Mozilla has plugged a critical unpatched cross-platform vulnerability in Firefox a week ahead of its previously announced schedule. Firefox 3.6.2 fixes a flaw first discovered by security researcher Evgeny Legerov last month, and confirmed by Mozilla last week. The zero-day vulnerability - now identified as an integer overflow …
Now I can stop using Chrome. I like Chrome in most things (and the tab tearing off works much better in Chrome than in Firefox) but the lack of decent RSS support in Chrome (ie being able to display a readable form of an RSS feed within the browser) ruins it for me.
Well done to Mozilla for getting the bugfix out early.
The best way to view RSS in Firefox is the Feedly plugin/website. It actually makes RSS feeds useful.
Evil Bill, to offset the anti-Apple-tard below.
You must read a lot of RSS for that to be an issue. For me, the FF "awesomebar" is much more awesome than the Chrome version, and deleting unwanted cookies when the browser closes is something Chrome can't do.
So basically, they shat themselves and got into gear to appease Germany and the EU ASAP.
@The Emperor's new clothes
Back again with the same old schtick. Stop being an AC and come out of the closet.
Bit like you then.
"You can't handle the truth"
Doesn't change the fact that they shat themselves and released a patch "early" (if you can call it that after waiting a month already - It's like waiting for Patch Tuesday) because of what the German government started and the press picked up on.
Does it, Dance for me, monkey boy? Or may I just call you "Dance"?
The fact is, every time something like this happens, it's another mark on their track record. Long term, you can sense where it's headed. Netscape were once the darlings of the browser world, now they're just hated for NS4. Microsoft wowed people with IE5 and all the amazing things it revolutionised web browsing with (dynamic rendering, innerHTML, XMLHttpRequest, XML/XSLT, providing a platform for web-based applications, etc), now they're hated for the IE6 legacy. Trust me... Firefox is already behind all but IE in terms of standards support, and even then only slightly ahead of IE8/9 for all the things that matter. It's certainly well behind all other browsers when it comes to security. It really isn't going to be long before Firefox becomes the new bad browser everyone hates.
Cue the point-and-grunt -moz-downvoters...
I don't have the full details of this, but it appears that Evgeny Legerov reported this exploit to Mozilla a month ago and they started working on a fix while the details were kept secret. This is standard practice with 'white hat' security researchers - they will release the details of what they have found but only after the developers have had an opportunity to fix it. However, it appears that "Legerov controversially offered to sell exploit code he developed." I don't doubt that the rushed release was a response to the German government telling people to stop using Firefox, but this in turn seems to have come in response to Legerov reneging on his agreement.
As I said, I do not know the full details, and this is only my interpretation of events. Perhaps someone has more information about what actually happened.
@Cue the point-and-grunt -moz-downvoters...
That is such a weak debating tactic.
Personally, I tried Chrome and Safari and thought they were awful. I've used Opera off and on for years but find that increasingly poor and never remotely as pleasant to use as even IE, let alone FF. After putting up with IE for many years, i.e. using it alongside FF, I've had enough of the M$ approach to security and blocked it via group policy. In FF - where Mozilla still act a hell of a lot faster than Microsoft - I use NoScript, ABP, RequestPolicy and FlashBlock. I keep machine security updated and competent. I don't get infected. Like so many other users who know what they're doing. For the ones that don't, the internet is insecure and becoming a victim is all but guaranteed.
I will call you 'Weakman'.
With the notification I got when running Firefox as standard user about the patch being available :)
This is why FF/open source rock; contrast this with IE's track record in plugging vulnerabilities. Get the latest FF here: http://www.mozilla-europe.org/en/firefox/
IE's track record?
IE6 was released in 2001 and still gets security updates. Conversely, FF2, released in 2006, does not. From that I conclude that IE is better at plugging vulnerabilities.
...more seriously, I know what you mean, but there's more than one aspect to security. For example, IE's once-a-month update cycle means compulsive-updaters are less protected for up to a few weeks, but has the upside of being the difference between large corporations updating once a month, after testing, or large corporations not bothering at all because tracking and testing updates as they're drip-fed out is too much hassle
which is better? depends who you are, really
A MONTH for a highly critical security vulnerability that has numerous live exploits on the web is NOT a good track record; in fact it's an abysmal track record. It might be better than IE, but compare it to Safari and Opera, both closed source, with vulnerability fix times in the region of DAYS and not WEEKS or MONTHS as with Mozilla.
Worse still, Mozilla were quite happy to allow this critical vulnerability to wait for another few weeks; they released it early when threatened with a media storm led by the German government. Clearly they value bad PR as more important than their users' security, otherwise it would not have originally been scheduled for next month.
This shows how the myth of Open Source community providing prompt fixes clearly does NOT work... It's exactly that, a myth. All Open Source does is allow hackers to freely browse your code looking for exploits..
Security by Obscurity?
AC, I'm pretty sure everyone is aware that security by obscurity doesn't work, which is what a closed source system is to software exploits. Safari is based off of WebKit, which last time I checked was open source. I also remember the article talking about how there were no "weaponized" exploits out there. Doesn't mean there aren't any, but it doesn't mean that there are "numerous live exploits on the web".
Yeah, and security by obscurity works sooooooooo well.
