Computer Security - Firefox/Mozila releases new versions (release canidates)

#1
http://news.yahoo.com/s/cmp/20050916...NlYwMlJVRPUCUl

"Mozilla Corp. on Thursday posted new versions of its Firefox and the Mozilla browsers that include a fix for a recent vulnerability that could let attackers grab control of a PC.

The "release candidates," which aren't quite final but are available for download and testing, fix the vulnerability in the browsers' support for international domain names (IDN). Other security patches have been added to the new versions -- dubbed Firefox 1.0.7 and Mozilla 1.7.12"

http://news.yahoo.com/s/cmp/20050916...NlYwMlJVRPUCUl

Imhotep

#2

"Imhotep" <> wrote in message news:3YidnTtbe4KJjLbeRVn-...
> http://news.yahoo.com/s/cmp/20050916...NlYwMlJVRPUCUl
>
> "Mozilla Corp. on Thursday posted new versions of its Firefox and the Mozilla browsers that include a fix for a recent vulnerability that could let attackers grab control of a PC.
>
> The "release candidates," which aren't quite final but are available for download and testing, fix the vulnerability in the browsers' support for international domain names (IDN). Other security patches have been added to the new versions -- dubbed Firefox 1.0.7 and Mozilla 1.7.12"
>
> http://news.yahoo.com/s/cmp/20050916...NlYwMlJVRPUCUl
>
> Imhotep

Right! Mozilla (spell it correctly, at least!) is trying to catch up to IE as a secure browser. Who cares about Firefox when Mozilla.org has established its browser as a haven for exploits? Mozilla.org is playing 'catch-up' to obviate its negligence in providing a secure alternative to IE. Said negligence was apparently based on the [brain-dead] user community's belief that *any* alternative browser is better than IE.

http://it.slashdot.org/article.pl?si...id=154&tid=172

Q

Quaoar

#3

Quaoar wrote:
> http://it.slashdot.org/article.pl?si...id=154&tid=172

Is that it?

Does nothing to address the issues of whether Moz/Firefox are intrinsically more secure, and, moreover totally ignores the fact that M$ takes forever to actually DO anything - if they finally decide it actually works.

Steve Welsh

#4

Quaoar wrote:
>
> "Imhotep" <> wrote in message news:3YidnTtbe4KJjLbeRVn-...
>> http://news.yahoo.com/s/cmp/20050916...NlYwMlJVRPUCUl
>>
>> "Mozilla Corp. on Thursday posted new versions of its Firefox and the Mozilla browsers that include a fix for a recent vulnerability that could let attackers grab control of a PC.
>>
>> The "release candidates," which aren't quite final but are available for download and testing, fix the vulnerability in the browsers' support for international domain names (IDN). Other security patches have been added to the new versions -- dubbed Firefox 1.0.7 and Mozilla 1.7.12"
>>
>> http://news.yahoo.com/s/cmp/20050916...NlYwMlJVRPUCUl
>>
>> Imhotep
>
> Right! Mozilla (spell it correctly, at least!) is trying to catch up to IE as a secure browser. Who cares about Firefox when Mozilla.org has established its browser as a haven for exploits? Mozilla.org is playing 'catch-up' to obviate its negligence in providing a secure alternative to IE. Said negligence was apparently based on the [brain-dead] user community's belief that *any* alternative browser is better than IE.
>
> http://it.slashdot.org/article.pl?si...id=154&tid=172
>
> Q

Out of respect for the other people here, please do not try to start a lame ass flame war. This post by the OP, me, was meant to inform people about a new version of software.

P.S. If you really want to debate this, and I really think you don't, start a new thread with a topic of IE vs Firefox or whatever. I look forward to the debate. Else, out of respect for everyone else, keep to the topic.

Imhotep

#5

"Steve Welsh" <> wrote in message news:...
> Quaoar wrote:
> > http://it.slashdot.org/article.pl?si...id=154&tid=172
>
> Is that it?
>
> Does nothing to address the issues of whether Moz/Firefox are intrinsically more secure, and, moreover totally ignores the fact that M$ takes forever to actually DO anything - if they finally decide it actually works.

/Intrinsically/ more secure? It's software. And software that (in both cases) doesn't seem to have been tested all that well (the FF list included a couple of real howlers, IIRC).

That said, they are both based on (in age terms, at any rate) fairly mature code. In the case of FF these seem to be things that are cropping-up in the new code and (ironically) have been seen before in IE, a few years back (e.g. IFRAME exploits). In other words, a progger just needs to search MS KB to get the solution.

In theory, FF should eventually be /slightly/ easier to issue fixes for, as it's a monolithic chunk of code that doesn't provide external services to other software (as is the case with IE). The latter approach means that you have to do that much more testing, and run the risk of breaking someone else's code. Hence (large assumption on my part), the withdrawal of the recent IE patch. Although if they *do* delay a working and tested patch until the next batch - rather than issue straight away - that sucks.

