Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Germany Warns Against Using Firefox

timothy posted more than 4 years ago | from the fuer-ihre-sicherheit dept.

Firefox 509

jayme0227 writes "Due to the recent exploit in Firefox, Germany has warned against its use. This comes a couple months after Germany advised against using IE. Perhaps we should start taking odds as to which browser will be next." Note: the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month of 3.6.2.

cancel ×

509 comments

Sorry! There are no comments related to the filter you selected.

3.6.2 released (5, Informative)

Anonymous Coward | more than 4 years ago | (#31580128)

Yup

Re:3.6.2 released (3, Insightful)

Z00L00K (682162) | more than 4 years ago | (#31580250)

And if you want to be really safe - use Lynx instead. No images, no Flash, no Javascript, No ability to view pr0n.

Re:3.6.2 released (5, Insightful)

gzipped_tar (1151931) | more than 4 years ago | (#31580280)

> No ability to view pr0n.

I doubt that.

Re:3.6.2 released (5, Informative)

Anonymous Coward | more than 4 years ago | (#31580332)

http://www.asciipr0n.com/ [asciipr0n.com]

Re:3.6.2 released (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#31580798)

I wonder if that site would set off the text filter...

Re:3.6.2 released (4, Funny)

impaledsunset (1337701) | more than 4 years ago | (#31580470)

Re:3.6.2 released (0)

Anonymous Coward | more than 4 years ago | (#31580806)

Yeah dunno why people keep suggesting lynx.

Links or w3m seem to have a better track record:
http://secunia.com/advisories/product/20922/?task=advisories [secunia.com]
http://secunia.com/advisories/product/12960/?task=advisories [secunia.com]

vs Lynx:
http://secunia.com/advisories/product/5883/?task=advisories [secunia.com]

Re:3.6.2 released (2, Insightful)

rvw (755107) | more than 4 years ago | (#31580508)

And if you want to be really safe - use Lynx instead. No images, no Flash, no Javascript, No ability to view pr0n.

Use Noscript.

Re:3.6.2 released (0)

Anonymous Coward | more than 4 years ago | (#31580622)

Somehow, I've always hated firefox.
Yes it is overrated, bloated and ugly (always has been), it wastes screen space and .. its organic software (organic! I tell you)

  And look at their web page, its full of stuff that was made up by clever marketing people. Its not the best browsing experience and certainly not a fast one. Hell, I even prefer IE 8 to this crappy software.

go opera, go chrome

Re:3.6.2 released (0)

Anonymous Coward | more than 4 years ago | (#31580640)

I'll grant you that it's "bloated" and possibly "overrated," but it's only as ugly as the user wants it to be.

3.6.2 is out. (2, Informative)

Anonymous Coward | more than 4 years ago | (#31580132)

3.6.2 is out. [mozilla.org]

governments warn us about exploits (0)

Anonymous Coward | more than 4 years ago | (#31580144)

and advise us which browser to use? huh? my taxes are too high.

Re:governments warn us about exploits (1)

M8e (1008767) | more than 4 years ago | (#31580320)

Advise us which browser not to use. That is a big difference.

Re:governments warn us about exploits (2, Funny)

clarkkent09 (1104833) | more than 4 years ago | (#31580516)

Well they warned against IE and Firefox. On Windows that narrows it down to Chrome and Opera. I'm just waiting for one more announcement so I'll know which one is the winner.

(btw please don't show off your knowledge of esoteric browsers by listing them here. those are the four biggest ones by far)

Re:governments warn us about exploits (1)

M8e (1008767) | more than 4 years ago | (#31580678)

Well they warned against IE 6, 7 and 8 and Firefox 3.6.

TFTFY

Re:governments warn us about exploits (0)

Anonymous Coward | more than 4 years ago | (#31580830)

Safari is not an esoteric browser and is available on Windows. Brow'tard.

It ain't over till the fat lady sings (4, Funny)

Hognoxious (631665) | more than 4 years ago | (#31580796)

Opera. As any fule kno, Germans are really keen on opera. They have some that go on for weeks.

moot (0)

Anonymous Coward | more than 4 years ago | (#31580146)

They dun gone and been outmooted

Free software in action (4, Insightful)

Statecraftsman (718862) | more than 4 years ago | (#31580166)

As soon as I read about this on /. I realized Firefox is downloading an update to 3.6.2. This is why free software is our best tool against malware. Reaction time can scale with importance. And (shameless free software plug alert) it's why I wrote what's in my sig.

