Firefox/Mozila releases new versions (release canidates)

Discussion in 'Computer Security' started by Imhotep, Sep 16, 2005.

  1. Imhotep

    Imhotep Guest

    http://news.yahoo.com/s/cmp/2005091...Nqor7oF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl

    "Mozilla Corp. on Thursday posted new versions of its Firefox and the
    Mozilla browsers that include a fix for a recent vulnerability that could
    let attackers grab control of a PC.

    The "release candidates," which aren't quite final but are available for
    download and testing, fix the vulnerability in the browsers' support for
    international domain names (IDN). Other security patches have been added to
    the new versions -- dubbed Firefox 1.0.7 and Mozilla 1.7.12"

    http://news.yahoo.com/s/cmp/2005091...Nqor7oF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl

    Imhotep
     
    Imhotep, Sep 16, 2005
    #1

  2. Imhotep

    Quaoar Guest

    "Imhotep" <> wrote in message
    news:...
    > http://news.yahoo.com/s/cmp/2005091...Nqor7oF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
    >
    > "Mozilla Corp. on Thursday posted new versions of its Firefox and the
    > Mozilla browsers that include a fix for a recent vulnerability that
    > could
    > let attackers grab control of a PC.
    >
    > The "release candidates," which aren't quite final but are available
    > for
    > download and testing, fix the vulnerability in the browsers' support
    > for
    > international domain names (IDN). Other security patches have been
    > added to
    > the new versions -- dubbed Firefox 1.0.7 and Mozilla 1.7.12"
    >
    > http://news.yahoo.com/s/cmp/2005091...Nqor7oF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
    >
    > Imhotep


    Right! Mozilla (spell it correctly, at least!) is trying to catch up to
    IE as a secure browser. Who cares about Firefox when Mozilla.org has
    established its browser as a haven for exploits? Mozilla.org is playing
    'catch-up' to obviate its negligence in providing a secure alternative
    to IE. Said negligence was apparently based on the [brain-dead] user
    community's belief that *any* alternative browser is better than IE.

    http://it.slashdot.org/article.pl?sid=05/09/16/182232&tid=154&tid=172

    Q
     
    Quaoar, Sep 17, 2005
    #2

  3. Imhotep

    Steve Welsh Guest

    Steve Welsh, Sep 17, 2005
    #3
  4. Imhotep

    Imhotep Guest

    Quaoar wrote:

    >
    > "Imhotep" <> wrote in message
    > news:...
    >> http://news.yahoo.com/s/cmp/2005091...Nqor7oF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
    >>
    >> "Mozilla Corp. on Thursday posted new versions of its Firefox and the
    >> Mozilla browsers that include a fix for a recent vulnerability that
    >> could
    >> let attackers grab control of a PC.
    >>
    >> The "release candidates," which aren't quite final but are available
    >> for
    >> download and testing, fix the vulnerability in the browsers' support
    >> for
    >> international domain names (IDN). Other security patches have been
    >> added to
    >> the new versions -- dubbed Firefox 1.0.7 and Mozilla 1.7.12"
    >>
    >> http://news.yahoo.com/s/cmp/2005091...Nqor7oF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
    >>
    >> Imhotep

    >
    > Right! Mozilla (spell it correctly, at least!) is trying to catch up to
    > IE as a secure browser. Who cares about Firefox when Mozilla.org has
    > established its browser as a haven for exploits? Mozilla.org is playing
    > 'catch-up' to obviate its negligence in providing a secure alternative
    > to IE. Said negligence was apparently based on the [brain-dead] user
    > community's belief that *any* alternative browser is better than IE.
    >
    > http://it.slashdot.org/article.pl?sid=05/09/16/182232&tid=154&tid=172
    >
    > Q


    Out of respect for the other people here, please do not try to start a lame
    ass flame war. This post by the OP, me, was meant to inform people about a
    new version of software.

    P.S. If you really want to debate this, and I really think you don't, start
    a new thread with a topic of IE vs Firefox or whatever. I look forward to
    the debate. Else, out of respect for everyone else, keep to the topic.