But is one platform "intrinsically" more secure? Assuming identically adequate testing on both products, that's a bit like arguing that putting all the code in one file is more secure than separating it into modules.

Incidentally, and just having taken a look at the FF 1.0.6 code for the first time: it's littered with inline English-language status messages, mostly unencumbered with comments, and scattered with hard-coded inline parameter definitions. Not the best of practises when you're supposed to be dealing with something internationalized...

Also - if there are any Mozilla developers reading - the documentation states that "bq--" is no longer checked, but in fact it's just sitting there, large as life, in nsIDNService.cpp. It's commented as being there "for test purposes". Perhaps getting the code to do what everyone else thinks it's doing would be a good start when working towards that permanent fix ;o)

Incidentally, when an IDN "own any domain or certificate" bug was posted back in February, you had to do a little more work to make the enableIDN setting "stick":

http://users.tns.net/~skingery/weblo...p-exploit.html

Anyone tested to see if this is still required?

H1K

Hairy One Kenobi

#6

On Fri, 16 Sep 2005 18:36:08 -0600, "Quaoar" <> wrote:

<snipped>

>Right! Mozilla (spell it correctly, at least!) is trying to catch up to IE as a secure browser. Who cares about Firefox when Mozilla.org has established its browser as a haven for exploits? Mozilla.org is playing 'catch-up' to obviate its negligence in providing a secure alternative to IE. Said negligence was apparently based on the [brain-dead] user community's belief that *any* alternative browser is better than IE.

For a time, *any* alternative browser *was* better than IE. And to a certain degree, any alternative browser to IE still is.

>http://it.slashdot.org/article.pl?si...id=154&tid=172

The author took most of his (dis)information from the following two links:

http://secunia.com/product/11/?period=2005#statistics
http://secunia.com/product/4227/?period=2005#statistics

When you dig a little deeper on both those pages, you start to see that IE *still* is the worst of the two browsers - Firefox may have had more vulnerabilities discovered, but they also apparently took those vulnerabilities seriously and issued patches or fixes much faster than M$ (when M$ could be bothered releasing a patch, that is).

Breaking it down:

Mozilla Firefox 1.x - Solution Status (Based on 18 advisories from 2005)
Unpatched - 6%
Vendor Patch - 83%
Vendor Workaround - 6%
Partial Fix - 6%

Microsoft Internet Explorer 6.x - Solution Status (Based on 11 advisories from 2005)
Unpatched - 45%
Vendor Patch - 36%
Vendor Workaround - 9%
Partial Fix - 9%

Mozilla Firefox 1.x - Criticality (Based on 18 advisories from 2005)
Extremely - 0%
Highly - 28%
Moderately - 39%
Less - 22%
Not - 11%

Microsoft Internet Explorer 6.x - Criticality (Based on 18 advisories from 2005)
Extremely - 9%
Highly - 36%
Moderately - 9%
Less - 18%
Not - 27%

I think those figures show just who is taking their security more seriously.

HINT: It's not M$.

Dazz

>Q
>

Dazz

#7

From: "Dazz" <>
|
| For a time, *any* alternative browser *was* better than IE. And to a certain degree, any alternative browser to IE still is.
|
| >> http://it.slashdot.org/article.pl?si...id=154&tid=172
|
| The author took most of his (dis)information from the following two links:
|
| http://secunia.com/product/11/?period=2005#statistics
| http://secunia.com/product/4227/?period=2005#statistics
|
| When you dig a little deeper on both those pages, you start to see that IE *still* is the worst of the two browsers - Firefox may have had more vulnerabilities discovered, but they also apparently took those vulnerabilities seriously and issued patches or fixes much faster than M$ (when M$ could be bothered releasing a patch, that is).
|
| Breaking it down:
|
| Mozilla Firefox 1.x - Solution Status (Based on 18 advisories from 2005)
| Unpatched - 6%
| Vendor Patch - 83%
| Vendor Workaround - 6%
| Partial Fix - 6%
|
| Microsoft Internet Explorer 6.x - Solution Status (Based on 11 advisories from 2005)
| Unpatched - 45%
| Vendor Patch - 36%
| Vendor Workaround - 9%
| Partial Fix - 9%
|
| Mozilla Firefox 1.x - Criticality (Based on 18 advisories from 2005)
| Extremely - 0%
| Highly - 28%
| Moderately - 39%
| Less - 22%
| Not - 11%
|
| Microsoft Internet Explorer 6.x - Criticality (Based on 18 advisories from 2005)
| Extremely - 9%
| Highly - 36%
| Moderately - 9%
| Less - 18%
| Not - 27%
|
| I think those figures show just who is taking their security more seriously.
|
| HINT: It's not M$.
|
| Dazz
|

Well stated and quantified!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman

