Mozilla plugs 10 security holes in Firefox

Mozilla coughed its latest Firefox update this week and patched ten flaws – five of which were critical vulnerabilities – in the latest version of its browser. The firm said it strongly recommended that Firefox fanciers upgrade to version 2.0.0.13 because of the number of security fixes built into the latest update. Critical …

COMMENTS

This topic is closed for new posts.
  1. Steve Evans
    Stop

    Yuck

    Anyone with Javascript enabled in an email client really does deserve everything they get! Unfortunately it'll be us that gets the spam when their PC links up with the botnet and starts spewing.

    Does anyone out there (over the age of 14) really need javascript enabled emails? I don't even use HTML enabled emails! If I want to emphasize a word, I stick an asterisk on each end, job done!

  2. Anonymous Coward
    Stop

    Not Again

    I'm sick of these updates. I'm seriously considering going back to Internet Explorer for my everyday browsing.

  3. Anonymous Coward
    Paris Hilton

    Alternatives

    I must admit that I have installed this latest update, but I am beginning to feel a little concerned that FireFox is losing the hearts and minds battle.

    I gave Opera a try a short time ago. That was an extremely pleasant experience and I highly recommend others give it a try! Only problem for me is that Opera doesn't support RoboForm, which is what I use to keep track of my online passwords etc.

    One thing that FireFox is extremely good with however is providing support for web developers like me. IE and other browsers don't offer extensions. One of the extensions I use a lot is to show me web page table outlines so that I can make sure my HTML tables are up to scratch. Some other useful utilities too.

    Paris because I seem to have become fascinated by her. I must be getting old.

  4. Matt

    re: Not Again

    So you would prefer it if Mozilla didn't fix the bugs?

    Don't be fooled into thinking that IE does not suffer from the same problems, the difference here is that Mozilla actually fix the bugs whereas Microsoft choose to ignore theirs.

  5. Anonymous Coward
    Anonymous Coward

    @AC

    OK, so there has been a little flurry of them just now, but I don't see how anyone could get "sick of these updates". All I had to do for each was press "restart later". My extensions update far more often.

    Stop moaning.

  6. Huw Davies
    Unhappy

    @ac

    Eh?

    You'd rather have a browser that had vulnerabilities that only got patched once in a blue moon?

  7. Anonymous Coward
    Stop

    @Not Again

    You realise that pesky little windows update thing that churns away all too often is also updating security flaws in IE, right? In what way is that better than Firefox's updates? I'd wager it takes MS longer to fix stuff than it does Mozilla too.

  8. Benny
    Thumb Down

    re:Not Again

    Yes, because there's never any updates to IE...

  9. Edward Rose

    slightly disturbed

    So, we're on 2.0.0.13, and they are Beta testing 3.

    You what?

    I think it's about time the Moz team got their heads removed from the dark places and looked at where they came from. They don't need to compete with IE on the bling front, not now MS look to be forced towards standards. Let's actually stop and as of 3 start doing a massive overhaul of the code to make sure it is compact and clean.

    Any good project should perform major code inspection / rewrite between major releases.

    Or am I missing the point here?

  10. Gilbert Wham

    @ Not Again

    What, you're sick of security updates? Like, people updating their software *when they find out there's a hole in it*, as opposed to when they feel like it (i.e. IE)?

    Ooooookayyyy...

  11. John Miles
    Stop

    @Not Again

    Why not just decline the security updates?

    Do that consistently for many months and you could be in a similarly insecure state as using IE now.

  12. dodgy
    Go

    RE: Not Again

    At least the problems get fixed, how long ago was your last IE upgrade?

    Stick with FF, at least they ship fixes faster than M$

  13. Danny
    Dead Vulture

    bad update?

    It installed this morning for me and FF has been trouble ever since. I am getting about 10 minutes of browsing then suddenly it fails to resolve anything until I close it and relaunch. It isn't a DNS issue as IE has no problems when FF is failing to find anything. Anybody else having a similar problem?

