Zero-Day Vulnerabilities In Firefox Extensions
An anonymous reader writes "Researchers have found several security holes in popular Firefox extensions that have an estimated total of 30 million downloads from AMO (the Addons Mozilla community site). Three 0-days were also released. Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension." The affected extensions are Sage version 1.4.3, InfoRSS 1.1.4.2, and Yoono 6.1.1 (and earlier versions). Clearly the problem is larger than just these three extensions.
Yep that's why I avoid extensions (Score:3, Informative)
Re: (Score:2, Insightful)
I completely agree, and I have been talking against the extension model for a long time. They are one of the main reasons why I use Opera instead of FF, as then I have only one vendor to introduce vulnerabilities, and it's the vendor I need to trust in any case to use the browser. Opera's inbuilt functionalities fortunately enable me to do the things for which I'd need to use extensions on FF.
Re: (Score:2)
The ad blocking functionality is limited in Opera, though. While its image-blocking setup works just fine, you can only block scripts based on the URL of the page being viewed, not by the URLs of each of the scripts themselves.
That said, I do use Opera at work since it's more responsive than Firefox.
Re: (Score:2)
Why? Then I have useless queries to 127.0.0.1 which stall and finally give me 404’s.
Better to filter it at the original HTML content, and simply not even request the parts I don’t want to download.
Re: (Score:2)
It is not always so. At the browser level ad blocking can remove iframes and make the page look cleaner without strange white blocks.
Also, regular expressions can identify in-house ads that can't be removed at the DNS level.
Re: (Score:2)
Mod parent down - that's a load of horseshit. DNS resolves hostnames, whether it's doubleclick.net or bankofamerica.cz. You break the Internet when that deliberately stops working - even just by yourself. And God help you if you run a webserver on your computer.
A filtering proxy is the way to go. That's what they're for, and a proxy is expected to modify the content.
Instead of ad-blocker extensions, use CSS (Score:2, Interesting)
I use the customized CSS from www.floppymoose.com to block ads in Firefox. Works like a charm! I've been using it for about 5 years, and there hasn't been a single security incident associated with this solution.
Re: (Score:3, Informative)
Oh, advertising on /.'s comments?
Partnership Program
The Ad Muncher partnership program allows you to refer people to an address like:
http://youraccountname.admuncher.com/ [admuncher.com]
and receive 20% of all purchases later made by those people. For more information please visit the partnership program website.
"foropera" is just his partner alias. Sad.
Re: (Score:2)
You are correct that Opera's single vendor model is "safer" but the lack of extensions is a problem. If I see a youtube video I like, Opera has no way to grab it. Neither does it have an easy way to zoom-in on tiny photos. It's one of the reasons I've stayed with Firefox so I have the addon option if I need it.
Re: (Score:2)
That's what the widget model is for. There are a couple of widgets for grabbing video.
Re: (Score:2)
Opera Widgets are cross-platform and cross-device applications made with Web technologies;
Thus, no problem.
Not the problem (Score:2)
I have been talking against the extension model for a long time.
The problem is not with the extension model. It is with the Firefox implementation of the extension model. If done properly, the browser would not be exposing an API to the plugin that is capable of doing naughty things, nor would it be exposing an API for a plugin to alter another plugin. You build a clear but limited line of communication on established browser events, but everything else is concealed from the plugin.
Adblock will save you memory (Score:3)
It will also protect you overall, considering the amount of crap you find in web ads, even on supposedly reputable networks.
Use profiles (Score:2)
Re: (Score:2, Informative)
Doesn't IE8 have all that built in now (F12 key)?
Re: (Score:2)
...says the troll from his mother’s basement. If you actually had a job you’d be more in a situation to criticize someone who does.
Re: (Score:2)
A “minimum”, to me, would really be:
Adblock Plus
Download Statusbar
Video DownloadHelper
IE Tab
Screengrab
Tab Mix Plus
I don’t know how much bloat I’m adding by having them, but they all provide functionality that I really prefer not to do without. The only one that I’d be willing to waive is Screengrab, but it’s damn handy to have.
