Firefox update plugs three critical flaws Mozilla has pushed out a cross-platform update for Firefox that fixes multiple security flaws. Firefox 3.5.6 lances three critical vulns in the open source browser software. They include memory problems involving the liboggplay media library, an integer overflow crash bug in the libtheora video library, and a separate memory …
Remind me again what the main thrust of the multi-million dollar advertising campaign, that worked so well clueless fools repeat it ad-nausium?
Oh yeah, that it's 'safer'.
On the front page of the firefox site "Make the switch to Firefox – the faster, safer, smarter way to browse the Web."
Case for the trade descriptions act if ever there was one.
Well, keep in mind that these are flaws discovered before they have been exploited. With a closed sauce application you wouldn't know if there were any, would you?
Calling these flaws "critical" is IMHO misdirecting the general ignorant public, e.g. Andrew Norton. They are "critical" in the sense that they _could_ be used to subvert your system. Often closed sauce applications release fixes to "critical" flaws _after_ they have been exploited. And probably (but we can never know) they release fixes to "critical" flaws without even telling anyone.
To compare the security-ness of current browsers please look at how large a timeslice of their lifetime they are susceptible to actual exploited flaws. FF would still beat many (but not all) browsers hands down. Lynx FTW. :-)
The first vuln caused by HTML 5. FFS, browsers are to parse HTML and interpret JavaScript. Not fscking playing videos! If I want to play music or a video, I use one of the 5 software I have here to do this: QuickTime, Plex.app, Mplayer, VLC or heck, even iTunes! Not Firefox!
The guy that thought the browser should be the OS should be killed. Hence the grenade.
At least plugins can be unplugged. Moving this shit into the browser core makes it an inseparable part of the attack surface - that's not minimising it like they should be. It's very like when MS moved GDI into NT kernel mode - and to be fair it really was kind of necessary there to in some way uncripple the performance problems caused when it was a subsystem, but at the same time it did mean that all of a sudden a bug in a font parsing library turns into a system-level vulnerability. Not good. So big thumbs-down from me to the idea of putting video and audio rendering into the browser core.
HTML 5 is a specification determined by the W3C, not Mozilla. The W3C is a standards consortium that includes companies like Microsoft, Apple and IBM as well as independent industry experts. ALL new browsers are expected to support HTML 5 if they are to be W3C compliant - and that includes IE, Chrome, Opera, Safari and Konqueror as well as Firefox.
As a web developer myself, I greatly approve of the changes in HTML 5. Most websites these days involve embedding application-level objects and having to rely on third-party proprietary plugins like Flash, Shockwave, Silverlight and Java has been nothing but a joke if not a nightmare. The new <audio> and <video> tags are an absolute boon to web developers because they allow a unilateral cross-platform presentation of multimedia content without having to waste our time and yours on proprietary plugins. Or having to code 4 different versions of a site to work with all the different incompatible solutions out there.
If you're that concerned about Web security in multimedia content, use NoScript, which blocks the new embedding tags unless you explicitly allow them.
Finally, while there will initially be security flaws with the new tags, when these flaws are discovered and corrected, the remedy instantly closes all doors across all sites. Compare that with the old plugin situation, where you could have many different flaws in different platforms and a fix for one did nothing to fix similar vulnerabilities in others. Adobe might fix a memory overrun bug in Flash but that would not fix a similar bug in Silverlight. Also, the standards in HTML 5 are open for anyone to see and fix, while plugins like Flash and Silverlight are closed and rely on their parent companies to fix them.
No, this is much cleaner. It's well past high time a multimedia standard was embraced by the W3C, and this hasn't come soon enough.
FF can be considered safer because you are given more control over security settings especially if you use NoScript, although it does contain flaws they're not the same ones as in the dominant browser (IE) and the flaws that do exist are fixed faster than in IE. Not too difficult to understand, surely?
These comments make me laugh, Whenever a flaw is found in Firefox/Linux people jump all over it like flies on shit going 'Firefox/Linux is insecure crap! In your face fanbois!'
Yes, in your face fanbois, but these are found and fixed before they are exploited, whereas it takes a few botnets to appear before Microsoft will get off their arses to do anything about a flaw in their browser. (I exaggerate, for literary effect.)
When a flaw is found in these programs, because they have the marketing of being safe, when it's found they aren't perfect, people go mad. When will people realise that nothing is perfect? I mean, when did you last believe what the latest Microsoft Ad tells you?
Firefox is still > IE.
Case closed. (although likely to reopen if I can be arsed to argue the point.)
If you're using Firefox in an environment using authenticating proxy servers, you may wish to hold off on the 3.5.6 update.
3.5.6 breaks auto proxy authentication, as least for some. Refer to:
http://support.mozilla.com/tiki-view_forum_thread.php?locale=en-US&comments_parentId=526892&forumId=1
Whenever there is a story about security SNAFU's in either Linux or firefox might I suggest El Reg do the following?
Add two comments as below, close the comments section and just allow people to "upvote" (FFS) their particular point of view (think of the carbons you could save!):
Linux / firefox (delete as required) is shit, full of security holes and all you fanbois know it. Quit slagging off Microsoft, your stuff isnt perfect either
Micro$haft is so closed you wouldnt know about half of the critical vulns until it's too late. At least open source software is reviewd by many people so critical issues get seen much earlier and fixed much more quickly, even before the bad guys have a chance to esxploit them!
Joke Icon, just in case any rabid fanbois of either persuassion take exception to my JOKE
why MS keep things like IE closed source - they could save themselves a lot of work, as its in a lot of devs interest for bugs to be fixed in IE. Could it be that they're embarassed about the quality of the code base - that if everyone saw it "Emperors" & "new clothes" would come to mind. This may be true of a lot of MS code.
On the subject of FF, surely stories of exploits are a reason to bash an app, not stories of bug fixes that may have never been exploited.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
