Mozilla has pushed out a cross-platform update for Firefox that fixes multiple security flaws. Firefox 3.5.6 lances three critical vulns in the open source browser software. They include memory problems involving the liboggplay media library, an integer overflow crash bug in the libtheora video library, and a separate memory …
three MORE critical flaws
Remind me again what the main thrust of the multi-million dollar advertising campaign, that worked so well clueless fools repeat it ad-nausium?
Oh yeah, that it's 'safer'.
On the front page of the firefox site "Make the switch to Firefox – the faster, safer, smarter way to browse the Web."
Case for the trade descriptions act if ever there was one.
Re: three MORE critical flaws
Well, keep in mind that these are flaws discovered before they have been exploited. With a closed sauce application you wouldn't know if there were any, would you?
Calling these flaws "critical" is IMHO misdirecting the general ignorant public, e.g. Andrew Norton. They are "critical" in the sense that they _could_ be used to subvert your system. Often closed sauce applications release fixes to "critical" flaws _after_ they have been exploited. And probably (but we can never know) they release fixes to "critical" flaws without even telling anyone.
To compare the security-ness of current browsers please look at how large a timeslice of their lifetime they are susceptible to actual exploited flaws. FF would still beat many (but not all) browsers hands down. Lynx FTW. :-)
Holey browser, fireBatman!
It's a great shame that in all the renaming this browser has undergone before resting on FireFox, they never called it FireMole.
It's just that it would have made it easier to make jokes about holes, you know?
ogg & theora
The guy that thought the browser should be the OS should be killed. Hence the grenade.
Hear hear, HTML5 a bad idea.
At least plugins can be unplugged. Moving this shit into the browser core makes it an inseparable part of the attack surface - that's not minimising it like they should be. It's very like when MS moved GDI into NT kernel mode - and to be fair it really was kind of necessary there to in some way uncripple the performance problems caused when it was a subsystem, but at the same time it did mean that all of a sudden a bug in a font parsing library turns into a system-level vulnerability. Not good. So big thumbs-down from me to the idea of putting video and audio rendering into the browser core.
You can't blame Firefox for that
HTML 5 is a specification determined by the W3C, not Mozilla. The W3C is a standards consortium that includes companies like Microsoft, Apple and IBM as well as independent industry experts. ALL new browsers are expected to support HTML 5 if they are to be W3C compliant - and that includes IE, Chrome, Opera, Safari and Konqueror as well as Firefox.
As a web developer myself, I greatly approve of the changes in HTML 5. Most websites these days involve embedding application-level objects and having to rely on third-party proprietary plugins like Flash, Shockwave, Silverlight and Java has been nothing but a joke if not a nightmare. The new <audio> and <video> tags are an absolute boon to web developers because they allow a unilateral cross-platform presentation of multimedia content without having to waste our time and yours on proprietary plugins. Or having to code 4 different versions of a site to work with all the different incompatible solutions out there.
If you're that concerned about Web security in multimedia content, use NoScript, which blocks the new embedding tags unless you explicitly allow them.
Finally, while there will initially be security flaws with the new tags, when these flaws are discovered and corrected, the remedy instantly closes all doors across all sites. Compare that with the old plugin situation, where you could have many different flaws in different platforms and a fix for one did nothing to fix similar vulnerabilities in others. Adobe might fix a memory overrun bug in Flash but that would not fix a similar bug in Silverlight. Also, the standards in HTML 5 are open for anyone to see and fix, while plugins like Flash and Silverlight are closed and rely on their parent companies to fix them.
No, this is much cleaner. It's well past high time a multimedia standard was embraced by the W3C, and this hasn't come soon enough.
Firfox always has these bug every week we see new ones. Why do people use when they can have the free Internet Explorer which comes in the Windows box and is workng for us better?
If IE is so wonderful
then why is is only available for Windows platforms?
Not everone is locked into the Redmond machine.
Seriously, every browser has problems. We will just have to get on with it. At least with Firefox, mozilla seems interested in fixing things.
@three MORE critical flaws
FF can be considered safer because you are given more control over security settings especially if you use NoScript, although it does contain flaws they're not the same ones as in the dominant browser (IE) and the flaws that do exist are fixed faster than in IE. Not too difficult to understand, surely?
Firefox, the gift that keeps on giving...
Yep, about as secure as IE but they do update FF more often to keep plugging gaping security holes they seem to keep missing.
I'll stick with Safari.
You'll stick with Safari, despite Apple usually taking longer to plug published vulnerabilities than Mozilla or even MicroSoft?
Hype and Antihype
These comments make me laugh, Whenever a flaw is found in Firefox/Linux people jump all over it like flies on shit going 'Firefox/Linux is insecure crap! In your face fanbois!'
Yes, in your face fanbois, but these are found and fixed before they are exploited, whereas it takes a few botnets to appear before Microsoft will get off their arses to do anything about a flaw in their browser. (I exaggerate, for literary effect.)
When a flaw is found in these programs, because they have the marketing of being safe, when it's found they aren't perfect, people go mad. When will people realise that nothing is perfect? I mean, when did you last believe what the latest Microsoft Ad tells you?
Firefox is still > IE.
Case closed. (although likely to reopen if I can be arsed to argue the point.)
To all those morons who miss the point, announcing and plugging security holes is not what makes a browser insecure. Waiting until someone else has forced the issue, and even then waiting till next round of patches is.
I don't need you anymore
I broke up with that bitch, FF last week. Moved all my stuff out while she was sleeping and shacked up with I.E. I've done her a couple of times since but I used my Gmail SMIME condom. But that's it I swear.
3.5.6 Breaks Auto Proxy Auth
If you're using Firefox in an environment using authenticating proxy servers, you may wish to hold off on the 3.5.6 update.
3.5.6 breaks auto proxy authentication, as least for some. Refer to:
Waste of comment section
Whenever there is a story about security SNAFU's in either Linux or firefox might I suggest El Reg do the following?
Add two comments as below, close the comments section and just allow people to "upvote" (FFS) their particular point of view (think of the carbons you could save!):
Linux / firefox (delete as required) is shit, full of security holes and all you fanbois know it. Quit slagging off Microsoft, your stuff isnt perfect either
Micro$haft is so closed you wouldnt know about half of the critical vulns until it's too late. At least open source software is reviewd by many people so critical issues get seen much earlier and fixed much more quickly, even before the bad guys have a chance to esxploit them!
Joke Icon, just in case any rabid fanbois of either persuassion take exception to my JOKE
Post your own message
Brilliant. They'd need to add a third comment for the browser wars though. Something like "Blah Opera, blah blah Jesus blah blah independent blah blah irrelevant."
You are the embodiment of evil and must be exorcised at once.
why MS keep things like IE closed source - they could save themselves a lot of work, as its in a lot of devs interest for bugs to be fixed in IE. Could it be that they're embarassed about the quality of the code base - that if everyone saw it "Emperors" & "new clothes" would come to mind. This may be true of a lot of MS code.
On the subject of FF, surely stories of exploits are a reason to bash an app, not stories of bug fixes that may have never been exploited.
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Review Tough Banana Pi: a Raspberry Pi for colour-blind diehards
- Analysis Pity the poor Windows developer: The tools for desktop development are in disarray
- Product round-up Ten Mac freeware apps for your new Apple baby
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'