    Imhotep
     
    Imhotep, Sep 17, 2005
    #4
  5. "Steve Welsh" <> wrote in message
    news:...
    > Quaoar wrote:
    > > http://it.slashdot.org/article.pl?sid=05/09/16/182232&tid=154&tid=172

    >
    > Is that it?
    >
    > Does nothing to address the issues of whether Moz/Firefox are
    > intrinsically more secure, and, moreover totally ignores the fact that
    > M$ takes forever to actually DO anything - if they finally decide it
    > actually works.


    /Intrinsically/ more secure? It's software. And software that (in both
    cases) doesn't seem to have been tested all that well (the FF list included
    a couple of real howlers, IIRC).

    That said, they are both based on (in age terms, at any rate) fairly mature
    code. In the case of FF these seem to be things that are cropping-up in the
    new code and (ironically) have been seen before in IE, a few years back
    (e.g. IFRAME exploits). In other words, a progger just needs to search MS KB
    to get the solution.

    In theory, FF should eventually be /slightly/ easier to issue fixes for, as
    it's a monolithic chunk of code that doesn't provide external services to
    other software (as is the case with IE). The latter approach means that you
    have to do that much more testing, and run the risk of breaking someone
    else's code. Hence (large assumption on my part), the withdrawal of the
    recent IE patch.

    Although if they *do* delay a working and tested patch until the next
    batch - rather than issue straight away - that sucks.

    But is one platform "intrinsically" more secure? Assuming identically
    adequate testing on both products, that's a bit like arguing that putting
    all the code in one file is more secure than separating it into modules :o)

    Incidentally, and just having taken a look at the FF 1.0.6 code for the
    first time: it's littered with inline English-language status messages,
    mostly unencumbered with comments, and scattered with hard-coded inline
    parameter definitions. Not the best of practices when you're supposed to be
    dealing with something internationalized...

    Also - if there are any Mozilla developers reading - the documentation
    states that "bq--" is no longer checked, but in fact it's just sitting
    there, large as life, in nsIDNService.cpp. It's commented as being there
    "for test purposes". Perhaps getting the code to do what everyone else
    thinks it's doing would be a good start when working towards that permanent
    fix ;o)

    Incidentally, when an IDN "own any domain or certificate" bug was posted
    back in February, you had to do a little more work to make the enableIDN
    setting "stick":
    http://users.tns.net/~skingery/weblog/2005/02/permanent-fix-for-shmoo-group-exploit.html

    Anyone tested to see if this is still required?

    H1K
     
    Hairy One Kenobi, Sep 17, 2005
    #5
  6. Imhotep

    Dazz Guest

    On Fri, 16 Sep 2005 18:36:08 -0600, "Quaoar" <>
    wrote:

    <snipped>

    >Right! Mozilla (spell it correctly, at least!) is trying to catch up to
    >IE as a secure browser. Who cares about Firefox when Mozilla.org has
    >established its browser as a haven for exploits? Mozilla.org is playing
    >'catch-up' to obviate its negligence in providing a secure alternative
    >to IE. Said negligence was apparently based on the [brain-dead] user
    >community's belief that *any* alternative browser is better than IE.


    For a time, *any* alternative browser *was* better than IE. And to a
    certain degree, any alternative browser to IE still is.

    >http://it.slashdot.org/article.pl?sid=05/09/16/182232&tid=154&tid=172


    The author took most of his (dis)information from the following two
    links:

    http://secunia.com/product/11/?period=2005#statistics
    http://secunia.com/product/4227/?period=2005#statistics

    When you dig a little deeper on both those pages, you start to see
    that IE *still* is the worst of the two browsers - Firefox may have
    had more vulnerabilities discovered, but they also apparently took
    those vulnerabilities seriously and issued patches or fixes much
    faster than M$ (when M$ could be bothered releasing a patch, that is).

    Breaking it down:

    Mozilla Firefox 1.x - Solution Status (Based on 18 advisories from
    2005)
    Unpatched - 6%
    Vendor Patch - 83%
    Vendor Workaround - 6%
    Partial Fix - 6%

    Microsoft Internet Explorer 6.x - Solution Status (Based on 11
    advisories from 2005)
    Unpatched - 45%
    Vendor Patch - 36%
    Vendor Workaround - 9%
    Partial Fix - 9%

    Mozilla Firefox 1.x - Criticality (Based on 18 advisories from 2005)
    Extremely - 0%
    Highly - 28%
    Moderately - 39%
    Less - 22%
    Not - 11%

    Microsoft Internet Explorer 6.x - Criticality (Based on 18 advisories
    from 2005)
    Extremely - 9%
    Highly - 36%
    Moderately - 9%
    Less - 18%
    Not - 27%

    I think those figures show just who is taking their security more
    seriously.

