Meet the Unmagnificent Seven: The critical holes plugged in Firefox update

Firefox maker Mozilla has pushed out a new version of its web browser in which multiple security vulnerabilities have been fixed - and seven of them are rated as critical. Firefox 24, released on Tuesday, grapples with a total of 17 exploitable flaws: the most dangerous of the squashed bugs, which could have allowed an …

COMMENTS

This topic is closed for new posts.
  1. codeusirae

    Try and not to be so negative ..

    Firefox 24 arrives with WebRTC support, NFC sharing on Android, new scrollbar style in Mac OS X 10.7, ability to tear-off chat windows, fixed-ratio audio resampler in webrtc.org ..

    http://www.mozilla.org/en-US/firefox/24.0/releasenotes/

    1. Greg J Preece

      Re: Try and not to be so negative ..

      Been meaning to play with WebRTC, and now it's in Firefox I think I might!

      1. Jordan Davenport

        Re: Try and not to be so negative ..

        WebRTC has actually been in Firefox for a while now. It's just new to the Android version in 24.

        As a side note, it is my preferred browser on all platforms, but I see they still haven't fixed the weird bugs with text entry in the Android version. I typed this response on my tablet and have had troubles with the cursor jumping around when trying to clarify pronouns with unset antecedents earlier in the paragraph.

        1. Michael Wojcik Silver badge

          Re: Try and not to be so negative ..

          I typed this response on my tablet and have had troubles with the cursor jumping around when trying to clarify pronouns with unset antecedents earlier in the paragraph.

          Man, autocorrect has really gotten out of hand.

    2. Anonymous Coward

      Re: Try and not to be so negative ..

      Why not?

      I am expected to be excited about Firefox fixing things? I have personally stopped caring - with Mozilla, it seems that every "fix" of a problem also comes packaged with a unilateral decision on altering the user experience whether I want it or not.

      I am sick of it.

      I'm sick of the Mozilla developers' arrogance in making changes regardless of what their users prefer and then afterwards hitting complainers with the equivalent comeback of "Deal with it". I've shut down my Firefox autoupdates and will manually update...when I'm damn good and ready. I might actually stay at my current level just out of protest, frankly, and truly do not mind seeing Firefox's market share drop - the developers need a much larger dose of humility than they are apparently used to getting.

      Firefox USED to be an almost automatic choice for extremely friendly alternative browsers, but I think most people are starting to grow tired of this roller coaster ride. If Mozilla wants to strip Firefox's UI down to the level of Chrome then I would just switch to Chrome...if that is what I wanted in the first place. Since I don't, it looks like I'm going into "Protest Mode".

      1. Jim 59

        Chrome

        Chrome == Google stalkware

        Try the disinfected version - SRware Iron

    3. Anonymous Coward

      Re: Try and not to be so negative .. @codeusirae

      All very well, but can you view web pages with it? And reliably?

  2. Roger B
    Thumb Up

    Tannin, any comment?

    I was going to just copy and paste your IE rant into this and swap out Firefox for Internet Explorer, but I thought I'd wait and see if you could manage to do it yourself.

    But, to be on topic, nice one for getting these fixed, FF is my preferred browser of choice and while the version numbers are getting a bit mental, always nice to see fixes being pushed out.

    1. Irony Deficient

      Firefox version numbers

      Roger, they’ve also released 24.0 ESR, so if you stay on their ESR track (and if they continue to follow past practice), you won’t see a new major version number until 31.0 ESR.

  3. Anonymous Coward

    Surprise!

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

    People need to give themselves a shake and stop using MS products!

    1. Ragarath

      Re: Surprise!

      Try posting with your real name, you can use the troll icon then!

    2. Maharg
      Facepalm

      Re: Surprise!

      “Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.”

      Yep totally right, for instance these 16 (is that enough?) links from this site illustrate your point perfectly.

      http://www.theregister.co.uk/2013/08/19/fooling_the_appstore_one_codechunk_at_a_time/

      http://www.theregister.co.uk/2013/08/08/linux_banking_trojan/

      http://www.theregister.co.uk/2013/07/09/android_sig_vuln_exploit_seen_in_the_wild/

      http://www.theregister.co.uk/2013/08/02/fbi_staff_admit_hacking_android/

      http://www.theregister.co.uk/2013/02/20/apple_java_omnishambles/

      http://www.theregister.co.uk/2013/05/01/google_glass_security_nightmare/

      http://www.theregister.co.uk/2013/07/16/android_sig_vuln_analysis/

      http://www.theregister.co.uk/2013/03/07/baseband_processor_mobile_hack_threat/

      http://www.theregister.co.uk/2013/02/21/iphonedevsdk_hack_involvement/

      http://www.theregister.co.uk/2012/09/21/android_nfc/

      http://www.theregister.co.uk/2013/07/22/master_key_doctored_apps_google_play/

      http://www.theregister.co.uk/2013/07/17/google_glass_qr_exploit/

      http://www.theregister.co.uk/2012/11/30/cloud_based_web_browser_exploits/

      http://www.theregister.co.uk/2012/04/19/instagram_android_sms_trojan/

      http://www.theregister.co.uk/2012/11/23/mystery_chrome_0_day/

      http://www.theregister.co.uk/2012/09/26/samsung_remote_wipe_app_fix/

      1. Destroy All Monsters Silver badge
        Paris Hilton

        Re: Surprise!