  14. Hugh Cowan
    Thumb Up

    @slightly disturbed

    Have you used Firefox 3? It had a huge overhaul of code and is now much faster and responsive!

    The one question I have is, are these flaws already fixed in FF 3?

  15. SpitefulGOD
    Gates Halo

    firefox

    What a piece of dung!

  16. Duncan
    Coat

    hang on a mo..

    Didn't we all used to moan about how often we were being given updates to IE and pointed to this fact as an indication of how insecure it was? At that time firefox had very few security updates; some said this was because no one but us techies were actually using it, the counter argument was that because there were so few updates it was an indication that it was an incredibly secure browser.

    I think we need to keep a hold of the ground here people.

    personally i have gone back to IE as there is just no benefit to me having firefox installed anymore. i suspect it is becoming a little less secure than IE these days and also seeing as i can't uninstall IE why have two, hey but that's another argument

    shall i get my coat?

  17. Eddie Johnson
    Thumb Up

    @AC

    I'm sick of the frequency of Firefox updates too but in their defense, at least *they* don't require a reboot to update a browser. I always laugh when I see MS use the term "hotfix" about various patches because they clearly don't know what "hot" implies.

    What the FF folks tend to forget is that half the time you are prevented from upgrading quickly due to plugin compatibility. I've lost a number of useful plugins that haven't worked since 1.5. I ran 1.0 for most of 1.5's lifetime because 1.5 *never* supported Calendar. Hell, I still have a Mozilla 1.7 icon on my desktop that I have to get out for various tasks.

    My coat's the one with 4 screwdrivers and an adjustable wrench in the breast pocket.

  18. I. Aproveofitspendingonspecificprojects

    bad update? @Danny

    I just got it too but I thought it was version 3. I swear it said version 3.

    Anyway, it works fine for me. I did see some add ons such as the translator and the foreign letters add ons have problems. You might have some add on that you should remove.

  19. Solomon Grundy

    Multiple Browsers

    I'm with Duncan on this. Why does anyone need two (or more) browsers? (except developers) I liked FF when it first came out but after IE added tabbed browsing and such there was no reason to keep FF. IE works just fine.

    Remember, it's not a monopoly when people have a choice.

  20. Roger Garner
    Stop

    Sings in a high pitched voice...

    I switched to Opera back when it was either Netscrap or Internet Exploder. Easy choice, even having to pay for it then by far the superior browser.

    Never looked back, it's a fast efficient browser and whilst nothing is perfect, rarely has to issue security fixes. I hate Firefox... once you've used Opera you realise it's just horribly slow but as with the masses that still use IE, you don't realise how good the alternatives are until you try them.

  21. Stephen
    Gates Horns

    RE:Multiple browsers

    To be perfectly honest I really do not like the way IE works with tabbed browsing it seems more klunky than FF. Also Firefox enables me to re-open my existing tabs from my old session, something IE falls short of along with In-line spell checking.

    Still if you're complaining about the number of updates from Mozilla you have obviously never installed the NoScript addon into Firefox. The makers of that plugin seem to update it every week practically!

    Even if FF has had more updates of late than IE that would not prove much. Microsoft can easily wait and stick in plenty of fixes into a single windows update patch, or better yet keep vulnerabilities secret so they can point the finger at the Mozilla lot who are fixing their bugs. Fortunately that's the difference with Open Source you can see what has been reported and what is being fixed, Microsoft only seems to act swiftly when some security expert finds a massive exploit and loudly shouts it.

    For all the flag waving about IE7 you would never have got it had Firefox not been around to show what a god awful and insecure browser IE6 truly was, suddenly having an alternative proved that the IE6 monopoly was bad and it showed. Remember Microsoft originally planned IE7 for Vista only but ended up having to make it available for XP users to try to regain lost ground with Mozilla.

  22. Kjetil

    Re:Alternatives

    What do you need RoboForm for? Opera has that function built in.

  23. Paul Talbot

    re: Multiple browsers

    Unfortunately, I don't have a choice. If I want to use Firefox, I still have to have IE installed. I'd uninstall IE instantly if I could.