Re:Free software in action (1, Funny)

Anonymous Coward | more than 4 years ago | (#31580182)

Yes but you're forgetting the cancerous communism.

Re:Free software in action (5, Funny)

Anonymous Coward | more than 4 years ago | (#31580226)

That is a really poor standard you have. I don't want software that patches exploits quickly, I want software that was correctly written and had no exploits to begin with.

Re:Free software in action (1)

matria (157464) | more than 4 years ago | (#31580292)

Thank you; I needed a good laugh!

Re:Free software in action (1)

lattyware (934246) | more than 4 years ago | (#31580294)

Right. Find me a group of programmers that can write an entire web browser without any flaws or exploits, while having all the features everyone wants. Yeah.

Re:Free software in action (-1)

Anonymous Coward | more than 4 years ago | (#31580468)

lol! you say that like a browser is some complex piece of software.

http://secunia.com/advisories/product/28729/?task=advisories [secunia.com]

0 vulnerabilities. so, yeah, you're a fucking idiot.

Re:Free software in action (0, Flamebait)

Your.Master (1088569) | more than 4 years ago | (#31580530)

Everything you said in that post was stupid.

Every. Last. Word.

Re:Free software in action (1)

SuperDre (982372) | more than 4 years ago | (#31580542)

I think you are the preverbial idiot if you really believe it's possible to create something that doesn't have flaws/exploits.. How many flaws/exploits are found every day in software that was deemed flawless.. right too many to count.. Because you don't think there is an exploit possible, there's always some smartass who finds a way... some exploits are sooo genius no-one would have ever thought of them and always thought it was secure... Real secure software just isn't possible, there's always a way to circumvent the security...

Re:Free software in action (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31580612)

lol! yeah right, that is what an amateur programmer like you would say to cover your own incompetence.

Re:Free software in action (4, Funny)

Jurily (900488) | more than 4 years ago | (#31580646)

OpenBSD seems to do just fine, with a bigger codebase, written in C.

Wanna guess what the difference is? They have security-obsessed people in charge.

Nobody gets credit for fixing a bug. Instead, we celebrate the people who get a fix out fastest. We don't care about flammable buildings, but we watch the response time of the fire department like a hawk.

Re:Free software in action (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31580712)

Right. Find me a group of programmers that can write an entire web browser without any flaws or exploits, while having all the features everyone wants.

Yeah.

You sound English. Fucking wanker.

Re:Free software in action (1)

ipquickly (1562169) | more than 4 years ago | (#31580316)

I want software that was correctly written and had no exploits to begin with

And I want world peace.

Now which is more attainable? It all comes down to us-meatbags.

Re:Free software in action (1)

c-reus (852386) | more than 4 years ago | (#31580324)

Go ahead and construct a formal verification for any browser currently available. Here's a starting point [wikipedia.org] , let's see how far you'll get.

Re:Free software in action (1)

gzipped_tar (1151931) | more than 4 years ago | (#31580366)

Formal verification? Doesn't it all bog down to "Does Not Compute"? ;)

Re:Free software in action (3, Insightful)

Zontar The Mindless (9002) | more than 4 years ago | (#31580372)

I want software that was correctly written and had no exploits to begin with.

And I want Anonymous Cowards to start making /. posts that are insightful, useful, and realistic.

And WHERE'S MY PONY?!

Re:Free software in action (5, Insightful)

DNS-and-BIND (461968) | more than 4 years ago | (#31580456)

A sad day on Slashdot when someone saying "programming correctly is the right response" and he's ridiculed by at least 4 replies and modded +3 Funny. What the hell happened to this place?

Re:Free software in action (4, Funny)

chthon (580889) | more than 4 years ago | (#31580496)

They where probably all reactions from people who program for a living.

Re:Free software in action (0)

Anonymous Coward | more than 4 years ago | (#31580548)

Do you require HTML and CSS compatibility?

Re:Free software in action (2, Funny)

im_thatoneguy (819432) | more than 4 years ago | (#31580288)

What the German government should do is release an open source application which switches your default browser.

A team of German security experts would make a bi-weekly security assessment and then set the default browser for the period. ;)

Of course this browser switcher would also be able to push patches as well. Automate their recommendations!

Re:Free software in action (1)

umghhh (965931) | more than 4 years ago | (#31580782)

I think you are right but your proposal misses one vital feature - this switcher should also fully automatically transfer all our account information to the tax man - that would save the government some millions usually charged for bank accounts info stolen from swiss banks.