        Why would you want to compile such a list?

        1. Maharg

          Re: Surprise!

          because he was wrong and I had 2 minutes to spare

      2. Anonymous Coward

        Re: Surprise!

        The Linux banking trojan was a load of crap that didn't work.

        http://www.zdnet.com/linux-hot-bank-trojan-failed-malware-7000020436/

        Keep up.

        1. Maharg

          Re: Surprise! @AC

          I didn’t say it was correct, I didn’t review any of the articles, but the quote I was replying to was:

          ““Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.””

          Keep up.

          1. Anonymous Coward

            Re: Surprise! @AC

            And if you look in the comment thread of each of those articles you'll see the same hilarious "why is it always microsoft" comment. Yes, if I repeat it often enough IT WILL BECOME FUNNY!!!!

            1. Michael Wojcik Silver badge

              Re: Surprise! @AC

              Yes, if I repeat it often enough IT WILL BECOME FUNNY!!!!

              Unfortunately this behavior is asymptotic.

  4. Rol

    Linux anyone?

    While FF might have left a few doors ajar, it is the OS architecture that has left your prized possessions on the table in the hallway.

    Linux isn't beyond fault, but it is so damnably hard to crack it open that script kiddies just wouldn't bother.

    So while FF before the patch had a few cracks, the vermin that might crawl in are looking for Microsoft morsels and would die of starvation on a Linux system.

    Dual boot and use Linux to access the internet, if only for the occasions you want to trawl through the sewers.

    1. Anonymous Coward

      Re: Linux anyone? @Rol

      Straw man arguments are feeble.

    2. Paul Crawford Silver badge

      Re: Linux anyone?

      I use Linux and recommend it to friends/family, but I never tell them it is "safe". You have to always be careful and never, ever, assume the machine is immune.

      On a side point, most distros disable the apparmor profile for firefox - that is a dubious step to allow easier file down/up load from a non-default directory. If you are very serious about security you should enable it to sandbox the browser.

      Oh, and if really serious, use another account for dubious browsing, maybe a 3rd for very important browsing. And change the /home/* directories to remove 'other' access.

    3. Jordan Davenport

      Re: Linux anyone?

      I'm a Linux proponent, but even I can't back your sentiments here. Once you get malware on a computer that's compiled for that target system, it's going to run with whatever privileges it's given by the current user, no matter what OS you're using unless memory is so thoroughly managed that you need a 3GHz or faster CPU core just for a simple calculator or text editor.

      Malware that can gain root/admin permissions has been steadily on the decline for several years now, even on Windows. Linux on the desktop is barely used at the moment (though market share is slowly rising), so it's not profitable for malware developers to compile for the system. The best practice is just to stay up-to-date with security patches and be careful about your browsing. You can take a proactive approach if you're ready for the hassle by installing several security extensions such as Ghostery, AdBlock, NoScript, etc; disable third party cookies; make plugins click-to-run; etc. Simply running on Linux won't offer you much protection unless it's an environment loaded into RAM and never saved to the disk.

  5. Gene Cash Silver badge

    Android web video sucks

    There's no way to keep it from autoplaying w/o just turning everything off in about:config. Thus, I got annoyed by videos & sound autoplaying on kickstarter and turned every-damn-thing off. I don't want that shit happening in the middle of a restaurant or a meeting or something like that.

    I thought that sort of rude crap was gone when we saw the last of Flash on Android. I guess not. Retards.

    1. Mystic Megabyte
      Big Brother

      Re: Android web video sucks

      Call me old fashioned but why would you be using a "smart-thing" in a restaurant?

      P.S. I don't own a "smart-thing" and at this rate will probably never own one in view of the lack of privacy etc.

  6. Dan 55 Silver badge
    Stop

    Confused

    If FF 24 were just a bugfix release as the story seems to suggest then it would have been called 23.0.2.

    1. Destroy All Monsters Silver badge

      Re: Confused

      NEVER! These are HUGE BUGS that warrant a full VERSION INCREASE!

    2. Tom 13
      Unhappy

      Re: Confused

      You haven't been paying attention Dan. The Chocolate Factory re-wrote the rules for versioning. Every time you update you now do a full number increment.

      If we were following your rules we'd still be back at about version 6. The last update under the old rules was 3 point something. They inexplicably jumped to 6 for the transition and it's been going up a full increment about once a month since then.

      Icon because like you, I remember when the numbers were somewhat meaningful.

  7. cyberdemon Silver badge
    Unhappy

    Lamentable

    Firefox used to be a really good browser, but I'm really not sure what happened to make it what it is today: Frankly a pile of cack.