    Anyway, it's down to choice. You prefer IE? Fine (but seriously, you're OK using it because they finally added tabbed browsing? Why not use the browsers that are doing the innovating?).

    For all the whiners above about the number of updates - you're deluded. You update IE security fixes all the time but probably don't realise it because they're in the "Windows updates" section (and get withheld for the Tuesday updates). I for one prefer the fact that Firefox lets me know when there's an update available, makes it available as soon as the bugs are fixed and gives me a choice about whether to download them.

  24. Anonymous Coward
    Stop

    Huh?

    Now this is why I dislike OSS. It's not the technical aspect - as it's normally excellent - it's the "community".

    Every time MS update IE with patches it's "here we go again" and "more fixes from M$". Mozilla fix TEN holes in one go and the comments are "well would you rather them not fix it?"

    The OSS myth has been broken. It's not any more secure just cause it's OSS. The world's second most popular browser is FF and after hundreds of peer reviews of the source still haven't uncovered all the bugs. Yeah, IE is probably less "secure" (it's subjective), and I'm not saying that OSS is insecure at all - but for the last decade or more all you hear from Linux users is that closed source is insecure by nature compared to OSS. It's fucking not. More people have probably looked at the source of FF than paid developers have for IE7 - yet FF is still full of bugs. As is Safari (that's obvious as it's by Apple), as is IE.

    The two faced attitude of a rather large and vocal users/admins/devs of OSS keep giving it a bad name. MS (sorry, "M$") patches "ha ha - it's so insecure and full of bugs. Move to OSS - it's so much more secure by default cause even you can look at the code". Yet the thousands of patches released for OSS applications (Linux, OpenOffice, Apache, PHP, MySQL, The GIMP, Pidgin, Firefox, Thunderbird) get silence from everyone other than a few such as Duncan and Solomon Grundy who dare to comment get replies of "don't you want it fixed?".

    Oh - and the usual corrections: Stephen, IE7 does support automated reopening existing tabs from your previous session. Though I do agree that FF is great and was required if only to get MS to pull their finger out regarding updating IE6.

    Matt, Dodgy, AC's, and Huw: When you refer to Mozilla patching straightaway rather than when they want to (implying MS), would you care to re-read the article which states it's going to take several weeks (implying months) to get the same fixes into Thunderbird...? SEVERAL WEEKS?! That would put it on par with MS right?

    Firefox is great. It's kicking MS up the arse which was long overdue. Now we have IE7 which has new features for end-users (tabs, RSS builtin, Phishing filter etc.), and coming up soon (hopefully) we should get IE7 that's actually compatible with web standards - which MS are going to call "IE8".

    But please OSS fans, take some criticism when a single, pretty small application has 10 security holes fixed in one go (5 of which are critical) - and then won't/can't fix the OSS mail client for weeks and weeks either.

    It ain't bad, but it sure as hell ain't perfect either.

  25. RW

    Detection of holes

    How many of these fixes were to holes spotted by reviewing the source code and how many by sad experience?

    I have to wonder if the entire modern approach to design and construction of programs is fundamentally flawed. TCP/IP stack implementations seem to be pretty much bug-free; is that because of the carefully layered abstraction of the stack scheme? Is a similar approach possible with application programs?

  26. James
    Thumb Up

    Why Firefox

    Well I've just spent most of my afternoon clearing 110 bits of adware and spyware from my system. How many of those do you think were affecting Firefox? That's right, none. Whatever the reasons for this (e.g. IE more popular so more of a target), this is why I use Firefox.

    If I could uninstall IE I would.

    Security updates are a good thing, and the faster they are available the better. The Firefox updates are so painless as well, it even remembers what websites you had open before you ran it. Just because IE itself doesn't say "I have updates" doesn't mean they aren't being done.

  27. Bruce
    Unhappy

    2 years old

    Some of the bugs date from February 2006.