    HINT: It's not M$.

    Dazz

    >Q
    >
     
    Dazz, Sep 17, 2005
    #6
  7. From: "Dazz" <>


    |
    | For a time, *any* alternative browser *was* better than IE. And to a
    | certain degree, any alternative browser to IE still is.
    |
    >> http://it.slashdot.org/article.pl?sid=05/09/16/182232&tid=154&tid=172

    |
    | The author took most of his (dis)information from the following two
    | links:
    |
    | http://secunia.com/product/11/?period=2005#statistics
    | http://secunia.com/product/4227/?period=2005#statistics
    |
    | When you dig a little deeper on both those pages, you start to see
    | that IE *still* is the worst of the two browsers - Firefox may have
    | had more vulnerabilities discovered, but they also apparently took
    | those vulnerabilities seriously and issued patches or fixes much
    | faster than M$ (when M$ could be bothered releasing a patch, that is).
    |
    | Breaking it down:
    |
    | Mozilla Firefox 1.x - Solution Status (Based on 18 advisories from
    | 2005)
    | Unpatched - 6%
    | Vendor Patch - 83%
    | Vendor Workaround - 6%
    | Partial Fix - 6%
    |
    | Microsoft Internet Explorer 6.x - Solution Status (Based on 11
    | advisories from 2005)
    | Unpatched - 45%
    | Vendor Patch - 36%
    | Vendor Workaround - 9%
    | Partial Fix - 9%
    |
    | Mozilla Firefox 1.x - Criticality (Based on 18 advisories from 2005)
    | Extremely - 0%
    | Highly - 28%
    | Moderately - 39%
    | Less - 22%
    | Not - 11%
    |
    | Microsoft Internet Explorer 6.x - Criticality (Based on 18 advisories
    | from 2005)
    | Extremely - 9%
    | Highly - 36%
    | Moderately - 9%
    | Less - 18%
    | Not - 27%
    |
    | I think those figures show just who is taking their security more
    | seriously.
    |
    | HINT: It's not M$.
    |
    | Dazz
    |

    Well stated and quantified !

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Sep 17, 2005
    #7
  8. Imhotep

    Imhotep Guest

    Dazz wrote:

    > On Fri, 16 Sep 2005 18:36:08 -0600, "Quaoar" <>
    > wrote:
    >
    > <snipped>
    >
    >>Right! Mozilla (spell it correctly, at least!) is trying to catch up to
    >>IE as a secure browser. Who cares about Firefox when Mozilla.org has
    >>established its browser as a haven for exploits? Mozilla.org is playing
    >>'catch-up' to obviate its negligence in providing a secure alternative
    >>to IE. Said negligence was apparently based on the [brain-dead] user
    >>community's belief that *any* alternative browser is better than IE.

    >
    > For a time, *any* alternative browser *was* better than IE. And to a
    > certain degree, any alternative browser to IE still is.
    >
    >>http://it.slashdot.org/article.pl?sid=05/09/16/182232&tid=154&tid=172

    >
    > The author took most of his (dis)information from the following two
    > links:
    >
    > http://secunia.com/product/11/?period=2005#statistics
    > http://secunia.com/product/4227/?period=2005#statistics
    >
    > When you dig a little deeper on both those pages, you start to see
    > that IE *still* is the worst of the two browsers - Firefox may have
    > had more vulnerabilities discovered, but they also apparently took
    > those vulnerabilities seriously and issued patches or fixes much
    > faster than M$ (when M$ could be bothered releasing a patch, that is).
    >
    > Breaking it down:
    >
    > Mozilla Firefox 1.x - Solution Status (Based on 18 advisories from
    > 2005)
    > Unpatched - 6%
    > Vendor Patch - 83%
    > Vendor Workaround - 6%
    > Partial Fix - 6%
    >
    > Microsoft Internet Explorer 6.x - Solution Status (Based on 11
    > advisories from 2005)
    > Unpatched - 45%
    > Vendor Patch - 36%
    > Vendor Workaround - 9%
    > Partial Fix - 9%
    >
    > Mozilla Firefox 1.x - Criticality (Based on 18 advisories from 2005)
    > Extremely - 0%
    > Highly - 28%
    > Moderately - 39%
    > Less - 22%
    > Not - 11%
    >
    > Microsoft Internet Explorer 6.x - Criticality (Based on 18 advisories
    > from 2005)
    > Extremely - 9%
    > Highly - 36%
    > Moderately - 9%
    > Less - 18%
    > Not - 27%
    >
    > I think those figures show just who is taking their security more
    > seriously.
    >
    > HINT: It's not M$.
    >
    > Dazz
    >
    >>Q
    >>