Re: (Score:2)
Memory waste? You mean like NoScript, which out of principle can’t work?
(NoScript blocks JavaScript, except for those sites where you enabled it because you needed it. Which happen to be exactly the sites that XSS attackers target! And don’t try to argue that you just don’t go to those sites. Because following that logic, you would have to stop receiving any data packet from the net. Because someone could crack the TCP/IP stack, the HTTP module, the HTML and CSS parser, the image loader, e
Re: (Score:3, Informative)
BULLSHIT.
Just to save anyone else the trouble...
That page claims to require 400 MB of memory in Firefox 3.5, supposedly due to memory leaks. Opening that page, and that page alone, in a clean Firefox session took only 50 MB of memory... compared to 47 MB to display about:blank.
GTFO with your FUD.
Re: (Score:3, Informative)
Check again. Try looking at how much memory Firefox is allocating and not how much of it the operating system is currently keeping in memory. Most operating systems are smarter than the applications and flush any excess stupidity to the swap-file, so the ineffici
Re: (Score:2)
That page specifically said that it was RAM, by the way, not virtual memory size. “400 MB of RAM”. Virtual memory / swap size has nothing to do with it. Thus, your comment is completely incorrect and irrelevant. Yet you claim I’m the one who is wrong... *rolleyes*
Measuring the RAM usage makes sense, anyway. If it’s only just finished loading, and it’s still being displayed on the screen, there’s no reason to expect it to be swapped out so soon.
Even so, I checked it again,
Re: (Score:2)
P.S.
If you really want to bring Firefox to its knees, just save this short bit of test code as a .html file and open it.
Hell, don’t be picky – test it in all your favourite browsers and operating systems. Report back with results. I have no idea how well Chrome would handle it, for instance.
I do know that Firefox has ballooned to 367 MB of virtual memory usage and stands at over 20 minutes of CPU time (no idea where those figures stood before I opened the page, but meh... I’m guessing the
Re: (Score:2)
BTW, it clocked out at ~22 minutes of CPU with 420 MB of VM. Running the test by clicking the button only takes on the order of a few seconds, unlike generating the page to begin with, so don’t be worried about it taking forever if you want to see what that does. Not a whole lot... just changes the title on all the link elements. I originally wanted to see whether it was quicker to copy elements.length to a normal variable once rather than referring to it every time in the loop condition.
Re: (Score:2)
(note: I don't own a Mac and run IE almost exclusively)
*Booooom*
Re: (Score:2)
There was a time when you couldn't get more than half a gig on a machine. Maybe he's using one of these dinosaurs.
I have to say, I am depressed... (Score:2)
: (
FF is my favorite web browser because they always made sure to be more secure than IE. I guess when it comes to add-ons and extensions, it's always a crap shoot, but I always thought FF was better at handling security for extensions than IE, I guess
I will have to go back to using Lynx now because I trust nothing else...
Life will be boring
Re:I have to say, I am depressed... (Score:5, Informative)
If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.
Re: (Score:3, Funny)
If you're that paranoid — use a virtual machine to browse the web and rollback to a trusted, clean snapshot a few times a day.
Yeah, but how do I know that the snapshot is clean? Or for that matter how do I know that my virtual machine hasn't been compromised?
They could have put a chip in my brain that makes me think that I'm browsing securely but in fact I'm not!
And who are you to be posting these things to make us feel like we can be secure? The sig of yours is French, no? But your user name looks Arabic. You could be a French secret agent with an Arabic code name - or, an Islamic Jihadist, hiding in France acting like a frien
Re: (Score:2, Funny)
They could have put a chip in my brain that makes my think that I'm browsing securely but in fact I'm not!
So, you have hardwired your brain into your computer and are using it as a Firefox extension? This makes my head spin.
Re: (Score:2)
Better yet, create a special user or two, one for anonymous browsing and one for your security relevant tasks (banking etc). The first one should be automatically reset after use (I use an Ubuntu guest account for that), the other one should have an encrypted home folder. At least make sure your browser is up to date if you use farlukar's scheme.