    It's still miles better than IE of course, but it's a shame that I now have to choose between a browser that is probably tracking my every move (Chrome) and a browser that crashes all the time, eats all my memory, and just generally plain sucks (Firefox). Regrettably I choose the former.

    It was around version 3 when things started getting bad. I can't entirely remember why. Then they changed the menus, broke all the extensions, and started doing silly version numbers and it was all downhill from there.

    1. Anonymous Coward

      Re: Lamentable

      a browser that crashes all the time, eats all my memory, and just generally plain sucks (Firefox)

      Have you tried disabling all your extensions and plugins in Firefox and noting how crashy it is then? Badly written extensions are often the culprits. If it's stable then add the extensions back in one at a time to see which is/are causing issues. I've seen installations that have 50+ extensions installed. To be frank, that's just asking for problems.

      Firefox never crashes here on any platform.

      1. cyberdemon Silver badge

        Re: Lamentable

        Nope. No extensions.. The last time I used it was on a University PC with Firefox installed as part of their standard build. Whenever I tried to use it for literature surveys and the like, it would crash after about half an hour of heavy use.

        I wouldn't be surprised if the culprit was the Adobe PDF plugin (the kind of steaming pile that Adobe is)

        But then again, why should ANY plugin or extension be able to crash the entire browser? Surely there are catch statements to prevent that sort of thing?

        1. Anonymous Coward

          Re: Lamentable

          But then again, why should ANY plugin or extension be able to crash the entire browser?

          Why should anything be able to crash an entire OS? It happens.

          Surely there are catch statements to prevent that sort of thing?

          Firefox plugins have been run in a sandbox since early 2010 and Adobe added their own plugin sandbox a year or so ago.

          Give the current version a try. You won't be disappointed.

        2. DropBear
          FAIL

          Re: Lamentable

          Probably for the same reason any tab momentarily experiencing a total freeze is able to prevent me from at least looking at some other tab in the mean time (or, for that matter, probably the same reason any non-loading Farcebook or similar "social" share button can prevent the rendering of the whole bloody page while also making sure I can't even scroll down in whatever _did_ get rendered at least). In other words, 18th century software architecture, most likely.

          When are these "boffins" finally going to understand that the HIGHEST priority there is on a PC is supposed to go to servicing the GUI, and always, under any circumstances it should be able to render whatever is currently available?!? Please by all means try to imagine a lowly servant - no matter how important a task it is carrying out - telling its king who wants a word with him "I don't feel like it right now, go take a hike while I ponder the mysteries of the universe some more, maybe come back tomorrow". I'm not time-sharing CPU on a 70's mainframe: I'm the king of my PC, and it bloody well should pay attention to me first and do anything and everything else whenever its remaining CPU time permits it to - but this is hardly how it works right now, innit...?

        3. Pascal Monett Silver badge

          Re: The last time I used it was on a University PC

          Yeah, because uni computer equipment is always top notch and never, ever has anything dodgy installed on it.

          Uh-huh.

          I have been a Firefox user for a long, long while. I abandoned IE for Netscape back in the day. Since that time, I stayed away from IE as much as possible, and was quite happy to have done so the day I found out that IE would accept forced downloads without a pip, whereas Firefox popped a warning panel with possibility to refuse (I'm sure that issue has been fixed since). What keeps me on Firefox is simply NoScript - the most browser- and privacy-securing extension that can possibly exist.

          That said, my Firefox (which is not up to the last version) has a curious habit. When I'm working on the PC, I have no trouble, but if I leave it on in the evening to go watch a film or some other hour-long activity, sometimes I come back and, now and then, the PC is hung. A Win 7/64 PC.

          I'm pretty sure that Firefox is the culprit, because when I leave the PC on for an all-nighter, I always shut down everything that is not essential to what I'm doing, and there never is any issue there - the PC is always on in the morning.

          So there is some niggle with FF on my PC, not a biggie. Maybe the next version will fix it, maybe it won't, but I'm not leaving FF until you pry NoScript from my cold, dead hands.

    2. Tom 13

      Re: not sure what happened to make it what it is today

      One word: Chrome

      As to why, that I'll never understand.

    3. Dan 55 Silver badge
      Unhappy

      Re: Lamentable

      Well get ready for FF 26 or thereabouts because the UI is going to get Chromified.

      I'm not sure what this relentless drive to dumb-down the UI is about, in the last couple of versions we've lost image blocking (using a tethered laptop? screw you then), JavaScript disabling, and in this version CRL management.

      I'm generally happy with FF, no memory problems or speed problems here (probably due to bad add-ons) but needing 4-5 add-ons to bring back functionality lost since FF 3.6 because they can't sit down and think of a UI that isn't like Chrome is annoying.

    4. Anonymous Coward

      Re: Lamentable

      Pale Moon and SRWare Iron are a couple (out of many) alternatives you might want to take a look at.