    Mozilla is kind of slow.

    https://bugzilla.mozilla.org/buglist.cgi?bug_id=345529,328258,405783,399286,415827,384871

  28. neil hanvey
    Dead Vulture

    strange

    i was sat on my mac yesterday and did the update, then as soon as firefox restarts, the talkback app loads up (obviously some kind of problem as the talkback app is used for error reporting) then my mac goes tits up and now it won't even boot in safe mode, has the fox got rabies? i use firefox and ie btw, it's the curse of every web developer :(

    vulture because it represents my poorly G5

  29. paul
    Gates Horns

    Competition

    This is 2008, not 1995. Internet Explorer is so 20th C.

    My internet browsing these days is done on a big HDTV using my PS3 (which just had an update to the internet browser based on mozilla, amongst other things).

    My wii runs opera.

  30. Nano nano

    But "History: view by site" is _still_ broken

    and just gives a list of all pages without a Tree view of sites ...

  31. Glenn Gilbert
    Paris Hilton

    IE and Firefox in the same sentence - yuck

    How can some people consider Firefox and IE7 to be the same? Sure, they render web pages, but that's about as far as it goes.

    As IE7 is 'closely built into the operating system', it suffers all the problems that the OS has; it's seldom updated (there was 6 years between IE6 & IE7); and offers limited functionality and customisation.

    Firefox is an application that's free from the constraints of the OS, so much so that it runs on many different operating systems compared with IE's one. It is highly extensible so anyone can install different addins to make life bearable (Flashblock and AdBlock for starters with mouse gestures -- OK, idea stolen from Opera -- for seconds; and that's without considering the amazing array of development tools). It follows standards whereas Microsoft make them up as they go along. It's reliable and is less likely to take down the computer. And it's an order of magnitude more secure than IE despite Microsoft's bluster (IE's part of the operating system n'est-ce pas?).

    If you feel that moving to IE from Firefox is a good move when they've just patched some security holes -- *without* rebooting the OS -- then you're either trolling, a Microsoft fanboi, need your head read, or need to install a few addins.

    I wonder if Paris 'fox.

  32. Anonymous Coward
    Anonymous Coward

    only..

    "The firm said it strongly recommended that Firefox fanciers upgrade"

    When do companies ever do anything else?

    we mildly recommend?

    we recommend you do this in your time?

    We've produced these updates, but you don't really need 'em. whenever you're ready.

  33. Herby

    Re: Multiple Browsers

    While I prefer FF, it is a VERY sad fact of life that some things require IE. In my case, I am required to use this ugly application called Kronos. It is all in Java, and needs to be pacified with IE. Then there are some web pages that only seem to render well in IE as well (IBM's ClearQuest).

    Yes, all of these things are stupid for insisting on IE. Me, I grin and bear it.

  34. David
    Gates Horns

    @ Long Winded AC

    One thing about your comments:

    Yes, more people have probably looked at the code for FireFox (I'm included) than IE, but the people working on Internet Exploder are PAID to do so. That's all they do; they're code monkeys for MS. Most of the people that have tinkered with FF code have lives outside their computer (not necessarily outside of computers in general though).

    Just food for thought.

  35. Anonymous Coward
    Anonymous Coward

    @Huh?

    'Now this is why I dislike OSS. It's not the technical aspect - as it's normally excellent - it's the "community". '

    Nicely put - zings the Linux, Firefox and OpenOffice brigades. Well, brigade. Of course, like anyone who isn't rabidly anti-MS you're now bundled in with the SS, animal experimenters, anyone who doesn't like Dr. Who ... And no stupid Paris crap either! Is this an early April Fool thing, or are you actually normal?

  36. Shades

    @Stephen:

    "Still if you're complaining about the number of updates from Mozilla you have obviously never installed the NoScript addon into Firefox. The makers of that plugin seem to update it every week practically!"

    ...and I still wouldn't even dream of being without NoScript!!!

  37. kain preacher

    weird

    my company keeps a calendar of available days off. Funny thing is it does not display right in IE but in fire fox. The main web application we use is prone to have issue if you use fire fox.

