Mozilla swats Firefox zero-day bug a week early

Mozilla has plugged a critical unpatched cross-platform vulnerability in Firefox a week ahead of its previously announced schedule. Firefox 3.6.2 fixes a flaw first discovered by security researcher Evgeny Legerov last month, and confirmed by Mozilla last week. The zero-day vulnerability - now identified as an integer …

COMMENTS

This topic is closed for new posts.
  1. Jolyon Ralph
    Go

    Phew

    Now I can stop using Chrome. I like Chrome in most things (and the tab tearing off works much better in Chrome than in Firefox) but the lack of decent RSS support in Chrome (ie being able to display a readable form of an RSS feed within the browser) ruins it for me.

    Well done to Mozilla for getting the bugfix out early.

    1. Bilgepipe
      Gates Horns

      Feedly

      The best way to view RSS in Firefox is the Feedly plugin/website. It actually makes RSS feeds useful.

      Evil Bill, to offset the anti-Apple-tard below.

    2. Craigness
      WTF?

      RSS?

      You must read a lot of RSS for that to be an issue. For me, the FF "awesomebar" is much more awesome than the Chrome version, and deleting unwanted cookies when the browser closes is something Chrome can't do.

  2. Anonymous Coward
    Jobs Horns

    Fox droppings

    So basically, they shat themselves and got into gear to appease Germany and the EU ASAP.

    Good-good.

    1. Anonymous Coward
      Gates Horns

      @The Emperor's new clothes

      Back again with the same old schtick. Stop being an AC and come out of the closet.

      1. Test Man
        FAIL

        Hmmm

        Bit like you then.

      2. Anonymous Coward
        Jobs Horns

        "You can't handle the truth"

        Doesn't change the fact that they shat themselves and released a patch "early" (if you can call it that after waiting a month already - It's like waiting for Patch Tuesday) because of what the German government started and the press picked up on.

        Does it, Dance for me, monkey boy? Or may I just call you "Dance"?

        The fact is, every time something like this happens, it's another mark on their track record. Long term, you can sense where it's headed. Netscape were once the darlings of the browser world, now they're just hated for NS4. Microsoft wowed people with IE5 and all the amazing things it revolutionised web browsing with (dynamic rendering, innerHTML, XMLHttpRequest, XML/XSLT, providing a platform for web-based applications, etc), now they're hated for the IE6 legacy. Trust me... Firefox is already behind all but IE in terms of standards support, and even then only slightly ahead of IE8/9 for all the things that matter. It's certainly well behind all other browsers when it comes to security. It really isn't going to be long before Firefox becomes the new bad browser everyone hates.

        Cue the point-and-grunt -moz-downvoters...

        1. Joseph Haig

          The truth?

          I don't have the full details of this, but it appears that Evgeny Legerov reported this exploit to Mozilla a month ago and they started working on a fix while the details were kept secret. This is standard practice with 'white hat' security researchers - they will release the details of what they have found but only after the developers have had an opportunity to fix it. However, it appears that "Legerov controversially offered to sell exploit code he developed." I don't doubt that the rushed release was a response to the German government telling people to stop using Firefox, but this in turn seems to have come in response to Legerov reneging on his agreement.

          As I said, I do not know the full details, and this is only my interpretation of events. Perhaps someone has more information about what actually happened.

        2. Anonymous Coward
          Anonymous Coward

          @Cue the point-and-grunt -moz-downvoters...

          That is such a weak debating tactic.

          Personally, I tried Chrome and Safari and thought they were awful. I've used Opera off and on for years but find that increasingly poor and never remotely as pleasant to use as even IE, let alone FF. After putting up with IE for many years, i.e. using it alongside FF, I've had enough of the M$ approach to security and blocked it via group policy. In FF - where Mozilla still act a hell of a lot faster than Microsoft - I use NoScript, ABP, RequestPolicy and FlashBlock. I keep machine security updated and competent. I don't get infected. Like so many other users who know what they're doing. For the ones that don't, the internet is insecure and becoming a victim is all but guaranteed.

          I will call you 'Weakman'.

  3. Pink Duck
    Thumb Up

    Pleased

    With the notification I got when running Firefox as standard user about the patch being available :)

  4. Anonymous Coward
    Thumb Up

    FF

    This is why FF/open source rock, contrast this with IE's track record in plugging vulnerabilities. Get the latest FF here: http://www.mozilla-europe.org/en/firefox/

    1. frymaster

      IE's track record?