Re: (Score:2)
As if that would help if you’re paranoid.
You haven’t read about the Russian cracks where they got out of the virtual machine, by attacking it itself, and then wrapped a very thin VM around the entire outside OS, right between it and the metal.
In (Ex-)Soviet Russia, program virtualizes YOU!
Re: (Score:2)
Already done my friend, you are telling me nothing new...but for the endless clients I have installed
their machines for them (like my grandma) and can't use that app (too hard)...I always felt some level of security adding FF to their installs so they could have a bit more confidence surfing the web.
Re: (Score:3, Funny)
You can’t possibly be serious...
Re: (Score:2)
Linux is boring? Sacrilege! You get to read all those obscure docs and get into flamewars with developers. How is that not fun? ;-)
Which reminds me, what Linux needs is something like what I had on my old Amiga PC: A graphical way of interacting with the CLI so I don't have to remember all those obscure commands like "sudo -s -t /whatever"
Re: (Score:2)
There's really no excuse for Firefox to allow at least some of the more common security flaws - or at least allowing those flaws to cause problems.
First, sandboxing of extensions should limit what problems can be caused.
Second, a lot of errors are caused by the overflowing of buffers - a problem that could be limited by the use of stretchy buffers or bounds-checking malloc implementations. Or not allowing direct access to the heap.
Third, Firefox (and indeed all programs) should run on the principle of least
Re: (Score:2)
First, sandboxing of extensions should limit what problems can be caused.
While also limiting what functionality can be created.
Damned Activex Controls! (Score:3, Funny)
This is why Microsoft should turn off Activex Controls altogether.........oh wait........
Lobo? (Score:2)
There really needs to be Java (or other "managed" language based) based browser (like Lobo). Unfortunately Lobo is not (yet?) ready for prime time.
Re: (Score:2)
Garbage collection does not protect against *any* security breaches. It may even introduce a few security issues (e.g. files not closed since the destructor is not called in time). The lack of pointer arithmetic and addition of bounds checking, on the other hand, certainly does protect against many security breaches. It also enables a better component based design where one component cannot change the behavior of other components. E.g. in Lobo it seems that there is an API that enables plugins. If this API
Re: (Score:3, Informative)
I'm very much in favor of that. I would even like to help build a Java based browser (e.g. with an OSGi based plug-in system). But the thing is that these extensions use all kinds of technologies, but not C/C++ (as far as I could see). So if the browser was managed code you would have the same issues. Managed code helps against many bugs, but not against all.
Related link with more info on LWN (Score:2)
A quick Google search found this interesting article [lwn.net] from August of this year.
Go NoScript! (Score:2)
Re: (Score:2)
Wow, this is a big [citation needed], and if it’s true, were they suitably bitch-slapped for it?
Re: (Score:2)
Citation: http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ [hackademix.net]
And there was as much bitch-slapping as ever occurs when any OSS developer does something blindingly stupid. The Internet's huddled masses screamed incoherently at them for a few days, and they realized that they weren't going to get away with it. Many, myself included, vowed to never again let Giorgio Maone's code run on any machine under our control.
Re: (Score:2)
Wow, yeah, he sounds pretty butthurt in that blog entry. *rolleyes*
At least the sites that tell you to disable AdBlock or you won’t be able to access their content are up-front and honest about it, and ultimately leave the decision in the visitor’s hands whether to enable their ads or just never visit again.
Re: (Score:2)
Meh. I really don’t blame it on Mozilla... addons are supposed to have pretty broad privileges. It’s up to you to decide whether you trust the publisher of the addon enough to install their stuff. The same would go for any application.
And I’m sure you’ve noticed that several other people provided citations for the claim, so no worries – saved you the trouble.
Re: (Score:2)
Of course it's true, all extension objects are accessible by other extensions. Only web page scripts are sandboxed. Which is nice, because it allows me to control NoScript through Vimperator scripts.