#8

Dazz wrote:
> On Fri, 16 Sep 2005 18:36:08 -0600, "Quaoar" <> wrote:
>
> <snipped>
>
>>Right! Mozilla (spell it correctly, at least!) is trying to catch up to IE as a secure browser. Who cares about Firefox when Mozilla.org has established its browser as a haven for exploits? Mozilla.org is playing 'catch-up' to obviate its negligence in providing a secure alternative to IE. Said negligence was apparently based on the [brain-dead] user community's belief that *any* alternative browser is better than IE.
>
> For a time, *any* alternative browser *was* better than IE. And to a certain degree, any alternative browser to IE still is.
>
>>http://it.slashdot.org/article.pl?si...id=154&tid=172
>
> The author took most of his (dis)information from the following two links:
>
> http://secunia.com/product/11/?period=2005#statistics
> http://secunia.com/product/4227/?period=2005#statistics
>
> When you dig a little deeper on both those pages, you start to see that IE *still* is the worst of the two browsers - Firefox may have had more vulnerabilities discovered, but they also apparently took those vulnerabilities seriously and issued patches or fixes much faster than M$ (when M$ could be bothered releasing a patch, that is).
>
> Breaking it down:
>
> Mozilla Firefox 1.x - Solution Status (Based on 18 advisories from 2005)
> Unpatched - 6%
> Vendor Patch - 83%
> Vendor Workaround - 6%
> Partial Fix - 6%
>
> Microsoft Internet Explorer 6.x - Solution Status (Based on 11 advisories from 2005)
> Unpatched - 45%
> Vendor Patch - 36%
> Vendor Workaround - 9%
> Partial Fix - 9%
>
> Mozilla Firefox 1.x - Criticality (Based on 18 advisories from 2005)
> Extremely - 0%
> Highly - 28%
> Moderately - 39%
> Less - 22%
> Not - 11%
>
> Microsoft Internet Explorer 6.x - Criticality (Based on 18 advisories from 2005)
> Extremely - 9%
> Highly - 36%
> Moderately - 9%
> Less - 18%
> Not - 27%
>
> I think those figures show just who is taking their security more seriously.
>
> HINT: It's not M$.
>
> Dazz
>
>>Q
>>

Good argument backed by data!

Im

Imhotep

#9

Quaoar wrote:
> "Imhotep" <> wrote in message news:3YidnTtbe4KJjLbeRVn-...
>
>>http://news.yahoo.com/s/cmp/20050916...NlYwMlJVRPUCUl
>>
>>"Mozilla Corp. on Thursday posted new versions of its Firefox and the Mozilla browsers that include a fix for a recent vulnerability that could let attackers grab control of a PC.
>>
>>The "release candidates," which aren't quite final but are available for download and testing, fix the vulnerability in the browsers' support for international domain names (IDN). Other security patches have been added to the new versions -- dubbed Firefox 1.0.7 and Mozilla 1.7.12"
>>
>>http://news.yahoo.com/s/cmp/20050916...NlYwMlJVRPUCUl
>>
>>Imhotep
>
> Right! Mozilla (spell it correctly, at least!) is trying to catch up to IE as a secure browser. Who cares about Firefox when Mozilla.org has established its browser as a haven for exploits? Mozilla.org is playing 'catch-up' to obviate its negligence in providing a secure alternative to IE. Said negligence was apparently based on the [brain-dead] user community's belief that *any* alternative browser is better than IE.
>
> http://it.slashdot.org/article.pl?si...id=154&tid=172
>
> Q
>

Of course if you look at the "real" numbers the "critical" Firefox exploits have been fixed within 3 weeks of discovery. www.secunia.com shows IE with critical exploits that have been available and documented and being exploited since 2004.

Catch up...Firefox with all source code fully published has a few exploits that get fixed. IE with its source code fully hidden gets exploited and MS does nothing. MS with all of the new exploits that have been discovered this month is not releasing any patches this month.

The arguments do not add up. Since I left IE I have yet to get any crapware on my system, before I left it was a constant battle. Thanks, but I won't buy the argument that IE is safer when personal exp is contrary to opinion.....bah.

It may well be it is attacked less, but as number 2 and easily detectable I somehow do not believe this to be the case.

On a new note there is a new Trojan exploit out designed to exploit .NET framework in a driveby shooting. Trojan exploit runs system level perms (imagine that). This possibility was discussed earlier this year on this newsgroup. It looks like .NET will bring the same type vulnerabilities as ActiveX only now exploits can be done in more languages.

Winged

#10

Winged wrote:
<snip>
> On a new note there is a new Trojan exploit out designed to exploit .NET framework in a driveby shooting. Trojan exploit runs system level perms (imagine that). This possibility was discussed earlier this year on this newsgroup. It looks like .NET will bring the same type vulnerabilities as ActiveX only now exploits can be done in more languages.
>
> Winged

I, and many other people, thought that would happen. It was only a matter of time... I do think that it will be more severe than active-x though...

Im

Imhotep