      IE6 was released in 2001 and still gets security updates. Conversely, FF2, released in 2006, does not. From that I conclude that IE is better at plugging vulnerabilities.

      ...more seriously, I know what you mean, but there's more than one aspect to security. For example, IE's once-a-month update cycle means compulsive-updaters are less protected for up to a few weeks, but has the upside of being the difference between large corporations updating once a month, after testing, or large corporations not bothering at all because tracking and testing updates as they're drip-fed out is too much hassle

      which is better? depends who you are, really

  5. Anonymous Coward
    FAIL

    re: FF

    A MONTH for a highly critical security vulnerability that has numerous live exploits on the web is NOT a good track record, in fact it's an abysmal track record. It might be better than IE, but when you compare it to Safari and Opera, both closed source, and vulnerability fix times in the region of DAYS and not WEEKS or MONTHS as with Mozilla.

    Worse still, Mozilla were quite happy to allow this critical vulnerability to wait for another few weeks, they released it early when threatened with a media storm led by the German government. Clearly they value bad PR as more important than their users' security, otherwise it would have not originally been scheduled for next month.

    This shows how the myth of Open Source community providing prompt fixes clearly does NOT work... It's exactly that, a myth. All Open Source does is allow hackers to freely browse your code looking for exploits..

    1. dolcraith

      Security by Obscurity?

      AC, I'm pretty sure everyone is aware that security by obscurity doesn't work, which is what a closed source system is to software exploits. Safari is based on WebKit, which last time I checked was open source. I also remember the article talking about how there were no "weaponized" exploits out there. Doesn't mean there aren't any but it doesn't mean that there are "numerous live exploits on the web"

    2. The BigYin
      FAIL

      lolz

      Yeah, and security by obscurity works sooooooooo well.

  6. Robert Carnegie Silver badge

    Went like this

    There is an insecurity in your multi-megabyte program and I'm not going to tell you what it is.

    What! A week later and you don't believe me? You haven't fixed it? Secunia believed me, I gave this smart guy's name as mine and they like him...

  7. Anonymous Coward
    FAIL

    @dolcraith

    You know WebKit is JUST a rendering engine right? There is a whole load of other stuff needed to make a browser. A Javascript engine, a browser framework for starters.

    Safari is mostly closed source... It's open-sourced part of it, as it helps their agenda.

    1. J 3
      FAIL

      @AC 23rd March 2010 15:23 GMT

      Freaking cowards, have to get a time stamp to identify the scum...

      You are so ignorant it hurts, AC. Yeah, JUST the rendering engine of HTML, nothing important for a browser, sure...

      "Safari is mostly closed source... It's opensourced part of it, as it helps their agenda."

      Really, AC (anonymous cretin)? They didn't "opensource" anything. They (Apple) used a component SOMEONE ELSE had already released as Open Source. Apple just kept it open.

      "WebKit's HTML and JavaScript code began as a branch of the KHTML and KJS libraries from KDE." http://webkit.org/

      1. Anonymous Coward
        FAIL

        Pot...kettle...gecko

        "Freaking cowards, have to get a time stamp to identify the scum..."

        Yeah, I know what you mean, "J 3".

        1. J 3
          Coffee/keyboard

          Still me

          Yup, still me, and you can tell. Now which AC are YOU?

          Or which idiot thinks that people should be putting their identification details on line when commenting on random stuff? Want my SSN and home address too?

          1. Anonymous Coward
            Anonymous Coward

            Whatever

            The word is 'fucking'.

          2. Anonymous Coward
            Anonymous Coward

            What's in a name?

            May just be me, but I think the comments are just meant to be read. "Tags" are an optional extra.

  8. Anonymous Coward
    Anonymous Coward

    I got 3.6.2 on the 19th

    you know: the beta? Installed it, supposed bugs and all. Secunia kept flagging FF 3.6.* as unpatched so I figured they probably don't bother with the betas.

    Today having read this story I ran 'check for updates' and got told there was none. So I went to http://www.mozilla-europe.org/en/firefox/customize/ where 3.6.2 was/is offered and no mention of a beta. Downloaded and installed it.

    Copied the installer to my Mozilla software store whereupon I was asked if I wanted to replace the beta I got on Friday. Both 7.79MB and dated 16th March. So, offered without reference to the beta, but the beta nonetheless - complete with supposed bugs?

