Mozilla Plans Fix For Critical Firefox Vulnerability In Next Release

Soulskill posted more than 4 years ago | from the sooner-than-later dept.

Firefox 140

Trailrunner7 writes "A month after an advisory was published detailing a new vulnerability in Firefox, Mozilla said it has received exploit code for the flaw and is planning to patch the weakness on March 30 in the next release of Firefox. Mozilla officials said Thursday that the vulnerability, which was disclosed February 18 by Secunia, is a critical flaw that could result in remote code execution on a vulnerable machine. The vulnerability is in version 3.6 of Firefox."

140 comments

Re:Your official guide to the Jigaboo presidency (-1, Offtopic)

rdavidson3 (844790) | more than 4 years ago | (#31550268)

I could mark this one down as a troll as well, but what's the point since he is wasting one of my mod points in doing so, and it will just post this hate garbage in another posting.

Has anyone contacted the police and get IP records and get this bozo charged with hate crimes? We do live in the 21st century; language, culture and humanity has moved waaaaaaay past this, and there are laws that are being broken here. Although I think this behavior shouldn't have been allowed to happen then and definitely not now. I am getting upset that I keep seeing this and have to waste time and points burying it, and have seen people posting that to just "ignore it and it will go away", but it hasn't gone away.

I really don't know why after so many months, we are allowing this clown to continue posting. The wording and language is almost exactly the same. So, why doesn't the filter pick this up and log IP and delete the post? Do the overlords in slashdot secretly agree with this language and choose to let this continue.

I come to slashdot to read and comment on various IT / science topics and may not agree with everyone here, but we can be civilized about it.

Sincerely,
White guy that hates racism in all forms.

P.S. Sorry for the rant, but this has gone on for too far. This will be the last time I will waste any of my time commenting on this or using mod points to deal with it. Mod me into oblivion if you wish to do so, but it's your conscience.

Re:Your official guide to the Jigaboo presidency (0, Offtopic)

Clover_Kicker (20761) | more than 4 years ago | (#31550442)

With a small amount of work you can post from a different IP address every time.

Or it might be a dozen different losers cutting and pasting the same thing.

BTW, a reaction like yours will keep them motivated and posting, thanks ever so much.

Re:Your official guide to the Jigaboo presidency (0, Offtopic)

rdavidson3 (844790) | more than 4 years ago | (#31550510)

That's why logs are kept at the ISPs. Get the police involved and the time of the post, and they can identify the people or bots behind it.

With the language the same in every single post, why doesn't slashdot just filter this out to the garbage before it gets posted.

Maybe we should have a "-1 hate crime" mod, and the overlords can determine what to do with it. As it is, I only see myself or other mods pushing it down, thus wasting one of my mod points whereas I can be modding someone "+1 interesting" instead.

Re:Your official guide to the Jigaboo presidency (0, Offtopic)

b4dc0d3r (1268512) | more than 4 years ago | (#31550752)

Congratulations, you just encourage it. Twice, and with multiple replies. The moderation system is designed to account for this stuff. It's designed so you just need a single person with a single mod point to mark it as troll or flamebait, cleaning up the comments for others.

The only thing you've said that makes sense is filtering multiple copies of things. Everything else is heavy-handed censorship type stuff. Police involved for being racist? That's excessive.

Just ignore it. It's going to be harder than ever, because you just fed the troll. Do not feed the trolls. But just ignore it. I get a kick out of it every time. "Oh that again, silly retard, no one reads that." But I was wrong - you read it. Ignore it.

Re:Your official guide to the Jigaboo presidency (0, Offtopic)

Clover_Kicker (20761) | more than 4 years ago | (#31550870)

With the language the same in every single post, why doesn't slashdot just filter this out to the garbage before it gets posted.

Yes, because no-one would change a word or two in their post or do variations on the spelling. Yay, we get to have another lameness-filter style arms race, that'll improve the quality of the posts.

Maybe we should have a "-1 hate crime" mod, and the overlords can determine what to do with it. As it is, I only see myself or other mods pushing it down, thus wasting one of my mod points whereas I can be modding someone "+1 interesting" instead.

Maybe you should grow a skin and realize that you can't win this kind of pissing contest with griefers.

Seriously, just ignore it.

This very moment, some guy in his mom's basement has his pants down fwapping away to your outrage. You've provided motivation for gods know how many more cut'n'paste trolls, because you provided the kind of hysterical reaction they find so entertaining.

Good job, internet tough guy.
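The filtering argument in this sub-thread, as an added example that is not Slashdot's code or part of any comment: a byte-exact hash of a known post misses a copy with a word or two changed, while word-shingle similarity still scores it as a near-duplicate. The sample posts, the 0.5 threshold and all names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample posts (harmless filler text, not taken from the thread).
KNOWN_POST = (
    "Buy cheap widgets today at the widget barn. Our widgets are the best "
    "widgets in town and every widget ships free. Visit the widget barn now."
)
# Same post with punctuation changed, one word swapped and one misspelled.
REWORDED_POST = (
    "Buy cheap widgets today at the widget barn! Our widgets are the finest "
    "widgets in town and every widget ships free. Visit teh widget barn now."
)
UNRELATED_POST = (
    "The fix is already in the 3.6.2 release candidates, so you can test it today."
)


def words(text):
    """Lower-case the text and keep only alphanumeric tokens."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=3):
    """Return the set of overlapping k-word sequences in the text."""
    w = words(text)
    if len(w) < k:
        return {" ".join(w)} if w else set()
    return {" ".join(w[i:i + k]) for i in range(len(w) - k + 1)}


def jaccard(a, b):
    """Shared shingles divided by all shingles seen in either set."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class RepostFilter:
    """Remembers flagged posts and scores new submissions against them."""

    def __init__(self, threshold=0.5, k=3):
        self.threshold = threshold  # assumed cut-off, tune on real data
        self.k = k
        self._hashes = set()
        self._shingle_sets = []

    @staticmethod
    def _digest(text):
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def remember(self, text):
        """Record a post that moderators already flagged."""
        self._hashes.add(self._digest(text))
        self._shingle_sets.append(shingles(text, self.k))

    def exact_match(self, text):
        """True only for a byte-identical repost."""
        return self._digest(text) in self._hashes

    def similarity(self, text):
        """Best Jaccard score against any remembered post."""
        probe = shingles(text, self.k)
        return max((jaccard(probe, s) for s in self._shingle_sets), default=0.0)

    def verdict(self, text):
        if self.exact_match(text):
            return "exact"
        if self.similarity(text) >= self.threshold:
            return "near-duplicate"
        return "new"


if __name__ == "__main__":
    f = RepostFilter()
    f.remember(KNOWN_POST)
    for name, post in [("known", KNOWN_POST), ("reworded", REWORDED_POST),
                       ("unrelated", UNRELATED_POST)]:
        print(f"{name:10} exact={f.exact_match(post)!s:5} "
              f"score={f.similarity(post):.2f} verdict={f.verdict(post)}")
```

Lowering the threshold catches heavier rewording at the cost of flagging unrelated posts that happen to share stock phrases.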

Re:Your official guide to the Jigaboo presidency (0, Offtopic)

gbjbaanb (229885) | more than 4 years ago | (#31550584)

good - wasting time commenting on this stuff keeps them motivated to post.

that said, after reading your comment, I had to see what the fuss was about.. I found it quite amusing really. Well, no less amusing than "installing boyfriend 2.0" or "upgrading girlfriend to wife", or any Irish, Polish, or random celebrity jokes that no-one seems to have a problem with. (I'm not American so I don't have the same 'horror' of the N word BTW, round here it's the C word that's the 'uh-oh' one).

It obviously falls into the "not meant to be taken seriously" category (except by the author perhaps, but then he didn't care - he just cared to push your buttons).

So - ignore it and although it won't go away, you can stop caring about it. *That* is what will rile the poster.

Re:Your official guide to the Jigaboo presidency (1)

Zen Hash (1619759) | more than 4 years ago | (#31551834)

(I'm not American so I don't have the same 'horror' of the N word BTW, round here it's the C word that's the 'uh-oh' one).

Cracker? Communist?

Re:Your official guide to the Jigaboo presidency (-1, Offtopic)

TheRaven64 (641858) | more than 4 years ago | (#31550614)

Way off topic now, but you seem to have a really warped idea of what constitutes a hate crime. A hate crime is a crime motivated by the victim's social group. Assaulting someone because they are black is a hate crime. Smashing someone's windows because they are gay is a hate crime. The key fact is that these things are crimes irrespective of motivation, they become hate crimes because they are also motivated by hatred of a particular group.

Posting a rather boring monologue is not a crime. The fact that the monologue is racist just makes it stupid as well as boring. The original poster is exercising his right to free speech by posting as he does. We have the right to ignore him, and can also exercise our free speech rights to tell him to shut the fuck up.

The latter is unlikely to have any effect, because it is quite unlikely that the poster is actually racist - it's more likely that he just posts racist drivel in an attempt to provoke a reaction such as (for example) a hysterical and over-the-top demand to get the police involved.

You say 'laws have been broken,' but you don't give any indication of which laws. Hate crime laws are obviously not applicable here, so what do you think the police should be looking for?

Re:Your official guide to the Jigaboo presidency (0)

Anonymous Coward | more than 4 years ago | (#31550650)

Hate crime? I'm sorry, but you are a fucking idiot. It is not illegal to be racist, nor is it illegal to state your hatred of any specific race, gender, age, sexual orientation, religion, etc.

Re:Your official guide to the Jigaboo presidency (0, Offtopic)

Lehk228 (705449) | more than 4 years ago | (#31550658)

hate speech is not a hate crime, it is protected by the US constitution regardless of how distasteful it is.

fortunately for you, being an idiot is also completely legal

Re:Your official guide to the Jigaboo presidency (0, Offtopic)

rdavidson3 (844790) | more than 4 years ago | (#31550788)

Maybe it's a good thing I am Canadian then. We do have laws that do something about this.

http://cnews.canoe.ca/CNEWS/Crime/2010/03/20/13300256-qmi.html [canoe.ca]

Re:Your official guide to the Jigaboo presidency (0)

Anonymous Coward | more than 4 years ago | (#31550984)

Uhh, no. That story says that the guy was busted for vandalizing buildings, not because he said something hateful. He would have been busted even if he had been tagging "I love Jews" graffiti and the Star of David.

So, yeah, learn to read.

Re:Your official guide to the Jigaboo presidency (-1, Offtopic)

causality (777677) | more than 4 years ago | (#31550692)

Has anyone contacted the police and get IP records and get this bozo charged with hate crimes? We do live in the 21st century; language, culture and humanity has moved waaaaaaay past this, and there are laws that are being broken here. Although I think this behavior shouldn't have been allowed to happen then and definitely not now.

I am definitely not a lawyer. Having said that, if this individual is in the USA, then no crime has been committed as far as I know. We don't really need to use the police power of government to censor such people anyway. Not only would it be quite difficult to catch many of them, but we simply deal with this differently here. Here, being called "racist" is one of the worst things that could happen to your social life. If you identify yourself as having beliefs like this, it's a tremendous stigma. Thus there is little or no open racism here, at least from white people, and no one has to go to jail to arrange that. If anything, the police would have to protect an open racist from others, and not the other way around. This is quite effective.

I really think that's how you deal with this. The problem with "hate crime" laws is that they are actually thought crimes. For example, if a criminal mugs someone in order to get his money, he receives X punishment. But if that criminal specifically mugged that victim because of race, he might receive X+Y punishment, depending on the state. The difference amounts to what the criminal was thinking. If I get mugged because of what I look like, I'm just as mugged as someone who was targeted randomly. My suffering isn't any more important than theirs; the contents of the attacker's brain does not change this. If muggers are not punished enough, then increase the penalties for all of them. I just don't want the government in the thoughtcrime business, not even when the stated reason is noble. To me that's just as dangerous as all of the "protect the children" and "stop terrorism" reasons that are so often given.

With text posted to a Web site, no one was physically harmed. People are going to say things on the Internet all the time that you and I would find absolutely despicable. Even if we released all the violent criminals and drug offenders today, I doubt there would be enough prison space to hold even a fraction of them. Additionally, you have a choice about whether you react emotionally or not to things you can't control.

When I read the post to which you replied, I just shook my head. I didn't get upset about it, I didn't get offended, and I didn't let it ruin my day. I already knew there were assholes in the world, so I'm not shocked or surprised by an example of one. With over 6.5 billion people in the world, I can guarantee that someone, somewhere is saying or doing something right now that I really wouldn't like. Should I be miserable 24/7 because of that? Should I be miserable only when I am reminded by an example of this? Should I allow some rather immature people to control my emotional well-being by taking them seriously? Like Richard S. Bach wrote, if your happiness depends on what other people are doing, then yes you do have a problem. This pathological tendency is exactly what trolls are counting on, what they exploit. It's so widespread that it's very rarely recognized as pathological.

I am getting upset that I keep seeing this and have to waste time and points burying it, and have seen people posting that to just "ignore it and it will go away", but it hasn't gone away.

I think they do this just because they want an emotional impact. As I mentioned above, you have 100% control over whether you give them what they want. You're really not ignoring it, and I very rarely see instances of these troll posts that are totally disregarded by everyone (I browse at -1). So I think we have yet to really try that. If that's true, we can't make too many statements about its effectiveness. Meanwhile, it's a shame you let this upset you. I bet that's exactly what they wanted.

I really don't know why after so many months, we are allowing this clown to continue posting. The wording and language is almost exactly the same. So, why doesn't the filter pick this up and log IP and delete the post? Do the overlords in slashdot secretly agree with this language and choose to let this continue.

I sincerely doubt that Slashdot condones these trolls. I think it's more like, they aren't causing physical harm, they (presumably) aren't breaking into Slashdot's servers, they aren't using tremendous amounts of bandwidth, and there is already a moderation system in place to deal with undesirable posts. This wheel just isn't very squeaky, so it's not getting much oil. Then there's the double-edged sword of retaining IP records and such for AC posts. What if those same records are used to go after people who submit unfavorable reviews of a company or its products? To go after dissidents in oppressive countries? Even if none of that happens, why should all of us submit to tracking and possibly censorship because of a few jerks? Doesn't that mean the jerks win?

Re:Your official guide to the Jigaboo presidency (0)

Anonymous Coward | more than 4 years ago | (#31550728)

You are truly pathetic. And I sure as hell hope that you're not living in a Western country. Your attitude has no place in a society that values freedom.

Since you probably don't know this, let me inform you that my mother was a Jewish Ethiopian woman, and my father was from India. My skin is very dark, I have some black and Indian features, I'm Jewish, and I'm a woman. That has caused me to face all sorts of intolerance and prejudice over the years. Unlike you, I have actually endured real racism on many occasions.

However, NOTHING is more important than free expression. Absolutely nothing. Even though I find that post very distasteful, I would never think of preventing anyone from posting it if they wanted to.

It is absolutely sickening to read your post suggesting that somebody else should be muzzled. Censorship is a much greater social offense than racism ever could be.

Express your opinion if you want, but in terms of offensiveness, your post is many times worse than the GP's. We can laugh away racism; we can't laugh away censorship when people like you have taken away our ability to laugh.

Re:Your official guide to the Jigaboo presidency (0)

Anonymous Coward | more than 4 years ago | (#31552038)

What laws are being broken? Also, President Obama will be going away in 2012.

1.5 months for a response and release?! (1, Troll)

carlhaagen (1021273) | more than 4 years ago | (#31549878)

There's a disturbing amount of "Microsoft" in this.

Re:1.5 months for a response and release?! (0)

Anonymous Coward | more than 4 years ago | (#31549896)

Then why don't you fix it?

Re:1.5 months for a response and release?! (0, Interesting)

Anonymous Coward | more than 4 years ago | (#31549908)

Why don't you fix it?

Re:1.5 months for a response and release?! (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#31549944)

Why don't you fix it?

Re:1.5 months for a response and release?! (3, Funny)

daveime (1253762) | more than 4 years ago | (#31550242)

Welcome to the FOSS bug patching system

Re:1.5 months for a response and release?! (1)

nschubach (922175) | more than 4 years ago | (#31550334)

In actuality, it's more the egoist side of human nature. There is someone, somewhere that would likely fix it and recompile. Whether they can get past this idea that their code is their intellectual property and thus, "Someone will have to pay!" will determine if the world can move past such an ego and continue thinking about more important things than a silly exploit.

Re:1.5 months for a response and release?! (2, Informative)

BrokenHalo (565198) | more than 4 years ago | (#31550374)

There is someone, somewhere that would likely fix it and recompile.

If you had taken the trouble to read the fine (and brief) article, you would be aware that the fix is already available in the release candidates.

Re:1.5 months for a response and release?! (1)

nschubach (922175) | more than 4 years ago | (#31551350)

I know this. I really wasn't referring to this exact instance... the daveime was speaking in generalities and I like to believe I was as well.

Re:1.5 months for a response and release?! (2, Informative)

bunratty (545641) | more than 4 years ago | (#31549902)

The flaw was disclosed to Mozilla only recently (perhaps just a few days ago), and there is already a patched build available.

Re:1.5 months for a response and release?! (1)

Gadget_Guy (627405) | more than 4 years ago | (#31550116)

The flaw was disclosed to Mozilla only recently

Well, we don't actually know when the flaw was disclosed. We only know that it was acknowledged to be disclosed recently, but it could have been a while back. However, I don't have a problem with it taking time to do the find, fix and test. The fix for the bug may have ramifications in other parts of the code, and it takes time to check this.

I think people can be a bit unreasonable with their expectations of patch times.

Re:1.5 months for a response and release?! (2, Informative)

wizardforce (1005805) | more than 4 years ago | (#31549912)

Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability.

A fix already exists, it's just not in the official release.

Re:1.5 months for a response and release?! (-1, Redundant)

rossdee (243626) | more than 4 years ago | (#31550000)

So when is the official release coming out?

Re:1.5 months for a response and release?! (2, Informative)

masmullin (1479239) | more than 4 years ago | (#31550088)

RTFS

March 30th.

Re:1.5 months for a response and release?! (2, Informative)

Anonymous Coward | more than 4 years ago | (#31550124)

1) about:config
2) app.update.channel = beta

And join the beta testers :)

Re:1.5 months for a response and release?! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31550226)

Open source is great, except won't this mean hackers are able to do a diff on the source code and figure out the exploit?

Re:1.5 months for a response and release?! (0, Troll)

AmberBlackCat (829689) | more than 4 years ago | (#31550406)

Is this the part where some government official is supposed to recommend people stop using Firefox until March 30th, or does that only apply to Internet Explorer?

Re:1.5 months for a response and release?! (0)

Anonymous Coward | more than 4 years ago | (#31550686)

The difference being that in the case of IE, the patch wouldn't get fixed for 6 months and there'd be *nothing* for the public to use. In the case of Firefox, Secunia didn't release any details about the problem until a few days ago for which a beta patch was quickly created and can be downloaded *right now*.

fixed... (1)

uolamer (957159) | more than 4 years ago | (#31550726)

Alternatively, users can download Release Candidate builds of Firefox 3.6.2 which contains the fix from here:

https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/ [mozilla.org]

Re:fixed... (2, Informative)

camperslo (704715) | more than 4 years ago | (#31551144)

The 3.6.2 beta has worked fine for me, but those uncomfortable with that and not willing to wait can avoid the bug by using a 3.5x version. The vulnerability is only in 3.6 series releases.
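A version triage for an install inventory, built from what the story and comments state (flaw in the 3.6 series, fix in 3.6.2 and its candidate builds, 3.5.x reported unaffected); this is an added example, not Mozilla's tooling or code from any commenter. The inventory format, hostnames and status labels are assumptions made for the example.

```python
import re

# From the thread: the flaw affects the 3.6 series, 3.6.2 carries the fix,
# and releases before 3.6 (e.g. 3.5.x) are reported as not affected.
FIRST_AFFECTED = (3, 6, 0)
FIRST_FIXED = (3, 6, 2)

# major.minor[.patch] with an optional pre-release tag such as "rc1" or "b5".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\s*([A-Za-z]\w*)?$")

# Constructed inventory in an assumed "host,version" format; hosts are made up.
SAMPLE_INVENTORY = """\
ws-001,3.6
ws-002,3.5.8
ws-003,3.6.2
ws-004,3.6.2rc1
ws-005,3.6b5
ws-006,unknown-build
ws-007,3.0.18
"""


def parse_version(text):
    """Return ((major, minor, patch), tag) or None if the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    numbers = tuple(int(part or 0) for part in m.group(1, 2, 3))
    return numbers, (m.group(4) or "")


def classify(version_text):
    """Map a reported Firefox version to a triage status for this flaw."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"              # cannot decide, needs a manual look
    numbers, tag = parsed
    if numbers < FIRST_AFFECTED:
        return "not-affected"         # pre-3.6 lines, per the thread
    if tag:
        # The thread says 3.6.2 beta/candidate builds contain the fix; it says
        # nothing about other pre-release builds, so those go to review.
        return "fixed-prerelease" if numbers == FIRST_FIXED else "review"
    # Assumption: releases after 3.6.2 keep the fix.
    return "fixed" if numbers >= FIRST_FIXED else "affected"


def triage(inventory_text):
    """Classify every "host,version" line; blank and '#' lines are skipped."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = classify(version)
    return results


def needs_action(results):
    """Hosts to upgrade or inspect, sorted for a stable report."""
    return sorted(h for h, s in results.items()
                  if s in ("affected", "review", "unknown"))


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for host, status in report.items():
        print(f"{host:8} {status}")
    print("needs action:", ", ".join(needs_action(report)))
```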

The REAL question is, (1)

Runaway1956 (1322357) | more than 4 years ago | (#31551392)

"But, does it run on Linux?"

Hey, if the damned exploit won't run on Linux, then it's not a real exploit, is it? This kind of thing kinda pisses me off. There are all KINDS of neat software out there, that just won't run on Linux. It's definitely not fair. I think it might even be illegal. In today's modern world, no one is supposed to be excluded from anything. Not even nerds!!

What kept them? (1)

RAMMS+EIN (578166) | more than 4 years ago | (#31549900)

Ok, so, since the summary didn't make this clear and I didn't find any explanation in the article, maybe someone on Slashdot can shed some light on this. What took Mozilla so long? It's a critical vulnerability that allows remote code execution. Why is it taking over a month to fix?

Re:What kept them? (3, Informative)

bunratty (545641) | more than 4 years ago | (#31549916)

Because the vulnerability was not disclosed to Mozilla at first.

Re:What kept them? (1, Insightful)

abhishekupadhya (1228010) | more than 4 years ago | (#31549922)

Also if this was IE, browser fanboys would take the flamebait oh-so-quickly. Every browser has its own issues. Deal with it.

Re:What kept them? (4, Funny)

NotQuiteReal (608241) | more than 4 years ago | (#31549930)

Lynx is pretty secure

Re:What kept them? (1)

Securityemo (1407943) | more than 4 years ago | (#31550014)

Well, the code surface area exposed is pretty small, and the code is old and stable, but how do you know? Have you checked, run a fuzzer against it? (Only half joking. The punchline being, you never do know until you go look.)

Re:What kept them? (1)

TheLink (130905) | more than 4 years ago | (#31550252)

> Lynx is pretty secure

Yeah, no botnet creator in his right mind is going to target lynx.

Re:What kept them? (1)

csmanoj (1760150) | more than 4 years ago | (#31550260)

Wow. If only someone added images, javascript and css support (and still kept it secure), I'll dump all these other browsers.

Re:What kept them? (1)

68kmac (471061) | more than 4 years ago | (#31550382)

Lynx is pretty secure

Even Lynx has had security issues. While searching for an example, I found this [cgisecurity.com] , which is even better ;-)

Right (0)

Anonymous Coward | more than 4 years ago | (#31550198)

Because if this was IE, the bug would already be patched in what is a beta release... oh no. IE takes months if not years to patch holes in production releases.

MS fanboys always miss those tiny details for some reason.

Re:What kept them? (2, Insightful)

thetoadwarrior (1268702) | more than 4 years ago | (#31550426)

If it's patched on March 30 then that's just over a month since it was revealed. That's not too bad and better than Microsoft's record as a whole.

No one claims Firefox is perfect (or any browser for that matter) but IE gets more grief because it most certainly has more problems than the rest. If it weren't for competition as well we'd probably still be stuck on IE6 too since MS was quite happy to stop updating IE when they thought they had the market cornered.

So no need to get defensive about an awful browser like IE.

Re:What kept them? (1, Flamebait)

Anonymous Brave Guy (457657) | more than 4 years ago | (#31550574)

No one claims Firefox is perfect

Part of the problem with trying to have a sensible discussion on this topic is that so many people do pretty much claim $FOSS_APP is perfect: with enough eyes, all bugs are shallow, yada yada. If a large chunk of your culture and advocacy is based on that sort of foolishness, you're bound to get negative press when inevitably you can't always live up to your own hype.

Even the parent poster seems to be somewhat guilty of this, throwing in a couple of knee-jerk IE bashing responses. Have you actually looked at the security record of IE vs. Firefox in recent versions, particularly the number of vulnerabilities and the time required to get systems in the field patched against them? Firefox still runs all its tabs under the same process, so its fans are hardly in a position to be throwing stones at anyone else over security and reliability.

Further details available in Customer Area (1)

tepples (727027) | more than 4 years ago | (#31549928)

It's a critical vulnerability that allows remote code execution. Why is it taking over a month to fix?

Answer: Further details available in Customer Area [secunia.com]

Re:Further details available in Customer Area (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31549984)

Regardless of your stance on full disclosure, disclosure in return for payment seems to be little more than extortion. I'm going to blame this one on secunia.

So this just shows, that you can't relax. (2, Insightful)

Securityemo (1407943) | more than 4 years ago | (#31549954)

Just because you run Firefox, you can't relax about malware attacks. Not on Windows anyway. Imagine how quickly an exploit of this type could be integrated into a malware kit, already running on countless compromised sites? No one can relax about buffer/stack smashing, dangling pointers, etc..., until there's a bulletproof safeguard against them built into the OS/processor architecture.

Re:So this just shows, that you can't relax. (0)

Anonymous Coward | more than 4 years ago | (#31550108)

I don't know why people think Linux is a silver bullet. Imagine a world where "they" manage remote code execution on a remote machine, any remote machine.

On Linux with Firefox, the browser runs as the normal user, so when it gets exploited they can't take over the OS, but they still steal your personal information and can destroy all your personal documents. For me, at least, my personal data is far more important than my OS! Corporate networks may disagree.

On Windows (Vista+) with IE, the browser runs in low integrity mode, so it doesn't even have access to local user data. (!) Users running as normal users are more protected by the architecture than on Linux. The majority of attacks are crippled, but occasionally something bad happens.

On Windows with Firefox, the browser runs as the normal user, so when it gets exploited they can't take over the OS, unless they're running as administrator, which post XP is a stupid thing to do. They can lose personal information in all cases.

Of course, this assumes we're not comparing modern Linux to a Windows release from 2001.

Written from Firefox on Windows 7 running as a standard user, because I still care more about usability than security.

Re:So this just shows, that you can't relax. (0, Troll)

Securityemo (1407943) | more than 4 years ago | (#31550218)

Currently, you *can* relax about _malware_ if you're on Linux/*nix, because it's just not a target. Windows 7 has good security on the native-level front, with stack/heap NX, and full ASLR, but both of these can be coded around, in many exploit situations. It's still better than many end-user-oriented linux dists, code quality notwithstanding. Also, you forget one attack vector, and perhaps the easiest in terms of not having to deal with security measures: having the payload embed malicious code in the browser itself and steal data from, say, banking sessions.

Re:So this just shows, that you can't relax. (1)

Anonymous Brave Guy (457657) | more than 4 years ago | (#31550648)

Your point, that data can be more valuable than system integrity and is not protected by Linux-style user vs. root access control, is excellent. I just wanted to pick up on this comment:

For me, at least, my personal data is far more important than my OS! Corporate networks may disagree.

Anywhere I've ever worked, the corporate network would agree with you, and strongly. Replacing a compromised machine is just a format and reinstall of a drive image, something Corporate IT do all the time with new machines anyway. On the other hand, losing confidential information about business plans, trade secrets, or God forbid anything sensitive that has been provided in confidence by a client or business partner, can be crippling to the point of killing projects or destroying the business.

This is why threats from within (employees gone bad) are usually the most dangerous, but the same principle applies to any external attacks.

Re:So this just shows, that you can't relax. (1)

causality (777677) | more than 4 years ago | (#31550206)

Just because you run Firefox, you can't relax about malware attacks. Not on Windows anyway. Imagine how quickly an exploit of this type could be integrated into a malware kit, already running on countless compromised sites? No one can relax about buffer/stack smashing, dangling pointers, etc..., until there's a bulletproof safeguard against them built into the OS/processor architecture.

Agreed. Personally I use Gentoo Hardened [gentoo.org] with PaX and Grsecurity in the kernel plus a hardened toolchain and userspace measures against buffer overflows. That includes things like address randomization, non-executable pages, mprotect() restrictions, etc. Further measures are also available, like capability systems. It's good, though I would not call it "bulletproof", not even if I thought it was.

Really none of this is any substitute for patching known vulnerabilities. What it does provide is a second line of defense against vulnerabilities you don't yet know about or cannot yet patch. Because I am building Firefox (really all my programs) from source with these features enabled, I benefit from some protection against flaws like this.

I think some of these measures are becoming increasingly common on more mainstream Linux distributions. That's a very good thing as well, since I realize that many users don't want to compile source code. For example, one of my friends is set up with OpenSUSE and it has AppArmor and other protections available by default. I can't remember whether they were enabled by default, but it's still a step in the right direction. You can arrange your systems so merely discovering that you run a vulnerable version is not good enough for the attacker. At least with Linux this is readily achievable, though still not commonplace.

I'd be interested in knowing what options are available for similarly hardening Windows. What I'd really like to see is for the average system to become difficult enough to compromise that there is no longer fertile ground for automated attacks and the botnets that follow. I think that's achievable too, if we really wanted to do it.
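As an added illustration, not part of any comment in this thread: a minimal Python check of whether a Linux binary opts into the protections named above (position-independent code for address randomization, a non-executable stack, RELRO, no segment that is both writable and executable). The function names and the two sample binaries are constructed for this example, and only 64-bit little-endian ELF is handled.

```python
import struct
import sys

# ELF constants from the System V ABI / <elf.h>
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X, PF_W = 0x1, 0x2
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes


def audit_elf(data: bytes) -> dict:
    """Report which hardening features an ELF64 image opts into.

    This reads only what the binary requests; kernel-side settings
    (whether ASLR is enabled, PaX policy, ...) are not visible here.
    """
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    fields = EHDR.unpack_from(data)
    e_type, e_phoff = fields[1], fields[5]
    e_phentsize, e_phnum = fields[9], fields[10]
    if e_phnum and (e_phentsize < PHDR.size
                    or e_phoff + e_phnum * e_phentsize > len(data)):
        raise ValueError("program header table is truncated or malformed")

    stack_flags = None   # flags of PT_GNU_STACK, if the linker emitted one
    relro = False
    wx_segments = []     # load addresses of segments that break W^X
    for i in range(e_phnum):
        p_type, p_flags, _, p_vaddr, *_ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            wx_segments.append(p_vaddr)

    return {
        # ET_DYN means the image can be loaded at a randomized base
        # (shared libraries are ET_DYN too).
        "pie": e_type == ET_DYN,
        # A missing PT_GNU_STACK is treated as "executable stack",
        # the conservative reading for legacy binaries.
        "nx_stack": stack_flags is not None and not stack_flags & PF_X,
        # Segment present = at least partial RELRO; full RELRO also
        # needs BIND_NOW in the dynamic section, not checked here.
        "relro": relro,
        "wx_segments": wx_segments,
    }


def build_sample(e_type: int, segments: list) -> bytes:
    """Constructed input: ELF64 header plus program headers, no payload."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(segments), 0, 0, 0)
    phdrs = b"".join(PHDR.pack(t, f, 0, v, v, 0, 0, 0x1000)
                     for t, f, v in segments)
    return ehdr + phdrs


# Constructed samples: (p_type, p_flags, p_vaddr); flags are R=4, W=2, X=1.
HARDENED = build_sample(ET_DYN, [(PT_LOAD, 5, 0x0), (PT_LOAD, 6, 0x2000),
                                 (PT_GNU_STACK, 6, 0), (PT_GNU_RELRO, 4, 0x2000)])
LEGACY = build_sample(ET_EXEC, [(PT_LOAD, 7, 0x400000), (PT_GNU_STACK, 7, 0)])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, audit_elf(fh.read()))
    else:
        print("hardened sample:", audit_elf(HARDENED))
        print("legacy sample:  ", audit_elf(LEGACY))
```

Run with one or more file paths as arguments to audit real binaries; with no arguments it reports on the two constructed samples.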

Re:So this just shows, that you can't relax. (1)

Securityemo (1407943) | more than 4 years ago | (#31550358)

Personally, I just run Arch with the standard security (ASLR, not sure about NX), and use an OpenBSD VM when I need to touch "places" that have a risk for targeted attacks. I even run sudo without password prompting. For hardening Windows boxes, take a look at eEye's products? Frankly, however, I don't know about exploitation prevention frameworks/apps on Windows (other than signature-based IDS) either.

Re:So this just shows, that you can't relax. (0)

Anonymous Coward | more than 4 years ago | (#31550336)

No one can relax about buffer/stack smashing, dangling pointers, etc..., until there's a bulletproof safeguard against them built into the OS/processor architecture.

That's already done. It's called DEP (NX bit). WinXP have to enable it manually for non-MS apps. Win 7/Vista users enjoy the protection for all apps by default.

(And even if your old CPU doesn't support the NX bit, DEP will work for you as they have a software emulation for it in the OS.)

Re:So this just shows, that you can't relax. (2, Informative)

TheRaven64 (641858) | more than 4 years ago | (#31550662)

(And even if your old CPU doesn't support the NX bit, DEP will work for you as they have a software emulation for it in the OS.)

Not true. The DEP code on machines without NX bit support in the page tables will only protect you from a certain category of attack involving Microsoft's Structured Exception Handling system.

Contrast this with the OpenBSD implementation, which uses the x86 segment protection mechanism to enforce W^X when the NX bit is not present.

Re:So this just shows, that you can't relax. (2, Interesting)

Rick17JJ (744063) | more than 4 years ago | (#31551098)

I run Firefox sandboxed from within SandboxIE on my Windows XP computer. SandboxIE builds a virtual sandbox around the default browser on a computer. In addition, my computer is set up to where I am normally logged in with a user name. I only log in as administrator, when needed. I also use the NoScript and Adblock Plus extensions for Firefox. I only enable the running of scripts for certain Websites that I trust. Perhaps, those measures might help, but I am not a computer expert and do not know for sure.

I use Kubuntu Linux on my other computer, which is my main home computer. That is the computer which I am using at the moment. I also use Firefox on it, but there is not a Linux version of SandboxIE. Perhaps, I should use the Konqueror browser instead, until the final release of the patched version of Firefox becomes available. The Konqueror browser is already installed on this computer.

In the Linux version of Firefox, I also use the NoScript and Adblock Plus extensions. Of course, when using the Linux computer, I am normally logged in under my user name, with the limited privileges which go with it. Like most Linux users, I do not run as root all the time. When I temporarily need more privileges I use sudo.

I am not a computer expert. I am just someone who uses both Linux and also Windows XP on my two computers at home.

http://esecurityplanet.com/features/article.php/3842331/Sandboxie-Blocking-Web-Based-Malware-From-Your-PC.htm

Planning? It's not enough! (-1)

bogaboga (793279) | more than 4 years ago | (#31549974)

I am afraid, just planning for a fix isn't enough. Saying definitively that a fix will be available is more useful.

You might ask why:

Because plans are notorious for remaining just that. That is, plans.

Re:Planning? It's not enough! (0, Informative)

Anonymous Coward | more than 4 years ago | (#31550052)

RTFA. The fix is already there in beta version of Firefox 3.6.2. They're QA-ing it.

Re:Planning? It's not enough! (5, Informative)

maxume (22995) | more than 4 years ago | (#31550072)

Are you being intentionally ridiculous?

The fix is in the latest beta release already, that binary is slated to be the release candidate, and if testing goes well, it will be the release.

Re:Planning? It's not enough! (4, Informative)

Athanasius (306480) | more than 4 years ago | (#31550082)

As someone else already quoted:

Mozilla already has released a beta build of Firefox 3.6.2, which contains the fix for the unpatched vulnerability

You can already go and download that 3.6.2 beta [mozilla.org] if you want, I did.

The 'planning' is about the date of 3.6.2's release, not whether or not it will have this fix included.

Re:Planning? It's not enough! (1)

DutchUncle (826473) | more than 4 years ago | (#31550344)

Why isn't this a little easier to find on their site???? Search for 3.6.2 and find nothing!

Re:Planning? It's not enough! (1)

maxume (22995) | more than 4 years ago | (#31550508)

Because it is a beta. They don't want to support the people who can't find it on their own.

Re:Planning? It's not enough! (1)

ClosedSource (238333) | more than 4 years ago | (#31550652)

Hiding the patch doesn't really make any sense. I suspect they just didn't want to do the work to make its location more obvious.

Re:Planning? It's not enough! (1)

TheRaven64 (641858) | more than 4 years ago | (#31550672)

They'd rather support people who were exploited because they were running the vulnerable version?

Re:Planning? It's not enough! (1)

maxume (22995) | more than 4 years ago | (#31550796)

Do you have any evidence of this exploit being used in the wild?

(Of course, I was mostly being a jerk in my previous comment, but it really isn't that shocking that they are following their standard release procedure here)

Re:Planning? It's not enough! (0)

Anonymous Coward | more than 4 years ago | (#31551584)

How were they going to support them, anyway? Send flowers as a "sorry" gift?

Re:Planning? It's not enough! (0)

thetoadwarrior (1268702) | more than 4 years ago | (#31550440)

It may already be released. I've had an update pushed through to all my instances of Firefox this week. If not, just over a month is better than some companies' records for getting a fix out.

Re:Planning? It's not enough! (1)

moteyalpha (1228680) | more than 4 years ago | (#31550552)

<humor>There appears to be a critical vulnerability in your logic and why did you not fix it before you posted? Were you not aware of it? Did you not research the problem and preview before submitting a solution? As a result, you created a second and worse vulnerability.</humor>
As others have pointed out, there is already a patch and I have looked at it myself.

Someone enlighten me (3, Insightful)

mrsteveman1 (1010381) | more than 4 years ago | (#31550036)

Why are companies so unwilling to micro-patch their software? If Mozilla has a fix NOW, why are they waiting another ~2 weeks to push it out with the next minor upgrade? Just to avoid making users upgrade too often?

Re:Someone enlighten me (2, Informative)

marcansoft (727665) | more than 4 years ago | (#31550062)

QA. New releases need to go through QA anyway to make sure they haven't botched anything up.

Usually the release process for a large piece of software requires a certain degree of human interaction (anywhere from light to extreme), and there's always the possibility that something will mess up, even if the bugfix itself is perfectly trivial or safe.

Re:Someone enlighten me (0)

Anonymous Coward | more than 4 years ago | (#31550566)

QA. New releases need to go through QA anyway to make sure they haven't botched anything up.

QA? WTF is that? Nobody does QA any more... if it compiles, ship it!

It's not fixed until it's QA'd (1)

ClosedSource (238333) | more than 4 years ago | (#31550590)

So you can get the untested version now which may or may not fix the vulnerability and potentially botch-up your system. This is better than waiting until March 30th in what way?

Re:It's not fixed until it's QA'd (1)

CyberDragon777 (1573387) | more than 4 years ago | (#31551616)

Supporting Firefox by beta testing it?

Something's already botched... (0)

Anonymous Coward | more than 4 years ago | (#31551044)

Seeing as how something's already botched up, QA seems like a moot point...

Re:Someone enlighten me (1)

mrsteveman1 (1010381) | more than 4 years ago | (#31551208)

Yes, I know.

I'm asking why companies insist on patching 20-30 things all at the same time. Surely it is easier to test for regressions when you're only including a single patch? Why can't you patch, test, release, and move on to the next problem?

Isn't this what MS does with their micro-patch KB fixes?

Re:Someone enlighten me (1)

oldhack (1037484) | more than 4 years ago | (#31550064)

Uhh... cuz it takes time to write and test patches and not add more (security) bugs?

Re:Someone enlighten me (1)

thetoadwarrior (1268702) | more than 4 years ago | (#31550464)

When a flaw is found they have to find how to fix it, write the code to fix it and then test it (so they're not left with a flaw due to the fix) and that isn't just a case of opening Firefox on one computer. They have numerous versions to test for.

I'm not sure if the fix was pushed out already because this week I've had updates cropping up for all my instances of Firefox at home and work. So either they're early or I'll get another one on the 30th. Either way, they're clearly doing their best.

Re:Someone enlighten me (1)

eulernet (1132389) | more than 4 years ago | (#31550536)

I guess that it's because it costs a ton of bandwidth (and thus money) to make a patch available.
Mozilla's patch system is pretty ugly, since it needs to download 3 megabytes for a few bytes changed.

And NO, it doesn't have anything to do with validating the patch, since it's very easy to check that the behaviour doesn't change, especially when the impact is very small.
Microsoft uses the "we need some time to check the patch" because they have to maintain a lot of different versions of their OS.

Re:Someone enlighten me (1)

TheRealSlimShady (253441) | more than 4 years ago | (#31550582)

But surely a 3MB patch is still less than the entire browser download - so therefore less bandwidth?

Re:Someone enlighten me (0)

Anonymous Coward | more than 4 years ago | (#31550598)

This is one of the funniest things about Firefox. A minor update, from say 3.6.1 to 3.6.2, is still significantly larger in size than a full download of the latest version of Opera. And what's funnier is that Opera is still more capable than Firefox, runs faster, and uses significantly less memory.

Re:Someone enlighten me (0, Flamebait)

wampus (1932) | more than 4 years ago | (#31551512)

And what's funnier still is that no one likes Opera or really gives a fuck about it.

Re:Someone enlighten me (2, Insightful)

The MAZZTer (911996) | more than 4 years ago | (#31550766)

Because the fix could break other things, or even not actually fix anything or fix the security vulnerability completely, or even cause a different security vulnerability (possibly worse).

Testing is important, especially when you want to attract users, not drive them away. Unstable software will do that.

Re:Someone enlighten me (2, Informative)

bunratty (545641) | more than 4 years ago | (#31551008)

If the vulnerability were publicly (fully) disclosed, perhaps Mozilla would rush a fix out the door. As far as I know, there has been limited disclosure of the vulnerability to only a few parties, and I haven't heard that the vulnerability is being exploited.

Re:Someone enlighten me (1)

Hurricane78 (562437) | more than 4 years ago | (#31551126)

In Linux world, it’s normal that the packages you get via your package manager have custom patches in them. So we get the fixes ASAP anyway. (Of course Windows, being the Playmobil OS that it is, lacks a general package manager.)

But I also wonder why they don’t just shove the minor updates in patch form through their update functionality. Just like addons can get updated every time you start Firefox. It would be what? A couple of bytes?

OMFG (0, Flamebait)

Anonymous Coward | more than 4 years ago | (#31550060)

OMFG, it's a critical vulnerability and it takes ONE month for them to fix. Those dogs of redmond... That's the advantage of OS. An open source project would have issued a fix in one day....oh wait...

Re:OMFG (4, Insightful)

wizardforce (1005805) | more than 4 years ago | (#31550186)

Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/ [secunia.com] . We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce. We’ve attempted to contact the researcher who discovered the issue but have not received a response.

Secunia: omfg Firefox has a vulnerability!!!
Mozilla: ok so what are the specifics?
Secunia: ...
Mozilla: Hello?
Secunia: ...
Mozilla: Anyone?
Secunia a few days ago: Right then... here are the details...
Mozilla: *patched beta*

Re:OMFG (1)

Securityemo (1407943) | more than 4 years ago | (#31550562)

Of course. You have to build up the correct suspension first, if you're not going the "surprise proof-of-concept 05.00 in the morning" route. It's just how these things are done.
People just have no respect for good professional showmanship.

Re:OMFG (2, Insightful)

recoiledsnake (879048) | more than 4 years ago | (#31550730)

Maybe it was more like this:

Secunia: omfg Firefox has a vulnerability!!!
Mozilla: ok so what are the specifics?
Secunia: ... (puts it on black hat exploit auctions)
Mozilla: Hello?
Secunia: ... (sells it to the highest bidders)
Mozilla: Anyone?
Secunia a few days ago: Right then... here are the details... (Milked it enough)
Mozilla: *patched beta*

Re:OMFG (1)

Anonymous Brave Guy (457657) | more than 4 years ago | (#31550738)

I love the way you implicitly assume that exactly the same problems don't apply to Microsoft/IE, or any other browser development team.

Did you realise that you are the guy the grandparent post was mocking?

Re:OMFG (0)

Anonymous Coward | more than 4 years ago | (#31552136)

Mozilla has earned the benefit of the doubt.

Microsoft has a proven track record of ill will, negligence and general contempt for its customers. Therefore it is generally met with suspicion and distrust and has to prove its case every time because of it.

Karma is a bitch.

Updating... how to? (0)

Anonymous Coward | more than 4 years ago | (#31550568)

Which distro would make it easier to update FFox and other apps?

I've used the rpm ones and rpm Uvh is somewhat easy; repositories are not that immediate though and dependence is not always simple to solve.

Ubuntu has well-maintained repositories and apt-search/apt-get makes one's life so easy -- except when you find you can't get the last FF. I installed the last one once, only to see it returned to the version present in the official repositories.

And there's always the problem of binary availability... not that compiling is that frightening -- but regarding binaries, it's either Fedora or Debian/Ubuntu.

To further complicate matters, I don't want Gnome...

And what happened to distro-agnostic packaging?

Re:Updating... how to? (3, Informative)

Bambi Dee (611786) | more than 4 years ago | (#31551740)

When I go to mozilla.com, a big green button offers me a .tar.bz2 with a distro-agnostic Firefox binary. Isn't that what you mean?

Why Mozilla should be implemented in Java or... (-1, Flamebait)

Paul Fernhout (109597) | more than 4 years ago | (#31550660)

This is why Mozilla should be implemented in Java, Smalltalk, Lisp, OCaml or a similar system. I don't know enough about this particular vulnerability to say if it would make a difference, but in general any garbage-collected language without obvious pointer indexing and with built-in array index checking is going to have a lot fewer low level security problems like buffer overruns or duplicate deallocations and so on that can lead to malicious code execution... Is the slight speed boost from a language like C++ worth all the extra security issues at this point, now that we have such fast computers? And with manual memory allocation and deallocation, sometimes code written in C++ can be slower than a language that takes care of it for the programmer in an optimal way... As a reminder:
    http://en.wikipedia.org/wiki/Greenspun's_Tenth_Rule [wikipedia.org]
"Any sufficiently complicated C or Fortran program contains an ad hoc, informally-specified, bug-ridden, slow implementation of half of Common Lisp." (or Smalltalk or some other languages...)

Re:Why Mozilla should be implemented in Java or... (0)

Anonymous Coward | more than 4 years ago | (#31550802)

And why they should use crayons instead of pencils.

Re:Why Mozilla should be implemented in Java or... (1)

shovas (1605685) | more than 4 years ago | (#31550962)

There are serious pros and cons one has to weigh choosing an implementation language for a project on the scale and the types of requirements that firefox has. I'm pretty sure your only serious contender in the list was Java and it has significant baggage all of its own. I'll take C/C++, I just wish programmers had a passion for better code in all of its aspects including the ever present yet most fundamental buffer overflow bugs.

Ridiculous Memory Consumption (0, Offtopic)

CranberryKing (776846) | more than 4 years ago | (#31551346)

I thought rats got in my computer and ate my sdram module, then I discovered it was just FF 3.6. Seriously, anyone else having a huge memory gobbling problem with this?

Recommendation (0, Redundant)

iPhr0stByt3 (1278060) | more than 4 years ago | (#31552282)

In other news, several security bigwigs have recommended using IE or Opera until 3.6.2 is released... wait, no... as the faulty product is not from MS, we don't care... keep using FireFox.