    Good argument backed by data!

    Im
     
    Imhotep, Sep 17, 2005
    #8
  9. Imhotep

    Winged Guest

    Quaoar wrote:
    > "Imhotep" <> wrote in message
    > news:...
    >
    >>http://news.yahoo.com/s/cmp/2005091...Nqor7oF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
    >>
    >>"Mozilla Corp. on Thursday posted new versions of its Firefox and the
    >>Mozilla browsers that include a fix for a recent vulnerability that
    >>could
    >>let attackers grab control of a PC.
    >>
    >>The "release candidates," which aren't quite final but are available
    >>for
    >>download and testing, fix the vulnerability in the browsers' support
    >>for
    >>international domain names (IDN). Other security patches have been
    >>added to
    >>the new versions -- dubbed Firefox 1.0.7 and Mozilla 1.7.12"
    >>
    >>http://news.yahoo.com/s/cmp/2005091...Nqor7oF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl
    >>
    >>Imhotep

    >
    >
    > Right! Mozilla (spell it correctly, at least!) is trying to catch up to
    > IE as a secure browser. Who cares about Firefox when Mozilla.org has
    > established its browser as a haven for exploits? Mozilla.org is playing
    > 'catch-up' to obviate its negligence in providing a secure alternative
    > to IE. Said negligence was apparently based on the [brain-dead] user
    > community's belief that *any* alternative browser is better than IE.
    >
    > http://it.slashdot.org/article.pl?sid=05/09/16/182232&tid=154&tid=172
    >
    > Q
    >
    >

    Of course if you look at the "real" numbers the "critical" Firefox
    exploits have been fixed within 3 weeks of discovery. www.secunia.com
    shows IE with critical exploits that have been available and documented
    and being exploited since 2004.

    Catch up...Firefox with all source code fully published has a few
    exploits that get fixed. IE with its source code fully hidden gets
    exploited and MS does nothing. MS with all of the new exploits that have
    been discovered this month is not releasing any patches this month.

    The arguments do not add up. Since I left IE I have yet to get any
    crapware on my system, before I left it was a constant battle. Thanks,
    but I won't buy the argument that IE is safer when personal exp is
    contrary to opinion.....bah. It may well be it is attacked less, but as
    number 2 and easily detectable I somehow do not believe this to be the case.

    On a new note there is a new Trojan exploit out designed to exploit .NET
    framework in a driveby shooting. Trojan exploit runs system level perms
    (imagine that). This possibility was discussed earlier this year on
    this newsgroup. It looks like .NET will bring the same type of
    vulnerabilities as ActiveX only now exploits can be done in more
    languages.

    Winged
     
    Winged, Sep 18, 2005
    #9
  10. Imhotep

    Imhotep Guest

    Winged wrote:
    <snip>

    > On a new note there is a new Trojan exploit out designed to exploit .NET
    > framework in a driveby shooting. Trojan exploit runs system level perms
    > (imagine that). This possibility was discussed earlier this year on
    > this newsgroup. It looks like .NET will bring the same type of
    > vulnerabilities as ActiveX only now exploits can be done in more
    > languages.
    >
    > Winged


    I, and many other people, thought that would happen. It was only a matter of
    time...

    I do think that it will be more severe than active-x though...

    Im
     
    Imhotep, Sep 18, 2005
    #10
  11. David H. Lipman, Sep 21, 2005
    #11
  12. Imhotep

    Imhotep Guest

    Imhotep, Sep 21, 2005
    #12