  9. Anonymous Coward
    Go

    Firefox

    ...is a great piece of software, from my perspective. Small, fast enough for me, functional to read pages of high intellectual crap, ermm discourse, like theregister.co.uk and /.

    I only use IE9 at work because the bozos of the IT dept can't manage to update FF from something like 3.2 to 3.6. (this is a major institution of German finance, but I will not divulge its identity).

    At least they deny me Administrative rights, so that I can't infect the PC thoroughly.

    Flashblocker is also a major "selling point" of FF. Reduces CPU load and memory requirements by approx a factor of ten.

    GO FIREFOX, GO !

  10. Anonymous Coward
    Thumb Down

    Wahoo?

    No one experienced any trouble with this security 'fix' then? I couldn't get Yahoo's inbox to load up and wasn't alone in that. Also, those anti-spambot captcha type things wouldn't load on the Mozilla FF support site either so couldn't report it. Fix was to uninstall FF and reinstall/disabling auto-updates. After reading about 3.6.2 vulnerabilities might just downgrade till they fix this thing properly.

  11. diogratia

    3.6.2 releases Mac OS X filename fix

    An update to 3.6 saw the demise of the shell wrapper in the Firefox Application bundle. All of a sudden filename paths with whitespace wouldn't open (but filenames without spaces could be dragged and dropped onto Firefox). This is the first non-beta release with the fix in. Now I can open my HTML copy of 'Bleak House' without re-adding a shell wrapper to the Firefox Application bundle which would have to be undone manually on update, or renaming/linking the target without spaces in the path name.

    Thanks Mozilla for putting the users first, or is it just governments you're trying to appease?

  12. jhermans

    @George Spiggottby-Name

    The last beta is always identical to the released version - that's why you didn't receive any new update.

    1. Anonymous Coward
      Anonymous Coward

      I guess the bit about the bugs

      was just ASSuming rather than known.

  13. jhermans

    @AC 13:41

    What exploit code ? Secunia has put up a warning for a security problem, but refused to say what the problem was. And none of the exploit code was seen either. That makes it quite difficult to fix, right ?

    Mozilla received more information from Legerov last week (when he *finally* released the exploit code), and a patch was available the 18th.

    AC : where are your "numerous live exploits" ? You're not just an AC, you're also a liar.

  14. Steve Roper
    Troll

    To those who responded to the anti-FF trolltard AC

    Come on guys. It's pretty obvious why he can't put his real name to his posts. After all, the words "Steve Ballmer" in the name column would be a bit of a giveaway, would it not?

    1. dogged
      Stop

      mistaken identity

      his relentless fluffing of Safari would indicate a different Steve.

  15. Anonymous Coward
    Stop

    @jlocke

    Get Opera, it's more secure, has quicker patch turnaround times in the event that something does crop up (even when it does, it's usually much less severe than Firefox security problems).

    It also has better content, noscript and plugin blocking. You can choose between globally blocking everything and allowing individual inclusions, or globally allowing everything and making individual exclusions.

    That's not to mention the other benefits, like better standards conformance, better CSS support, better performance, none of the problems of having to upgrade plugins all the time (as all the useful ones are already built in), better memory control etc etc etc.

    Firefox is basically for those too stupid or too lazy to explore better and more secure alternatives. They end up having it, because a family friend installed it several years back when it was a better alternative to IE (which it was, AT THE TIME)...

    1. blackworx
      Grenade

      @AC 09:50

      You: "Hey you should move in to that empty house next door, it's got a bigger bathroom and better locks on the door."

      Me: "Hmmm, but I like my own house just fine. It has a functional bathroom and my locks are perfectly good. Also I reckon there's a mould problem in that house, and there's a rabid dog in the garden that barks and growls whenever anyone goes near the fence, especially Bill who lives in that huge mansion over the road. No, I think I'll just stay where I am."

      You: "You are stupid and lazy"

      Me: "Fuck off"

  16. Bob Gateaux
    Thumb Up

    Simple

    Best way we stop Firefox giving bank details to russian on internet is use the Internet Explorer instead - it come free and work safe and fast.

    1. blackworx
      FAIL

      Ha ha

      Nice try

    2. blackworx
      Coat

      Oops

      Sarcasm detector fail

  17. mhenriday

    Patching quickly is never wrong;

    well done, Mozilla !...

    Henri
