimic paper -- and the various little graphics they've squeezed in on the page are glaringly bright in comparison, because they presume I'm using a white background. Then I come to the dread Flashing GIG advertisement, and it's once again time to right click and use Adblock to make it go away.
Do you see what I'm getting at? Lynx (or w3m) is not without it's annoyances, but using Firefox is not without it's annoyances either: I need to constantly fuss with it to fight the faddish nonsense that the web is always infested with.
What's so crazy about using a text-mode browser if what you want to do is read some text?
Re:* Stops download of newest Firefox * (Score:3, Informative)
I also don't think this is related to extensions. I'm not using anything unusual (popup alt attribute, tabbrowser prefs, flashblock, web developer).
Re:* Stops download of newest Firefox * (Score:3, Insightful)
To facilitate the discussions we should be having here on
But I agree that a post in response would better serve the discussion.
Re:* Stops download of newest Firefox * (Score:5, Informative)
Re:* Stops download of newest Firefox * (Score:3, Insightful)
Re:* Stops download of newest Firefox * (Score:5, Insightful)
Re:* Stops download of newest Firefox * (Score:5, Interesting)
Re:* Stops download of newest Firefox * (Score:2)
Find bug.
Wait until the newest release cames out.
Profit - Worldwide attention for Mr. 0x0000000.
What a hero.
Re:* Stops download of newest Firefox * (Score:3, Interesting)
Re:* Stops download of newest Firefox * (Score:5, Insightful)
I cannot work out from the article whether older versions of Firefox are vulnerable or not.
If its an unfixed bug from previous versions you should continue to download.
Which would you rather:
have 20 known vulns in the wild (stay as you are),
have 1 known vuln wild (latest update).
Until we can be certain though, just click pause
Re:* Stops download of newest Firefox * (Score:5, Informative)
To quote the link itself, where it is written in large bold print right above what was quoted (emphasis mine):
FIXED in Firefox 2.0.0.12
Re:* Stops download of newest Firefox * (Score:2, Informative)
Re:* Stops download of newest Firefox * (Score:3, Interesting)
Re:* Stops download of newest Firefox * (Score:2)
Memory Usage / No Script (Score:2)
I've been using Noscript for a while now, and personally it hasn't really effected my peak memory usage for better or worse. I also have constant access to CPU/Memory usage percentages through my G-15 keyboard's display, so I tend keep an eye on that more than most people.
Re:Memory Usage / No Script (Score:2)
On my box it's currently taking around 450MB. I usually kill it when it gets to around 700MB. Maybe it's because I use GMail and Yahoo! Mail open all the time?
Re:Memory Usage / No Script (Score:2, Informative)
On my box it's currently taking around 450MB. I usually kill it when it gets to around 700MB. Maybe it's because I use GMail and Yahoo! Mail open all the time?
Madness.
Mine's sitting at 68MB as I type this.
No tweaking of any sort. Just now hit 70MB
Run NoScript, too.
Re:Memory Usage / No Script (Score:3, Informative)
Well, I do have over 30 tabs open across 5 windows, and I leave it open 24/7.
Re:Memory Usage / No Script (Score:3, Interesting)
How many windows / tabs do you tend to have open, and how often do you restart the browser? Also, what OS?
Here's the output of ps on my 64-bit Ubuntu 7.04 box, running Ubuntu's Firefox package:
im14u2c 2527 6.1 11.2 987640 454116 ? Sl Feb07 176:30 /usr/lib/firefox/firefox-bin
The first number suggests Firefox is taking nearly 1GB, but 512MB of that is just the X mapping my video card, I think. The second number shows it clearly taking around 450M.
--JoeRe:* Stops download of newest Firefox * (Score:2)
Somehow, I just don't see FF getting any better in the near future.
Re:* Stops download of newest Firefox * (Score:5, Informative)
What you're describing has nothing to do with Firefox. Even if Firefox frees it's memory, that freed memory doesn't get reflected in the Task Manager until the program is minimized or you wait long enough...
More info: http://www.garagegames.com/blogs/4517/11311 [garagegames.com]
"The Windows OS employs something like a memory cache for each actively running program. This cache may grow as the needs of a particular program require using magical algorithms Microsoft developers have produced for determining the optimal size for that program. For instance a program over the course of it's life time may require 20 megs of memory but occasionally needs to load data requiring allocations of up to 10 additional megs which is released seconds after it is loaded and processed. The Windows OS may determine then, that the memory cache for this program must increase from the base 20 megs to 25 megs instead. Looking at the Windows Task Manager then, you may see that this program is now using 25 megs of memory, even though currently, it may only be using 20 megs.
That is, the Windows Task Manager is reporting the memory cache allotment and not the memory allocated and used by the program. This is not the same as a memory leak. The program has little to no control over the memory cache allotment the OS has given it."
Re:* Stops download of newest Firefox * (Score:3, Informative)
Linux implements a global working set. This means that when the OS decides that it wants to remove a page from its working set (i.e. swap it to disk), it pulls that page out of all the processes that are using it (since the page might be shared), writes it to disk and marks the page as free.