  38. Phillip
    Black Helicopters

    Firefox

    Seriously, i've been a web developer for about 7 years, and Firefox is a pile of shit.

    Any developer who thinks Firefox makes their life easier, is not a good developer. It's easier to code for Opera and fix a couple of minor things in IE and Firefox, than it is to code for Firefox's own crappy standards and then spend hours fixing for every other browser.

    Everyone in the Firefox community is a douchebag.

    "Oh i need this plugin and that plugin or i can't do my daily tasks of surfing the net"...

    9 times out of 10 the plugin you're using is a weak version of what's been in opera for a year.

    But whatever, most of the people who write comments in the register are morons too.

  39. Randy

    Re: Alternatives: Andres // Sings in... : Roger

    Big Opera fanboi over here... ok now that that's outta the way...

    About time you guys realized Opera is a contender. About time you guys realized that Firefox may be nice in a lot of ways, but it is a HOG on resources. Anybody gonna try to refute that Opera is quick like a bunny compared to the Firepig? Compare them side by side in Taskman someday and you'll see for yourself. Anybody care to refute that it's wonderful having a browser with great options out of the box, with no need to install and keep updating a pile of browser extensions whenever there's a browser revision AND/OR extension revision update? Also, if you trust a browser to safely keep your passwords, ANY browser in ANY OS, yes including my beloved Opera... you got bigger stones than I. Hope that goes well for you.

    Oh, and for those who believe the only reason to have more than 1 browser is for dev... get out of El Reg and go read Digg or one of the other nancy-boy rags.

  40. Eddie Johnson
    Stop

    @RW

    >> "I have to wonder if the entire modern approach to design and construction of programs is fundamentally flawed."

    ITA with that. To me the pace of change is the problem. What good is my ability to review the source because by the end of the month it will have changed. No one can know the software well because it changes before you have more than a cursory knowledge. FF needs to slow down with the major versions and the added features to control the bloat. Focus on recoding for security, reliability and efficiency.

  41. SilverWave
    Linux

    noscript is your friend

    Patching is just a fact of life with any large codebase and Firefox makes updates painless so stop whinging.

    If you have a look most of the problems lately are JavaScript related... so noscript is an easy extra layer of protection. I would say 99% of sites I visit work OK without JavaScript... so I just turn it on when needed.

    Anybody who still uses IE obviously likes spyware, what other explanation is there?

    And TBH use IE if you want... it's not my machine you are infecting by your stupidity, so knock yourself out :D

    Just remember that laughing you hear... the next time you have to reinstall your OS because you have lost control?

    Yeah that's me :D

  42. Graham Lockley

    Huh ?

    Such vituperation nowadays in the pages of the venomous Vulture !!

    (Yeah I've been watching V for Vendetta again)

    Personally FF and NoScript (don't use any other plugins) suit my browsing habits 90% of the time and don't seem to hog resources unduly.

    I've used Opera since the early days and like it lots but maybe I'm just too lazy to promote it from No.2 to No.1 on my machines (yea IE is third and when I get round to trying out Safari, possibly fourth)

    @Phillip - 1/10 for that effort, troll school is turning out such poor graduates nowadays. 10,000 lines on my desk in the morning saying 'I must learn to troll in a more subtle manner'

  43. Anonymous Coward
    Black Helicopters

    @ Phillip

    "But what ever, most of the people who write comments in the register are morons too."

    I actually just fell off my chair and dropped my cheeseburger after reading that and laughing so hard.

  44. Will
    Coat

    Don't worry you guys!

    You have all got Safari now :)

    The one with the knife hole in the back...

  45. Anonymous Coward
    Anonymous Coward

    conventional wisdom not always conventional

    In fact I will refute the assertion that opera is quick like a bunny compared to firefox. Having a laptop with the crappiest fan bug imaginable this is something I'm acutely aware of. I frequently switch browsers, pretty much depending on what mood I'm in. Is it a fair comparison? Well opera has skins loaded so absolutely not, however it's worth saying I don't feel the need to reskin firefox. The point is that it's not always a clear case that opera is faster. It isn't. That said, they're both adequately fast when you disable flash. It's a pity opera doesn't get more limelight.