Re:Free software in action (0)

Anonymous Coward | more than 4 years ago | (#31580308)

Where does it say in the GNU license that I can expect timely fixes? (or any at all?) This has nothing to do with free software. Firefox is riddled with security holes, is bloated and crashes more often than an old scottish drunk. Opera has a much better track record than Firefox and is by far the better browser. Though for a open source cheerleader like you, facts are probably unimportant.

Re:Free software in action (1)

Beelzebud (1361137) | more than 4 years ago | (#31580334)

If Firefox is bloated and crashes a lot, that's your own damn fault for installing 100 addons.

Re:Free software in action (1)

bickerdyke (670000) | more than 4 years ago | (#31580476)

The gpl guarantees fixes as fast as you are able to debug the code yourself.

Thats what is guaranteed. But what you can expect is getting a fix as soon as someone debugged the code. (usually pretty fast, but not guaranteed)

and even that CMA-guarantee is much better than what you get for closed source.

They could contact them easily too (1)

Ilgaz (86384) | more than 4 years ago | (#31580354)

Better yet, free software authors (developers) aren't hiding anywhere. It would be hard to contact IE team but Mozilla developers can be reached easily, via mail or even IRC.

Posting this warning while it is easy to figure/ask 3.6.2 is OTW really requires some review by German Govt. For example, did someone from that team have some dinner/launch with some company executive lately?

Re:Free software in action (5, Interesting)

Zoidbot (1194453) | more than 4 years ago | (#31580382)

You know it's taken over a month to fix this right? The exploit was discovered 18-02-2010 according to securina.

Opera takes less than a week usually (and the occurrence of exploits is less also).

The argument that Open Source allows anyone to fix things and thus making patches quicker does not work, as clearly it also opens up your code for hackers to review looking for new exploits. I don't believe in security by obscurity, but the fact remains, Opera is closed source and the most secure (and fastest) web browser out there.

Re:Free software in action (2, Informative)

Anonymous Coward | more than 4 years ago | (#31580770)

The guy who found the bug didn't give details to Mozilla promptly, he sold it in his security product to clients for a few weeks, then told Mozilla. Can't blame Mozilla for not fixing a bug they had 0 details on. Once they were given details they fixed it in a few days, not bad for fixing the bug, making a build, QA'ing and releasing it.

Re:Free software in action (1)

MrMista_B (891430) | more than 4 years ago | (#31580790)

You know it takes a little while to bug test bug patches, right?

Re:Free software in action (1)

umghhh (965931) | more than 4 years ago | (#31580754)

This is all very strange - on BSI [bsi.bund.de] (this is what the german abbreviation of Federal Office for IT Security is) site there is nothing about this, BuergerCert [buerger-cert.de] site informs about new upcoming release of firefox that is going to fix unspecified security problem. If you compare it with IE warning from some time ago there is a difference - back then BSI issued a warning telling people not to use compromised software that is actively used for attacks and here you have a warning based on information of new release. Fear mongering - that is what it is - a new and terrible thing has happened - somebody is releasing software to fix the bug that nobody has abused yet. Good that German Gov. is issuing warning but judging on this government record (Moevenpick subsidy to hoteliers or sucking of Mr Sawicki on request of big Pharma) I'd say FDP and/or CDU (governing parties) took money from somebody again. I would not look for conspiracy anywhere but current government actually does not even bother with hiding their deplorable attitude towards private money - funny thing is that they do it in such incompetent way that it is almost laughable (well one should cry actually - they have our tax money).

To add some information to the void.. (4, Informative)

Seth Kriticos (1227934) | more than 4 years ago | (#31580188)

The vulnerability *only* affects the current 3.6 branch. Patch is complete and will be pushed on the 30th of March.

Here is the Mozilla blog entry on the topic:
http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608 [mozilla.com]

Here is the original bug report:
http://secunia.com/advisories/38608 [secunia.com]

Ps: can we please get security related articles with some content instead of *OMG, we are all going to die!!* ??

Re:To add some information to the void.. (2, Insightful)

n6mod (17734) | more than 4 years ago | (#31580204)

Seth, scroll up one post in the blog. 3.6.2 was released tonight.

Re:To add some information to the void.. (1)

EldestPort (1693956) | more than 4 years ago | (#31580494)

Why would they wait a week to push an important security patch anyway?

Re:To add some information to the void.. (1)

allo (1728082) | more than 4 years ago | (#31580502)

and why is the patch not pushed ASAP?!

