Firefox sweeps away carpet bombing bug

Mozilla has plugged two critical security holes in versions 2 and 3 of Firefox. Version 2.0.0.16 fixes a code injection risk involving vulnerabilities in its CSS reference counter, and a flaw in handling command-line URLs that means multiple tabs can be launched when Firefox is not running. The first flaw also affects the …

COMMENTS

This topic is closed for new posts.
  1. Webster Phreaky
    Jobs Halo

    Foot dragging

    "Dubbed the "carpet bombing" bug, this was disclosed by independent researcher Billy Rios in May and patched by Apple - after some foot-dragging - in June."

    ... and only then patched by Mozilla - after an ADDITIONAL month of foot-dragging - in mid-July.

  2. Anonymous Coward
    Unhappy

    Here we go again

    I'm sick and bloody tired of Firefox updates, I'm seriously considering going back to Internet Explorer.

  3. Kerberos
    Flame

    Re: Here we go again

    If you don't like it TURN OFF AUTO UPDATES!

    It's not like IE has less bugs, they just tend to sit on them and do them all at once.

  4. Rhyd
    Joke

    @AC

    Agreed, why can't the Firefox developers get the code right first time like IE?

    Oh, wait...

  5. Mark
    Paris Hilton

    Re: Here we go again

    Bye!

    'course you will still get updates to IE, but you can't walk away from that, can you, 'cos you looove Microsoft.

  6. Pieter Vos
    Gates Horns

    Re: Here we go again

    Good idea, move from a browser that actually bothers with updates to one with a rather less healthy track record...

  7. TimM

    Re: Here we go again

    "I'm sick and bloody tired of Firefox updates, I'm seriously considering going back to Internet Explorer."

    Well the latter has just the same level of updates, just the fixes are rolled up and issued less frequently, leaving you vulnerable for longer in theory.

    Don't see why it's a problem for you though. It auto updates and takes a few seconds, and you don't have to reboot your computer unlike you probably would with IE.

    Face it. Software will always need patches to update and fix issues that just could never be foreseen. Lack of updates on a software product generally concerns me more. Updates are a good thing.

    Still, think yourself lucky you're not running Linux. It's pretty much daily now that updates are issued and a very large amount of those are security fixes!

    p.s. shock horror... a Mac OS X vulnerability! surely not? !!!! ;-)

  8. Pink Duck

    Patch frequency

    Why not restrict yourself to applying Firefox updates once per month on an arbitrary date like IE instead?

  9. matt
    Thumb Down

    RE: Here we go again

    Yeah, with IE you don't have to worry about those so tricky to install updates all the time, because MS will leave holes for months before fixing them.

    Great idea...

  10. John P
    Stop

    @AC

    Don't do that, go to Opera.

    It's faster than Firefox and IE and, let's face it, both of those browsers just steal things off Opera anyway (tabbed browsing, enhanced history, more I'm sure).

  11. Anonymous Coward
    Paris Hilton

    @Here we go again

    Ditto. Especially since the Firefox developers seem to find it unnecessary to fix the "Windows can't find ..." error message bug, that is caused by FF screwing up registry entries and was first raised against FF 0.9 in the first half of 2004 (!).

    I'm sick and bloody tired of it.

    Paris, because she knows how to keep the punters happy.

  12. Anonymous Coward
    Dead Vulture

    Broken extensions/themes

    Will EVERY minor update to Firefox 3 result in our themes and extensions being incompatible until they are re-written AGAIN? GRRRRRRR!!!!

  13. Robert Harrison

    @Here we go again

    You sir are Steve Ballmer and I claim my 5 pounds[1].

    [1] This joke is as tired as your complaint.

  14. Anonymous Coward
    Coat

    I wish you would Anonymous Coward...

    Because it's ages since I sifted through your mail and looked at all your local files from my international PC of mystery.

    Bring back the good old days of hacking ;p

    -ano

  15. Anonymous Bastard
    Flame

    @Here we go again By Anonymous Coward

    That's the great thing about Internet Explorer, a lack of updates!

  16. Anonymous Coward
    Anonymous Coward

    Re: Here we go again

    Yup, use IE and you can quite happily browse away and never be forced to fix any of the critical security bugs.

    Pro-tip: You could also save yourself energy by not locking your doors at night.

  17. Alex Smith
    Flame

    @Here we go again

    And you think Windows Update doesn't patch IE? lol....

    At least Firefox -tells- you when there's an update -before- your computer gets owned.

  18. Chris

    errrr

    Would you rather they not patch it?

  19. Anonymous Coward
    Anonymous Coward

    Re "Here we go again"

    @AC - You can turn the updates off if you're not too bothered about having the latest & greatest & most secure version, you know.

  20. wobbly1
    Unhappy

    Has Gates got a job at Mozilla?

    update has killed NoScript & ABP... the very reasons for using Firefox... reinstall doesn't fix it... Bugzilla reporting is so complex I forget halfway through most of the details I need to report. Well I suppose they are trying to emulate Microsoft.

  21. Patrick Ernst
    Happy

    @Here we go again

    Would you prefer firefox doesn't get updated? Look at the foot-dragging MS did for years with IE5 then 6. They still patch 6, as they should. Logic flaws will always be found in software. Some of this stuff is very sophisticated and may not be found during normal test cycles.

    So since I'm sick and bloody tired of AC whinges, please please go back to internet exploder. You deserve it.

  22. Pete Spicer

    IE updates?

    @ Webster Phreaky - is it the same carpet-bombing bug? Safari's one is concerning dumping downloads on the desktop from a malicious source. Firefox's is to do with CSS, which appears to be from a completely different part of the browser.

    @ AC - IE does get updated, but remember that it took a number of years for Microsoft to bother to update IE seriously... wonder why? Could it be because it had competition?

    So, FF has to be updated from time to time. IE does too. Since I bothered to get IE 7 for web-site testing purposes last week, there have been 2 hotfixes it wanted to download since then. I'd rather have a browser that does try to keep patched and secure (and doesn't require a reboot of my PC)

    Interesting point of debate: considering that its source is available to anybody (and I don't think you can say the same about the others), hackers can browse through it looking for holes. Yet it doesn't get that many patches rolled out to users, the reason for which I can only conclude is that not too many problems get through the testing. Can IE say the same?

  23. Eduardo
    Unhappy

    Odd problems with Firefox recently...

    Certain websites taking forever to load for instance - including various torrent based ones.

    Same issues not present in either IE or Flock - wtf is going on I wonder?

    Answers on (this) a webpage please!

  24. Phil
    Jobs Horns

    Re: Here we go again

    @AC: Ah, so that's why MS so rarely fix the vulnerabilities in IE, not because they can't be bothered / don't know how to, but so as not to trouble us with updates. Yes, you're right, better to have the vulns and not have to restart your browser now and again.

  25. James Hughes

    RE: Here we go again

    So, going back to a browser that is security updated once a month (ish), vs. one that is updated more frequently, because you are tired of a few seconds of uploading/updating?

    Weird.

    Pretty sure I prefer the latter. And at least I don't usually have to reboot for a Firefox update.

  26. adnim

    @here we go again

    Just Firefox, not sacking Windows because you are sick and tired of Windows updates too?

    Yes, it has taken some time to get this update out, maybe they were testing to ensure it didn't break anything else or introduce even more insecurity. Something Microsoft don't seem to give a shit about. Of course they could just be recovering from the hangover caused by the celebrations after version 3 release. Or, if they are anything like me they are just bone idle.

  27. Chris
    Happy

    Here we go again

    I'm sick and bloody tired of people moaning about Firefox updates, I'm seriously considering suggesting they write their own web browser.

  28. Pete

    Have they

    fixed the video bug in FF3 yet? The one that crashes it when playing wmv etc?

  29. Kajiki
    Gates Horns

    IE updates suck big hairy balls

    It's not really a hardship to do the update. Firefox tells you it has downloaded the update, all you have to do is close FF and open it again when you are ready. I didn't even have to reboot the PC. If FF doesn't provide updates it gets flamed, if it does, FF still gets criticised.

    Don't get me started on IE and the retarded system restarts that are "required" at 5 minutes notice just when you have started some online gaming session or have work open or have just walked away from the PC for a few minutes. I mean, surely the update engine can look at the system uptime of the PC and see it was only turned on 20 minutes ago and so it can trust me to turn off the PC when I have finished with it.

  30. Anonymous Coward
    Paris Hilton

    @AC "Here we go again"

    Yep, I have only received 2 updates in how many months, rather than M$ that only gives an update when forced to, and only when it is a bad security issue.

    I have to use both, because my firm will only launch external access through IE (what a bad idea).

    Paris, because she will always give you a choice.

  31. Paul Talbot

    Here we go again

    Why? Do you prefer the Windows updates for when Internet Explorer needs patching? Do you prefer to be kept in the dark about exactly when your browser is updating? Or would you prefer Mozilla didn't patch Firefox when they find bugs?

  32. Richard
    Thumb Down

    @ Here we go again

    Out of interest, why are you sick and tired of them? They take a very small amount of time to download and install (about 30s max on the 2 machines I updated today with v3.0.1), your current browser state (tabs, history etc) is retained after the restart, and they keep your system as up-to-date against threats as possible.

    IE has updates too, it's just they're included with all the other windows updates, and probably require a PC reboot after install. You can always disable the automatic search for updates in firefox from Tools->Options.

    Use whichever browser you prefer, but this seems to be a strange thing to base your browser choice on.

  33. Andy Barber
    Jobs Halo

    @Webster Phreaky

    I'm getting a Mac next week/tomorrow!

  34. Alex Smith

    @Broken extensions/themes

    That'll be the extension/theme developers needing to adjust the max value for the install version... that's not Mozilla's fault.

    Only one extension broke here, thanks to VMWare having not updated it for a while... Oh look... the developers of the extension are at fault.

    If you -really- need to use them, read up on how to override the max value on the xpi.

  35. Chris

    Re: Here we go again

    "I'm sick and bloody tired of Firefox updates, I'm seriously considering going back to Internet Explorer."

    Eh?! You mean, you'd rather use an insecure browser because it bothers you less? That's just stupid.

    How hard is it to click two buttons and wait for Firefox to restart itself and you're back exactly where you were before, only safer? Answer: not very.

  36. J
    Dead Vulture

    @Foot dragging

    Webster? Are you OK, mate? :O)

  37. paul
    Heart

    I LOVE FIREFOX

    I mean just how quick would IE fix a flaw?

  38. Neil Stansbury

    Updates

    @AC - Broken extensions/themes

    Only if you use extns from devs who don't read the documentation and specify a version number of 3.0.0 rather than 3.0.* in their XPIs. Unless an update changes a feature, unzip the XPI and change it yourself.

    @JohnP

    "It's faster than Firefox and IE and, let's face it, both of those browsers just steal things off Opera anyway (tabbed browsing.."

    Yet another ill-informed Opera fan boy - for the umpteenth time - OPERA DID NOT INVENT TABBED BROWSING

    @Pete

    "fixed the video bug in FF3 yet? The one that crashes it when playing wmv etc?"

    I take it a Google search is just too much for you?

    http://www.google.co.uk/search?hl=en&q=firefox+wmv+plugin&btnG=Google+Search

  39. Jason DePriest
    Boffin

    Re: all the "my old extension for Firefox doesn't work any more"

    You can fix that yourself.

    Download the XPI. It is just a renamed Zip file.

    Unzip it.

    Find the install.rdf file and open it in an editor.

    Look for the targetApplication section with the id of {ec8030f7-c20a-464f-9b0e-13a3a9e97384} and change the maxVersion to 3.*

    Re-zip it and change the extension to .xpi.

    Drag and drop your new file into your Firefox browser.

    Dance joyously.
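
The manifest edit described in comment 39, as an added example that is not part of the original thread: it reads and rewrites the Firefox `maxVersion` inside an XPI's `install.rdf`. The sample manifest, file names and function names are constructed for illustration; changing `maxVersion` only lifts the compatibility check and does not show that the extension works with the newer release.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

EM = "http://www.mozilla.org/2004/em-rdf#"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
FIREFOX_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"  # application id quoted in comment 39
ET.register_namespace("em", EM)  # keep the em: prefix when the manifest is re-serialised
# Constructed sample manifest, not taken from any real extension.
SAMPLE_RDF = f"""<?xml version="1.0"?>
<RDF xmlns="{RDF}" xmlns:em="{EM}">
 <Description about="urn:mozilla:install-manifest">
  <em:id>sample@example.invalid</em:id>
  <em:targetApplication><Description>
   <em:id>{FIREFOX_ID}</em:id>
   <em:maxVersion>3.0.0</em:maxVersion>
  </Description></em:targetApplication>
 </Description>
</RDF>"""

def make_sample_xpi():  # constructed XPI (a zip archive) built in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", SAMPLE_RDF)
        z.writestr("chrome/content/overlay.js", "// constructed placeholder\n")
    return buf.getvalue()

def _firefox_max_node(root):  # maxVersion element of the entry whose em:id is Firefox
    for desc in root.iter(f"{{{RDF}}}Description"):
        node = desc.find(f"{{{EM}}}maxVersion")
        if node is not None and desc.findtext(f"{{{EM}}}id", "").strip() == FIREFOX_ID:
            return node
    raise ValueError("install.rdf has no Firefox maxVersion entry")

def get_max_version(xpi_bytes):  # current Firefox maxVersion as a string
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        return _firefox_max_node(ET.fromstring(z.read("install.rdf"))).text.strip()

def set_max_version(xpi_bytes, new_max):  # returns a new XPI; the input is not modified
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = src.read(name)  # every other member is copied unchanged
            if name == "install.rdf":
                root = ET.fromstring(data)
                _firefox_max_node(root).text = new_max
                data = ET.tostring(root, encoding="utf-8")
            dst.writestr(name, data)
    return out.getvalue()
```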

  40. Anonymous Coward
    Anonymous Coward

    RE: Here we go again (2)

    *I'm sick and bloody tired of people moaning about Firefox updates, I'm seriously considering suggesting they write their own web browser.*

    I did but it's still too buggy for me so, from now on, sod bloody browsers; I'm going to go on the bus to all these places in the web pages and look at them with my eyes. I'll be round the El Reg Offices next week to watch you type all the stories and then coming round all your houses to watch you type silly comments. I'm sending this by Royal Mail.

  41. Roger Heathcote

    @Broken extensions/themes

    Maybe for a while yeah. This is one of the reasons why the 2.0.0.X branch is still maintained, you don't have to use FF3.x until you're satisfied it's stable enough to run all your plugins.

    You have to bear in mind also that sloppy plugin coding can be a factor, if a security fix breaks a plugin then that would suggest to me that that plugin wasn't necessarily that well written / secure to begin with.

    Roger Heathcote.

  42. Bruce Sinton
    Paris Hilton

    I am happy for all of you

    posters out there, whose biggest problem in their lives is getting updates and bug fixes for Firefox.

    One day you might actually get some problem (health, family or financial) that will take your mind completely off this eenie, weenie, teency weency irritant.

    Peace and Joy. (from me and Paris)

  43. Josh

    @ wobbly1

    Much as others have said, extensions can be fixed.

    Regarding ABP and NoScript, I've had no downtime at all on those two, or any of the other 5 that I use. I just checked to make sure they were all working, but FF 3.0.1 has them all online with no gripes or complaints. *shrugs*

  44. Anonymous Coward
    Unhappy

    Reg fails to pop up

    Having installed the latest update, I find that when I click a link in the Reg newsletter, the FF window no longer pops up over the mail window. FF is already running and sometimes the program icon in the taskbar flashes orange (windows xp), sometimes it doesn't.

    Bit disconcerting - deliberate revenge on Reg by FF?

  45. Richard Hodgson

    It's not the regularity...

    ...that annoys me, it's the fact that code for handling extensions uses the main software version number in order to determine compatibility of the extensions I have installed.

    It's likely that the changes made won't affect 99% of the extensions out there, but regardless, Firefox will disable a number of the extensions I've installed because the compatibility number in their XPI file is 0.0.0.1 less than the new version.

    I know that this is partially down to the extension developers, and assuming that they ever update their plugins using the Mozilla site (which some don't, due to some of the methods the site uses being cumbersome), they'll update on their own, but at the same time, I wish that there was a better system for determining compatibility.