    As for updates I have mixed opinions. I find that firefox, as others say, is a lot more about bling than being stable and reliable. If there's a problem to be had with bugfix releases it's that there /seems/ to be a lot of bugs to be fixed, presumably overlooked in the name of tickboxing features in the initial releases. After all, finding bugs is boring. Implementing new stuff is fun. It's just sad that it can /appear/ that the king of bugs (IE) seems in better shape some days, and it's not an especially good advertisement for OSS, considering firefox is probably the most widely used OSS software, and most especially it's not an encouragement to anyone trying out a non-IE browser, to download an update that provides only something you thought you got in the first place.

    And, as an end user myself, I personally prefer not to update all the software on about a dozen platforms every two hours just to stay current either. Such activity is intensely tedious. I sure don't remember this kind of stuff with staid old mozilla^H^H^H^H^H^H^Hseamonkey. I guess that either I'm remembering selectively, or it's that as software gets popular the overall quality drops when its makers attempt to cater to what everyone that uses it wants.

  46. Geoff Mackenzie

    Damn these updates!

    Oh, actually, it was no hassle. Unless you count Firefox's polite request to be restarted at my convenience after the install silently completed without bugging me.

    Can't believe anyone would think about going back to glacially slow, squishy-layout MSIE over something so trifling.

  47. David Wilkinson
    Alert

    Why are people so negative.

    Firefox can't be good unless IE is worthless.

    Opera can't be good unless IE is worthless.

    IE can't be good ..... (well ok even I get negative at times, but IE7 is a lot better than IE6)

    When I hear someone telling me I have to use X because Y and Z are complete crap, and I know that both Y and Z are decent programs. Well I just sort of assume that X is for retards. :)

    It makes me suspect that deep down that person thinks that maybe choosing X was a horrible horrible mistake, so they overcompensate by shouting how great X is and how stupid everyone who thinks differently must be.

    The one trying to convert you the most is likely the one whose own faith is on shaky ground.

  48. b shubin
    Boffin

    Why multiple browsers

    because XSS vulns. repeatedly. in most if not all browsers, at one point or another.

    thus, different browsers for secure connections to a bank, to webmail(s), to another bank, to an online tech gear shopping site, to eBay, to Amazon.com, etc., and yet another app for just browsing.

    how many things do you have going on at the same time? i have 3 to 4 browsers open at any given time, and IE is not one of them, because i'm busy, not stupid, and after supporting MS products for 20 years, i know those MS code monkeys really ARE monkeys, mostly.

  49. Tharglet
    Go

    Updates

    I'm amazed about the number of people complaining about browser updates.

    Not had any problems with FF since the last upgrade myself, and the upgrades never take very long. If I'm busy I'll wait til I'm going away from the desk for a minute, click the button, then by the time I get back, it's done. Admittedly, I suppose it could be tedious if you have to do this a lot of times, but then again, MSIE's updates come in the dreaded windows updater anyway.

    I'm a Firefox user as I find it much better to use, compared to IE. Between FF2 and IE7 I haven't noticed a huge difference in speed on XP. (IE6 was faster, but effectively does less). At the end of the day *I* prefer Firefox, but if you want to prefer IE/Opera/Safari/Netscape/Lynx... *shrug*.

    I find the added functionality of addons and the layout of the browser the main deciding factors, however I find FF's rendering generally better in quality over IE.

  50. Anonymous Coward
    Jobs Horns

    @Bruce

    If you'd read the bug filed in Feb 2006 - https://bugzilla.mozilla.org/show_bug.cgi?id=328258 - you'd know that it was an Apple bug that also affected Safari, and the reason it took so long was that Apple were being slowpokes at fixing it. (Actually, apparently they still haven't released a fix for 10.4, only for 10.5)