Re: (Score:2)
Basically, yeah. Addons are supposed to have this sort of privilege, it’s just up to the publisher to use it responsibly. Mozilla tries to enforce certain rules about how the addons should play nice, but they can’t catch everything.
Re: (Score:2)
It was posted at 18:18 on a Friday evening. I don’t always check Slashdot on the weekends.
It's about trust (Score:5, Insightful)
The problem is not necessarily with Firefox's security model - Firefox never claimed that plugins were secure. The problem is with perception. Users need to be aware that installing a plugin is tantamount to installing an application. You wouldn't willy-nilly install any old software on your computer. (Well, some people would, but hopefully not too many who frequent Slashdot.) You should take the same caution when installing a plugin.
The problem is that there is a perception that since Firefox is trusted then its plugins should be trusted. Especially those that are listed in Firefox's official plugin repository. Maybe some more verification is necessary before admitting these plugins, and definitely some more user education is required.
Re:It's about trust (Score:4, Insightful)
I'm in the 'supposed to know crowd' and I had this misconception for a long time. If I failed so quickly in this aspect, what hope is there for "ma and pa" and the rest of the fam'? Which makes the question simply -
What is easier to fix? Firefox's security model or most of the world's perception?
Re: (Score:2)
Well, probably the world's perception - adding a small warning would probably be pretty easy, and effective. The whole point and flexibility of Firefox is the fact that an add-on, which is mostly Javascript, can essentially rewrite the browser, as the browser is basically written in Javascript (as I understand).
That's the reason they don't call them plugins or "browser helper objects". They're not subordinate and can arbitrarily replace bits of the browser. The browser can't sandbox it or check it, you need
Yawn... (Score:2)
This will get fixed in Firefox shortly & then it will be even more secure. What's the problem?
Either way, I'm so hooked on the 20 or so extensions that I use, that I'd never go back to anything else. IE is the pits. Chrome's speed just isn't that big of a deal. Opera is ok, but the users are worse than Mac snobs.
color me unsurprised (Score:2)
I've always tried to keep a check on my addons for exactly this reason, the more code you're running the more chance there is an exploitable bug in there somewhere. While steps can be taken to prevent an exploited addon doing damage, I don't think much can be done to prevent a buggy addon doing exactly what it sets out to do but wrongly.
The good news is that because all the functionality comes from addons they can be disabled and only affect users that want these features, so bob wanting to use his browser as
Privilege separation (Score:2)
It's lovely and fussy and all things nice. A world facing app like a web-browser should make use of it.
Really with the performance of current desktop computers and even netbooks there's no good reason not to stick potentially vulnerable parts of your browser in a separate process and block it from accessing anything it does not absolutely need to deal with.
For what it's worth... (Score:2)
A world facing app like a web-browser should make use of it.
Chrome does. Yes, for its extensions.
If Microsoft (Score:2)
If Microsoft spent as much time on their own software, as they do trying to belittle others, then they might be able to fix some of the gaping holes in Windows. But, I guess it's better politics to throw mud, than to clean up your own messes.
0-day? (Score:2, Insightful)
Re: (Score:2, Informative)
True. A zero-day vulnerability is one that is found the same date the program is released. So unless these extensions are all brand new, these are not 0-day incidents.
Google Chrome (Score:2)
It's looking like Chrome will have "locked down", minimal privileges extensions. At least, in theory. An extension can request only the privileges it requires (manipulate tabs, manipulate windows, access specific wildcarded urls) and the user is notified of what the extension will be able to access when it is installed.
Unfortunately the price seems to be that extensions are far more limited in Chrome than they are in Firefox since they have limited access to the UI and such. For example, you can do a pa
New version (Score:2, Informative)
Re: (Score:2)
Good to know. Yoono also appears to have released a new version. Sage is still at the version that is reported to have the insecurity (1.4.3).
Re: (Score:2)
Sage is still at the version that is reported to have the insecurity (1.4.3).
I just checked, thankfully I'm still using the 1.4.2 version of Sage, so no worries here!
Re: (Score:2)
Actually, “and earlier versions” applied to all three extensions, not just Yoono. Am I about to get whooshed?