Went like this
There is an insecurity in your multi-megabyte program and I'm not going to tell you what it is.
What! A week later and you don't believe me? You haven't fixed it? Secunia believed me, I gave this smart guy's name as mine and they like him...
Safari is mostly closed source... It's opensourced part of it, as it helps their agenda.
@AC 23rd March 2010 15:23 GMT
Freaking cowards, have to get a time stamp to identify the scum...
You are so ignorant it hurts, AC. Yeah, JUST the rendering engine of HTML, nothing important for a browser, sure...
"Safari is mostly closed source... It's opensourced part of it, as it helps their agenda."
Really, AC (anonymous cretin)? They didn't "opensource" anything. They (Apple) used a component SOMEONE ELSE had already released as Open Source. Apple just kept it open.
"Freaking cowards, have to get a time stamp to identify the scum..."
Yeah, I know what you mean, "J 3".
Yup, still me, and you can tell. Now which AC are YOU?
Or which idiot thinks that people should be putting their identification details on line when commenting on random stuff? Want my SSN and home address too?
The word is 'fucking'.
What's in a name?
May just be me, but I think the comments are just meant to be read. "Tags" are an optional extra.
I got 3.6.2 on the 19th
you know: the beta? Installed it, supposed bugs and all. Secunia kept flagging FF 3.6.* as unpatched so I figured they probably don't bother with the betas.
Today having read this story I ran 'check for updates' and got told there was none. So I went to http://www.mozilla-europe.org/en/firefox/customize/ where 3.6.2 was/is offered and no mention of a beta. Downloaded and installed it.
Copied the installer to my Mozilla software store whereupon I was asked if I wanted to replace the beta I got on Friday. Both 7.79MB and dated 16th March. So, offered without reference to the beta, but the beta nonetheless - complete with supposed bugs?
...is a great piece of software, from my perspective. Small, fast enough for me, functional to read pages of high intellectual crap, ermm discourse, like theregister.co.uk and /.
I only use IE9 at work because the bozos of the IT dept can't manage to update FF from something like 3.2 to 3.6. (this is a major institution of German finance, but I will not divulge its identity).
At least they deny me Administrative rights, so that I can't infect the PC thoroughly.
Flashblocker is also a major "selling point" of FF. Reduces CPU load and memory requirements by approx a factor of ten.
GO FIREFOX, GO !
No one experienced any trouble with this security 'fix' then? I couldn't get Yahoo's inbox to load up and wasn't alone in that. Also, those anti-spambot captcha type things wouldn't load on the Mozilla FF support site either so couldn't report it. Fix was to uninstall FF and reinstall/disabling auto-updates. After reading about 3.6.2 vulnerabilities might just downgrade till they fix this thing properly.
3.6.2 releases Mac OS X filename fix
An update to 3.6 saw the demise of the shell wrapper in the Firefox Application bundle. All of a sudden, filename paths with whitespace wouldn't open (but filenames without spaces could be dragged and dropped onto Firefox). This is the first non-beta release with the fix in. Now I can open my HTML copy of 'Bleak House' without re-adding a shell wrapper to the Firefox Application bundle, which would have to be undone manually on update, or renaming/linking the target without spaces in the path name.
Thanks Mozilla for putting the users first, or is it just governments you're trying to appease?
The last beta is always identical to the released version - that's why you didn't receive any new update.
I guess the bit about the bugs
was just ASSuming rather than known.
What exploit code? Secunia has put up a warning for a security problem, but refused to say what the problem was. And none of the exploit code was seen either. That makes it quite difficult to fix, right?
Mozilla received more information from Legerov last week (when he *finally* released the exploit code), and a patch was available on the 18th.
AC: where are your "numerous live exploits"? You're not just an AC, you're also a liar.
To those who responded to the anti-FF trolltard AC
Come on guys. It's pretty obvious why he can't put his real name to his posts. After all, the words "Steve Ballmer" in the name column would be a bit of a giveaway, would it not?
his relentless fluffing of Safari would indicate a different Steve.
Get Opera, it's more secure, has quicker patch turnaround times in the event that something does crop up (even when it does, it's usually much less severe than Firefox security problems).
It also has better content, noscript and plugin blocking. You can choose between globally blocking everything and allowing individual inclusions, or globally allowing everything and making individual exclusions.
That's not to mention the other benefits, like better standards conformance, better CSS support, better performance, none of the problems of having to upgrade plugins all the time (as all the useful ones are already built in), better memory control etc etc etc.
Firefox is basically for those too stupid or too lazy to explore better and more secure alternatives. They end up having it, because a family friend installed it several years back when it was a better alternative to IE (which it was, AT THE TIME)...
You: "Hey you should move in to that empty house next door, it's got a bigger bathroom and better locks on the door."
Me: "Hmmm, but I like my own house just fine. It has a functional bathroom and my locks are perfectly good. Also I reckon there's a mould problem in that house, and there's a rabid dog in the garden that barks and growls whenever anyone goes near the fence, especially Bill who lives in that huge mansion over the road. No, I think I'll just stay where I am."
You: "You are stupid and lazy"
Me: "Fuck off"
Best way we stop Firefox giving bank details to russian on internet is use the Internet Explorer instead - it come free and work safe and fast.
Sarcasm detector fail
Patching quickly is never wrong;
well done, Mozilla!...