Re:To add some information to the void.. (1)

andrea.sartori (1603543) | more than 4 years ago | (#31580600)

it is.

This just in (3, Insightful)

Rijnzael (1294596) | more than 4 years ago | (#31580200)

German government warns against use of the internet and software that has bugs.

Software is inevitably going to have bugs in it and try as we might, it's something we'll always have to deal with. There are always mitigation strategies, such as running Firefox in a virtualized environment a la Sandboxie [sandboxie.com] or a full virtual machine, but we'll never be privy to using only bug-free software day to day. I'm glad to see the German government taking an active approach to notifying people in regard to vulnerabilities in an attempt to mitigate them, but as TFA states, what's the point in suggesting users quit using Firefox when the alternatives are potentially just as vulnerable?

Re:This just in (1)

mlts (1038732) | more than 4 years ago | (#31580506)

Sometimes I wonder if application virtualization like Sandboxie should be part of the OS. Not just Windows, but on UNIX as well. With ZFS, this is easier because a directory can be rolled back fairly easy due to the snapshot functionality.

Another cool idea is how Thinstall (well, now called VMWare ThinApp) packages apps. The app thinks it has admin rights and can happily doodle around the Registry and the filesystem, but in reality, all it does is just modify stuff stored in \users\blarf\appdata\roaming\Thinstall\appname. Even the Registry changes are stored as a file. If an OS could do this for legacy apps, it would help security tremendously, so if an app is compromised via a code injection, only that directory ends up suspect, and not the whole user environment, or even worse, the whole system.

Re:This just in (1)

rawler (1005089) | more than 4 years ago | (#31580592)

Only if that app does not have to communicate in any way with the rest of the system. What people encouraging virtualization tends to forget is that a multi-tasking OS already have means of protection. The memory an application sees is virtual, and the access to the rest of the system often enforces a security-model.

Still, however, the user has little use for isolated applications that cannot talk to others. A modern web-browser more or less requires other apps to be of any use, such as flash, a pdf viewer, maybe access to the OS centralised authentication management (stored passwords, Kerberos SSO...), and it needs to be able to store downloaded files where other applications can open them.

Fully contained and isolated apps are great for security, but crap for the user, which is when users usually starts breaking down the security enforcements to get any work done. The key is finding an appropriate balance between usability and security, which of course varies depending on security-requirements.

Bah (3, Insightful)

tsotha (720379) | more than 4 years ago | (#31580206)

The take-away from this is Germans are never happy.

Re:Bah (0)

Anonymous Coward | more than 4 years ago | (#31580266)


The take-away from this is Germans are never happy.

I so agree. Godwin is SUCH a Nazi.

Re:Bah (3, Insightful)

beh (4759) | more than 4 years ago | (#31580276)

So, what would you rather have?

That they warn you about vulnerabilities in IE6, but ignore vulnerabilities in open source browsers?

I think they've done the right thing - there was a security hole (in the 'current' 3.6), and they warned about it. Their warning DID include that it affected the 'current' 3.6 version and that it should be fixed in 3.6.2.

That's fair comment, and it's their job to report it and not lull people into a false sense of security that the (then current 3.6) version of firefox was safe.

If they had NOT warned, it might have damaged their reputation for NOT covering it, and it might also have helped MS lobbying efforts if they could have been shown to be biased by reporting on IE issues, but not Firefox ones...

Re:Bah (1)

hackel (10452) | more than 4 years ago | (#31580378)

If they would have contacted the Mozilla team they could have announced that the update was due out TODAY and advise users to upgrade, instead of advising them not to use it.

This is just irresponsible fear-mongering, and I think it is highly likely that it was done as a form of retaliation against the previous IE recommendation.

Re:Bah (0)

Anonymous Coward | more than 4 years ago | (#31580490)

to be fair, 3.6.2 wasn't originally scheduled for today. the German announcement forced Mozilla to push forward the release date, which means other fixes didn't make it, and there was less time for testing.

Bah humbug! mod parent TROLL (2, Informative)

beh (4759) | more than 4 years ago | (#31580522)

mod parent TROLL...

Have you looked at the BSI page and linked mozilla blog page?

The mozilla blog entry was dated March 18th (giving March 30th as the release date for 3.6.2). The BSI advisory was dated March 19th (4 days before the story broke on slashdot; and 4 days before the actual release of 3.6.2).

So, you're saying, it was retaliation by BSI against Firefox, for publishing a release date the firefox crew themselves published the day before?