Re: (Score:2)
Suppose you watched the Firefox commits when they do a security update (or reverse-engineered an IE patch) and discovered how to exploit a fixed vulnerability 2 days after the update. You could call that a 2-day vulnerability, and the small number of days means that a lot of people haven't patched yet.
So a zero-day vulnerability means that nobody's gotten a chance to patch yet, because the security hole is discovered before a patch is available.
Re: (Score:2)
Geez, I wonder where you could find that sort of information... [lmgtfy.com]
Re: (Score:2)
*hyperbole may have been applied here.
Re: (Score:3, Insightful)
Isn't the point that they have been seen now, if those holes were in closed binary addons (like coolaris preview) then they would never have been seen.
Re: (Score:2)
Um... posting things on slashdot about exploits? The many eyes doesn't mean all security bugs will be fixed before software ships. It means that over time the open nature will mean that the bugs can be found and closed easier.
Re: (Score:2)
But, if the 'many eyes' were being honest with themselves, they should have cried foul at the insecure way extensions are handled before exploits were even known. It really isn't acceptable to give any random extension that much control over your software IMO.
Re: (Score:2)
The real trouble is that this is the way it’s designed, and it needs to stay this way.
Just like the real trouble with running arbitrary .exe files you download off the net is that .exe files are trusted a whole lot more than arbitrary files you download off the net ought to be.
Re: (Score:2)
The real trouble is that most extensions are in javascript and javascript is not a language that emphasises security.
I don't really know of many languages that "emphasize security" -- indeed, Javascript is more sandboxed by default than most languages I know.
The fact that there is no way to perform a "use strict;" (as in Perl) is for starters a way to get access to all the other global variables in other scripts.
And the solution to this is obvious -- if you want to isolate scripts, isolate them at the runtime level, as you do for separate tabs/pages.
also gives access to all the possible extensions that are installed... Because of the lack of strictness in javascript as a language, if a global variable XYZ is in one script, it can be manipulated by any other script as well... Fundamentally it is a problem with Javascript and not with the Mozilla API.
Sorry, but that looks to me very much like a fatal flaw in the API. A strict language may allow you to compensate somewhat, but there is no reason a global variable needs to by default be accessible from every script.
allows you to do a lot of things.
So did older
Re: (Score:3, Informative)
Or use a clean firefox without extensions.
Of course, without extensions there isn't much that sets firefox apart from chrome except for the license. Some purists will prefer firefox for that reason but it's pretty much a coin toss.
Re: (Score:2)
Actually, not even the license, really. Just use Chromium, if you care.
Re: (Score:2)
As should extensions that retrieve data from responsible sites, like those extensions that alter google result pages. Assuming Google doesn't try to attack us, they should be fine.
I used to have an assload of extensions, but I've been really trying to restrict what I have for speed issues, so I'm not that worried.
That actually makes sense. (Score:2)
From TFS:
Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension.
Not one of these is true of Chrome extensions -- or at least, it is possible to develop extensions which are not fully trusted.
Re: (Score:2)
Maybe I'm crazy for not expecting this to be the default for all extension systems, but I was impressed.
Re: (Score:2)
they weren't interested in using extensions
Give them AdBlock Plus and let them use it for a while, and I honestly doubt they’ll still feel that way.
Re: (Score:3, Funny)
I thought you were trolling, and then I read this:
I'll be switching my law firm back to IE and looking into a lawsuit against all FF contributors for their grossly negligent behavior.
Poe’s Law [rationalwiki.com] appears to be in full effect today.
Re: (Score:2)
It is Java again, just on different name because Microsoft has convinced anybody that Java is bad.
- Anybody knows what sandboxing is ?
- Defining privileges for applets or for downloaded applications ? (Java web start)
Anybody see the similarity between C# and Java (really CLR is a JVM, oh boy how much Microsoft has struggled to convince you that CLR is not a JVM)
So, just use Java, you cannot even say that it is slow, after Vista and Windows 7, anything is fast !
Firefox extensions could just be Java applets (