Windows NT implements a per-process working set. A page is moved out of the working set of a particular process, and when it's been removed from all processes (in case it was shared), it goes into the standby cache, a sort of limbo where the page exists both in memory and disk and can't be written to (this makes it possible for the page to be moved completely to disk or back into use without further disk access). Each process has a soft minimum and maximum working set that the memory manager tries to keep a process within. Memory heavy processes have their max working set automatically expanded. Task Manager reports a process's current working set under the heading of mem usage. More pages allocated to the process may in fact be in memory in the standby list, but they won't show up in this count. Memory cached by the OS (e.g. standby cache, file cache, write cache) is not counted in the working set of any process, even if only one process is really using it. They show up as "System cache" in the performance tab, and some caches are double counted as "Available" because they can be discarded without disk access. When a process calls NtFreeVirtualMemory (the syscall for freeing private memory pages), the OS does not keep it in the process's working set. The working set is always equal or smaller than the sum of shared and private memory allocated to the process. If a process were to free all its private memory, and somehow unload all its modules and free its stack, the working set would go down to zero. A program has full control over what memory is allocated to it. It can't fully control how much of that memory is actually resident in RAM, though, and that's what is reported by Task Manager.
When you minimize a window, the Win32 subsystem sets the process's maximum working set to the system minimum, effectively moving most of its private pages into standby. Those pages will only come back into the working set as they're accessed-- it may take a long time for the working set to get has high as it was previously, and possibly never for memory leaks or unused caches. Firefox definitely implements some hefty caches.
In short: yes Windows implements a memory cache, but not for pages that have been freed.
Re:* Stops download of newest Firefox * (Score:2)
Browsers have to ensure that their javascript interpreters are secure, and that they have ways to block, or make harmless most malicious attacks. If we just say "oh that's not important because people can just block scripts with noscript, then we don't get any further and we further stunt the growth of web technologies.
Re:* Stops download of newest Firefox * (Score:2)
Mad Propz.
Re:Fixed is hours! (Score:3, Insightful)
You're living in the past. Everyone knows IE6 was horrible. I'm running IE7 under protected mode. If you're going to talk shit, at least talk shit about current software. People who spend their time talking about how Windows 98 crashed a lot, IE5 and 6 were really insecure, and IIS 5 was the fastest way for a computer to get hacked on the net, are really starting to sound tired and sad. When we're running Windows 7, Internet Explorer 8.0 in Protected Mode, and IIS 7.0 on Windows Server 2008, fools like you are still going to be apologizing for every bug in by bringing up bugs from Microsoft products 5+ years ago.
And even if IE6 was the most horrible browser ever and they waited for "moths if not years" for patches, how does that make this Firefox vulnerability any better? If IE6 is so bad, why is it your example for trying to minimize this Firefox vulnerability?
Microsoft products are getting better. Deal with it. Quit living in the past.
Re:Fixed is hours! (Score:2, Funny)
So are realplayer's products, but you don't see anyone telling anyone to install them.
Re:Fixed is hours! (Score:2)
Re:Fixed is hours! (Score:3, Informative)
well in their defence more people still use ie6. so they are talking about current software.
http://www.w3schools.com/browsers/browsers_stats.asp [w3schools.com]
at my job it is split about 90% ie6 v 10% ie7 for internet explorer users. thankfully the number of ie users is dropping as more switch to firefox. ie7 has speeded up that switch as many hate the interface.
but to be on topic firefox has a serious bug. i expect it will be patched in a day or so. firefox is good at that.
> Microsoft products are getting better.
only because they have serious competition from firefox, apache etc.
> Deal with it. Quit living in the past.
i don't live in the past i use linux and mac osx.
Re:Fixed is hours! (Score:4, Insightful)
To everyone else: Do you remember before the browser wars, when Netscape was the big, bloated dominant player and Internet Explorer was the fast and light competitor which needed to prove itself (even if it did so by cheating)? Do you remember the time between the wars, when Internet Explorer was buggy and insecure? Now we are in the second browser wars and Internet Explorer is trying to compete. And it's a good thing. The Mozilla foundation cannot afford to sit on their laurels or Firefox will be the also-ran that the Mozilla suite is. Never hold yourself to someone else's standards: Be the very best you can be, and it'll always be better.
And be grateful for it — we on Linux pretty much have no choice but Firefox (or Firefox-based browsers) if we want a vaguely native, somewhat integrated system (well, there's Konqueror if you use KDE but it's not up to the same level as Firefox and Internet Explorer). There's no competition, no choice, and no reason for Mozilla to focus their development effort over on this side of the fence. And we suffer for it, with form widgets that don't look right and menus that don't work properly.
Re:Fixed is hours! (Score:2)
I'm a Firefox user on both Windows and Linux, but I think you unfairly downplay Konquerer. Konquerer has benefited from its common source base with Safari, and actually does better in some ways (Acid 2 test?) than Firefox 2.x does.
Props to the Konquerer team, I say.
Re:Fixed is hours! (Score:2)
So
Normally I don't use inflammatory terms like "apologist", but in this case, I think the characterisation is appropriate. If there's anything tiresome in the matter, it's not those who take the opportunity to point out the history, but those who repeatedly insist that doing so is somehow unfair, undeserved, or worse, somehow not relevant.
Re:Who cares? Use Opera (Score:4, Informative)
Re:Who cares? Use Opera (Score:2)
Re:It must be Microsoft's fault (Score:2)
Re:It must be Microsoft's fault (Score:3, Informative)
Well then, let's see!
Hmm, look pretty similar to me. Maybe that because it makes no sense if normal users cannot read and execute applications and their associated data? Program Files on Windows being readable by everyone has nothing to do with what is a Firefox vulnerability.
On the other hand I guess you're right. No "Program Files" directory on the Linux machine, it must be safe!