On March 19th - with the projected release date 11 days away, it seems it was perfectly in order for BSI to recommend use of an alternative for those 11 days:

    "empfiehlt das Bürger-CERT die Nutzung alternativer Browser, bis die Mozilla Firefox Version 3.6.2
        veröffentlicht ist."

This has nothing to do with fear-mongering - but simply that during a potential danger period, people might want to watch out. Their article clearly stated it only affected 3.6, and their article stated that their advisory is temporary 'until 3.6.2 is released'.

How is that retaliation?

Responsible reporting (2, Insightful)

AmiMoJo (196126) | more than 4 years ago | (#31580220)

The German government seems to be being quite responsible here. There is an issue with Firefox, and most users probably don't know about it because they don't regularly read tech news sites.

The government is simply trying to keep people informed about this rather important topic, and has done so in a reasonable and proportional way. Not every warning put out is a damning condemnation of flawed security that mandates switching to Lynx you know.

Re:Responsible reporting (1)

value_added (719364) | more than 4 years ago | (#31580336)

The German government seems to be being quite responsible here. There is an issue with Firefox, and most users probably don't know about it because they don't regularly read tech news sites.

No, it's an attempted government takeover of the IT sector. Do you really want a government bureaucrat telling you what you can or can't do, what sites you can visit, or what browser you should use? I say let the free market decide. This country was founded on the ideas of personal responsibility, freedom and liberty, ideas that were enshrined by the Founding Fathers in the ...

Oops. Sorry. Wrong country.

I'll come in again.

Re:Responsible reporting (2, Informative)

mysidia (191772) | more than 4 years ago | (#31580348)

Yeah... that's actually encouraging, it means they are actually providing meaningful distinctive advise/suggestions, and not merely copy and pasting vendor vulnerability lists and activating pretty 'alert level' colors...

not like the US government, who yanked up what used to be the wonderful somewhat independent [but gov sponsored] organization called 'CERT', absorbed them into the department of homeland security, and turned them into US-CERT a mere vacant shadow of their former selves, just another clearinghose that lists every bloody little Windows vulnerability the earth has ever known, nothing too interesting, nothing too distinctive or useful anymore.

That is, ever since, CERT's usefulness has plummeted by orders of magnitude, nowadays they typically just parrot all the major commercial vendors' security advisories, even ridiculously minor ones --- I suppose this is great if you are a Windows user, it should convince you to switch, but for the rest of us it sucks.....

CERT has made what, 1 activity incident report based on actual events or compromises, intrusion patterns, intrusion details, or reports on new types of threats since 2001?

Governments don't know what to do about security, I guess... their efforts at 'reporting' just degenerate into vulnerability listing, and other mundane non-intelligence-requiring activity.

Either that or they think it's too dangerous to tell the public what direction attacks/bad guys seem to be heading.

Re:Responsible reporting (1)

ZeRu (1486391) | more than 4 years ago | (#31580350)

But I don't want my Government telling me what software I should have (or have not) on my computer, even if they think it's a friendly warning. Next thing they'll advise what food to eat, what clothes to wear or what haircut to have.

As George Orwell said - Government thinks for you so you don't have to!

the way to go (1)

l3v1 (787564) | more than 4 years ago | (#31580228)

Well, the Germans, by releasing this warning about the same time the expected Firefox update came out only proves that their eariler recommendation for choosing Firefox was the right one.

Re:the way to go (-1, Flamebait)

Zoidbot (1194453) | more than 4 years ago | (#31580396)

The exploit has been in the wild over a month. That is NOT the "way to go".

Security needs to be built in from the foundation, not patched in as you go.

Firefox is the bodged and patched up house built by cowboy builders. Opera is the luxury apartment built by skilled contractors.

The German warning still stands, if you use Firefox, you are using a browser that has unsecure foundations and at any point you are open to attack as soon as somthing crops up (the fact it's got a decent marketshare also means it's worthwhile to make exploits).

If you want security, then Firefox is a RELLY bad choice, which is ironic, as most of their usebase came from frightening IE6 users into moving to something "safer" (IE8 is far more secure than Firefox these days)..

http://www.opera.com/browser/ [opera.com]

Re:the way to go (0)

Anonymous Coward | more than 4 years ago | (#31580562)

LOL. Nice try, troll.

Re:the way to go (0)

Anonymous Coward | more than 4 years ago | (#31580572)

Opera is the luxury apartment built by skilled contractors...

who are all union members, except for the two undocumented workers who do the jobs the union guys don't want to do, and that Italian guy who's on the payroll but doesn't really do any work. And oh yeah, the contractors are not authorized to make any changes unless project management approves them, and the union leaders are agreeable, and OSHA finds that proper safety precautions are in place, and the local building inspectors find that the changes are all up to code, and the accountants are certain that the projected increase in costs due to the changes won't cause a budget shortfall. Meanwhile raw sewage is still overflowing into the basement because someone screwed up when installing the backflow valve, but rest assured that the proper paperwork has been filed and if approved a work order to rectify the situation should be ready in no more than two months.

Re:the way to go (2, Informative)

jim_v2000 (818799) | more than 4 years ago | (#31580700)

Opera 10.51 Changelog [opera.com]

"Security
Fixed
Fixed an issue where the HTTP Content-Length header could be used to execute arbitrary code; see our advisory (http://www.opera.com/support/search/view/948/).
Fixed an issue where XSLT could be used to retrieve random contents of unrelated documents, as discovered by crazypops; see our advisory (http://www.opera.com/support/search/view/949/)."

OH SNAP SON! So much for those skilled contractors and their superior skills.

First (4, Funny)

Beelzebud (1361137) | more than 4 years ago | (#31580262)

First they came for IE, and I didn't speak up because I didn't use IE.

Then they came for Firefox, and I didn't speak up because I didn't use Firefox.

Re:First (4, Funny)

pagaboy (1029878) | more than 4 years ago | (#31580368)

Then they came for Windows ME...

Re:First (1)

Bugamn (1769722) | more than 4 years ago | (#31580574)

And I was quite happy, I must say.

Google Chrome. (0, Flamebait)

cordivae (1771322) | more than 4 years ago | (#31580306)

It rocks. Just sayin.

Re:Google Chrome. (1)

Beelzebud (1361137) | more than 4 years ago | (#31580330)

Firefox rocks too, and it doesn't serve as ad tracking software for Google.

Re:Google Chrome. (1)

RobbieCrash (834439) | more than 4 years ago | (#31580340)

That's true, as long as you turn off Google as the default search, disable cookies, and don't use any other Google services. Which, you can do in Chrome too.

Re:Google Chrome. (3, Informative)

muckracer (1204794) | more than 4 years ago | (#31580818)

> That's true, as long as you turn off Google as the default search, disable cookies

And don't forget about LSO cookies (Flash directory), that do NOT get deleted by FF's cookie deletion on exit. Extra add-on is needed (BetterPrivacy) to do so.

Oh...and MozDevs...please restore the 'Clear History on Exit' window on browser exit. Thanx!

Re:Google Chrome. (1)

heffrey (229704) | more than 4 years ago | (#31580492)

I think you'll find that Chrome's record with regards security is no better than IE8 or FF.

Also, as far as rocking, I still can't get over the way it rides roughshod over installation standards and copies program files to your user profile. Until they get that sorted I won't touch it.

German government warns: (2, Funny)

dushkin (965522) | more than 4 years ago | (#31580314)

* against the use of Opera!
* against the use of Chrome!
* against the use of internets!

Re:German government warns: (1)

gaelfx (1111115) | more than 4 years ago | (#31580786)

OK, we're computer literate folks around here (mostly), can't we figure out a better way to set up a warning system?

GLOBAL string name=browser.name.random();

c.out"German government warns against the use of " name;

You have been warned.

Firefox (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#31580342)

3.6.2 released

Beta/Nightly (1)

Bert64 (520050) | more than 4 years ago | (#31580376)

Surely anyone who is concerned about this vulnerability could simply run one of the nightly builds until the official update is released?

Re:Beta/Nightly (1)

sowth (748135) | more than 4 years ago | (#31580528)

Or just stay with the 3.5.x series [mozilla.org] . Problem is, I don't see where they even link to it on their website. Even the 3.5.8 release notes [mozilla.com] page seems to link to 3.6 for downloads...

Older versions have unpatched vulnerabilities? (1)

buchanmilne (258619) | more than 4 years ago | (#31580394)

The article says:

It is only the current version that is affected, but given that prior releases have different vulnerabilities, reverting to an older version of the browser is ill-advised.

However, the older releases page [mozilla.com] states that 3.5 will receive security updates until August 2010.

So, since 3.5 was not affected by this specific vulnerability, what vulnerabilities are unpatched in the current 3.5 release (3.5.8)?

If the Beeb or the German government knows something Firefox doesn't know, maybe they should tell us so that people still using/shipping (in the case of most linux distros) 3.5 can upgrade to 3.6? Or, if they *don't* know better, maybe they should stick to fact and not conjecture ...

Re:Older versions have unpatched vulnerabilities? (1)

sowth (748135) | more than 4 years ago | (#31580472)

This is what I was wondering, however the firefox site does point to the experimental 3.6 version last time I checked. When I upgraded to 3.5.8, I had to find the ftp site to download it. WTF? I know they want testers, but seriously, that is crap.

The mozilla project isn't so immature they need lots of people testing their new experimental code. I could see them putting a note on the main page saying "Hey, some of you try out our experimental version 3.6, it has new wiz bang technologies! (not ready for production use)" This is what is wrong with software development today.

I don't want to be accessing my bank's site with experimental software which is more likely to have security problems. Craxy. (Cue Mad Hatter with his eyeballs rolling around in his head.)

Re:Older versions have unpatched vulnerabilities? (1)

Spad (470073) | more than 4 years ago | (#31580518)

Because reverting to older versions increases the chances of accidentally getting part of, say the 3.5.x branch, that isn't 3.5.8 and does have unpatched vulnerabilities. Remember that we're not really talking about /. users here - we already know about the current vulns, patches, workarounds and alternatives - but "regular" users of Firefox who are used to just clicking on the "Firefox x.x Free Download" link on the getfirefox.com frontpage.

Good news for free software (1)

doublegauss (223543) | more than 4 years ago | (#31580426)

Contrary to Slashdot etiquette, I did read TFA. To me, the most extraordinary piece of news is that the BBC (not quite a geek-oriented news source) makes no mention at all of Firefox being FLOSS. This is excellent news. It means becoming mainstream. The Gandhi quote springs to mind.

Re:Gandhi?!! (1)

lePooch (1553929) | more than 4 years ago | (#31580596)

Gandhi had a quote with regards to Open Source going mainstream? ...are we talking about the the same Gandhi here? Pastoral Hindu Cotton-loom ascetic Gandhi?

And the risk is??? (1)

bradbury (33372) | more than 4 years ago | (#31580510)

If I'm reading this correctly, the vulnerability is in WOFF fonts (what is a WOFF font?) and possibly allows some heap corruption. How do these various "exploits" actually get the Firefox code to execute out of the heap? I.e. one presumably has to either scribble on some known call-back function address in the heap, or somehow scribble on the stack (so Firefox/Seamonkey functions return to the exploit code in the heap) and isn't the data in the heap non-executable (at least under Linux)? I would expect that anyone trying to exploit vulnerabilities such as this would be causing the browser to abort (due to SEGV's or other severe faults) and would drive users away from accessing such pages.

So are these many "exploits" one hears about mostly sound and fury or are there serious risks? [In contrast to say something like an SQL injection attack where a person with reasonable knowledge of SQL could compromise insecure servers.]

Re:And the risk is??? (1)

andrea.sartori (1603543) | more than 4 years ago | (#31580654)

A WOFF font is a font that barks at you while you type. The heap corruption exploit causes it to mess with "local business search" on your smartphone.

Re:And the risk is??? (0)

Anonymous Coward | more than 4 years ago | (#31580762)

If I'm reading this correctly

It seems to me like you're not reading much, you just like the sound of your own posts. If you read the bug report http://secunia.com/advisories/38608 or Mozilla blog http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608, it clearly states that this particular exploit could result in remote code execution by an attacker.

It's a buffer overflow exploit, simple as. You should add "buffer overflow exploit" to your vocabulary, right beside SQL Injection Attack. Seems to me you don't know much about security, but love to spout on about vulnerabilities like your an expert.

Re:And the risk is??? (2, Informative)

ewrong (1053160) | more than 4 years ago | (#31580774)

A WOFF font is a Web Open Font Format font.

http://hacks.mozilla.org/2009/10/woff/ [mozilla.org]

It's basically an extension of the @font-face rule with it's own compression and meta tagging. Please don't tell my designers about it.

Government Warns against Using the Internet (1)

Liambp (1565081) | more than 4 years ago | (#31580526)

The Government warned today issued a warning against using the internet because of security issues.

The office for Information Security reported the discovery of a major flaw that allows bad people to use the internet too. Citing incidents of users who have already been spammed, scammed, hacked, phished, botted, keylogged and otherwise abused the office has issued a strong recommendation to stop using the web altogether until this vulnerability is patched.

It is as yet unclear whether these exploits will be patched in the pending release of Web 2.1

in other news (1)

alienzed (732782) | more than 4 years ago | (#31580536)

China just plain doesn't want anyone using the internet.

deutchland deutchland uber alles -denn wir koennen (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31580620)

According to Moore's Law, semiconductor-based hardware is on a never ending treadmill of improvement. The process can't be stopped or slowed down--it's relentless. Meanwhile, the software that sits atop this hardware doesn't keep up. I'm not sure why, but it gets on my nerves.

The treadmill is horrible. Every computer company is forced to either upgrade constantly or lower prices (or both). Compare what you could get for $3,500 in 1985 with what you can get today for $1,000, even factoring in inflation, R&D, and the rest. The processing power of an Intel 286 was between one and three MIPS. Today's Core i7s do 7,500 to 75,000 MIPS (or more), depending on who is measuring. Of course this chip isn't in a $1,000 box yet, but it will be soon.

The fact of the matter is that the treadmill process has ironically ruined the business. Computing power has gone from something of value to a commodity. From 1975 to 1990, computers were valued transformative tools. They hit a brick wall when Windows 95 arrived, turning everyone into touchie-feelie mouse-oriented users. The GUI was a boon to sales since it simplified computer use, but it also began the commoditization process. After Windows 95 hit the streets, there was nothing much more to do beyond tweaking what you already had.

Here is the test: Get a hold of an old machine that still runs, say, Windows 3.0. See if you can run a program. The whole thing is clunky and, frankly, weird. Now see if you can operate a Windows 95 machine. Simple, right? It's not that different from Windows Vista or Windows 7. The GUI I/O is pretty much the same, save for the pretty pictures and 3D icons. The same holds true for Apple. An OS X user should find it very easy to operate the 1984-era Macintosh. This is not because it is inherently intuitive--it's not. (For further proof, watch Star Trek IV.) You can run it easy because things haven't changed that much.

The touchscreen tablets we'll be seeing in the coming months may deliver a new paradigm--but I doubt it. Right now it looks like we'll be stuck with "poke-and-slide." But like everything else in the consumer electronics space, the underlying technologies can't just be old ideas that have merely been tweaked, so we end up with a desktop computing scene that is essentially old software and ideas sitting on some of the most powerful gear imaginable.

It's as though auto racing had these modern drive trains and chassis for Formula One Racing, but no one could do much more with the body beyond tweaking a 1969 VW Beetle. And if asked to come up with a new design, no one could think of anything beyond the old model. This is where desktop computers sit right now, and I get the sense that it's not changing any time soon.

My biggest disappointment is with the Linux community. It could do much more than producing copycat GUIs for desktops. Perhaps there is a fantastic and unique GUI that is buried in the noise and cannot get any attention. But how hard is it to draw attention to yourself when you have something unique and new? Sure that "cube" interface was interesting--to a point. When it comes down to doing any actual work on the thing, it still boils down to the desktop. And that, ultimately, is the problem: the desktop. It's the original Xerox paradigm that was lifted by Apple and then Microsoft.

Years ago, I wrote a column complaining about this model, suggesting other workplace paradigms such as the "farm" or "airplane cockpit." They weren't much better. Someone needs to get creative.

There is no actual real world equivalent for the poke-and-slide GUI used by the best smartphones. I don't know about you, but after the novelty wears off, it's just not that exciting. Who can come up with something better? I'm betting nobody.

So here we are, sitting on a Ferrari chasis controlled by the desktop and poke-and-slide models. With a billion computer users, no one can dream up anything new? I am stunned by this creative rut.

In the mean time, poke, poke, poke, slide, slide, slide.

Skin heads are stupid, stupid people. Just like republicans.

Chrome also (0)

Anonymous Coward | more than 4 years ago | (#31580710)

The German government also warned about using Google Chrome when it first came out. I'm not sure what the status on that is right now.

Update the summary - 3.6.2 already released (0)

Anonymous Coward | more than 4 years ago | (#31580752)

Update the summary. Firefox 3.6.2 is already released and there's no reason to stop using Firefox. Update to latest version and that's it.

Power of free software. :)

And this is why I use IE (1)

Toreo asesino (951231) | more than 4 years ago | (#31580820)

Mozilla clearly have no idea about....... ....wait a minute....it's not a Microsoft product we're talking about?!

THIS IS SUCH A NON ISSUE! The German government are clearly over-reacting here.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>