
A Bad Month for Firefox

CowboyNeal posted more than 7 years ago | from the and-its-bugs dept.

Mozilla 195

marty writes "February is not a good month for Mozilla developers. Infoworld reports about the efforts of Polish researcher Michael Zalewski, who apparently kept finding new vulnerabilities in the popular browser on a daily basis through the month, first postponing the 2.0.0.2 update, and then finding a remotely exploitable flaw in it immediately after its release."


Compelling reasons to switch to 2? (2, Insightful)

soupforare (542403) | more than 7 years ago | (#18133674)

I'm still running 1.5.0.9 and it works a treat. Am I missing something besides, apparently, h4x?

Geek dream (0, Offtopic)

DrYak (748999) | more than 7 years ago | (#18133696)

Am I missing something


Using the "But, I must quickly fix those holes ! It's open source and I don't need to wait on the foundation to fix it" as an excuse in order not to go out in the sun.

Re:Compelling reasons to switch to 2? (2, Funny)

arodland (127775) | more than 7 years ago | (#18134674)

You're also missing the annoying UI design and worse performance.

Re:Compelling reasons to switch to 2? (5, Informative)

kv9 (697238) | more than 7 years ago | (#18134834)

You're also missing the annoying UI design and worse performance.

I agree that the UI is not the most pretty thing ever envisioned (why does everyone go for ROUND shit now? let me guess, the UI designers have Macs) but performance wise it got better. also it's more stable and the integrated session management allows you to get rid of all the clunky extensions that tried to provide sessions (along with the kitchen sink)

there are also tabbed browsing improvements and other features. GP, check the changelogs.

Compare against the best. (3, Interesting)

Anonymous Coward | more than 7 years ago | (#18134982)

When it comes to software performance, it's pretty useless to compare the performance of your software to a previous version of that same software. You need to compare your performance to that of the current leader in the same market.

Maybe Firefox 2 is faster than Firefox 1.5. But compared to Opera, Konqueror and Safari, it's still quite slow and extremely bloated. Apparently it's also quite insecure, too.

KDE 4 is getting very close to being released. Its native support for Windows will bring Konqueror to a whole new audience, thus drastically changing the Windows browser landscape. Unless the Firefox developers really get their asses in gear, which apparently isn't happening, Konqueror will come along and smite Firefox.

If the beta released today is any indication of what the final KDE 4 release will be like, then Firefox had better watch out. This new version of Konqueror already has the speed. It has the stability. It has extremely low memory usage (but still higher than Opera). I don't know if Firefox will be able to compete unless a massive rewrite is undertaken. But if they do wish to remain competitive, they'd better get going.

Re:Compare against the best. (5, Informative)

omeomi (675045) | more than 7 years ago | (#18135222)

But compared to Opera, Konqueror and Safari, it's still quite slow and extremely bloated.

I use Firefox and Opera on Windows, Safari on OSX, and I have occasionally used Konqueror, but I'll admit, not as frequently. However, I've never noticed a perceptible difference in speed or obvious bloat between Firefox, Opera, and Safari. "quite slow" and "extremely bloated" are obviously complete fabrications...

Re:Compare against the best. (2, Insightful)

SirTalon42 (751509) | more than 7 years ago | (#18135334)

Konqueror will also run natively on OS X. Also, when run alongside other KDE apps and the DE, Konqueror's memory usage (because of shared libraries) is most likely lower than Opera's, though it can still use some work to become even more efficient. Firefox developers will have an INCREDIBLY hard time making the Firefox UI as fast as Konqueror/Safari/Opera because of their extensive use of XUL.

Just for full disclosure, I use Konqueror as my primary browser on all *nix systems, and Opera everywhere Konqueror won't run. Several revisions of Konqueror ago and back before Opera's free version removed the ads I used Firefox primarily, but as Konqueror matured and Opera removed the ads I moved away. I've never really been much of a fan of software that's released as OSS to try and save itself as part of its dying breath; the code base is generally pretty ugly and brittle, and it often steals resources away from good projects that have been OSS from the start.

Re:Compare against the best. (0)

Anonymous Coward | more than 7 years ago | (#18135590)

Sorry, but users don't really care about those extra milliseconds or whatever firefox takes to render more than those other deficient shitty browsers. Unlike the BS you are spreading the difference would only be noticeable if you run worthless benchmarks.

KDE 4 is getting very close to being released. Its native support for Windows will bring Konqueror to a whole new audience, thus drastically changing the Windows browser landscape. Unless the Firefox developers really get their asses in gear, which apparently isn't happening, Konqueror will come along and smite Firefox.
Total BS, Konqueror has 0 chance of getting any more market. I would avoid telling my wet dreams out loud.

Re:Compare against the best. (1)

ijakings (982830) | more than 7 years ago | (#18135628)

When it comes to software performance, it's pretty useless to compare the performance of your software to a previous version of that same software. You need to compare your performance to that of the current leader in the same market.
I'm sorry, but your post got less credible after this sentence. Mainly because IE is the leader in the current market. I'm not a vole fanboy, I even hate it more than most, but you need to compare Firefox with the market leader, like you said. Which IE currently is. Which Firefox is better than by a huge margin.

Re:Compelling reasons to switch to 2? (1)

mccoma (64578) | more than 7 years ago | (#18135312)

let me guess, the UI designers have Macs

Given how the UI looks and acts on a Mac, I can assure you that this is not the case.

WARNING: Firefox 1.5 vs. 2.0 :: Old vs. New (1, Insightful)

reporter (666905) | more than 7 years ago | (#18135370)

New software and new cars generally have more defects than old software and old cars. The first-year release of a Toyota Camry relies on customers to find and report the defects. The defect information is fed back to the Toyota engineers, and they redesign the defective parts of the Camry. The third-year release of the Camry should be quite reliable. (Toyota [msn.com] has some of the highest rates of recalls [thestar.com] in the automotive industry. Toyota typically recalls nearly 10% of its vehicles -- versus "only" 7% for General Motors.)

Software works in the same way.

If you are using your Web browser to do critical jobs like online banking, you should continue to use the latest iteration of Firefox 1.5 [mozilla.com] . The latest iteration is version 1.5.0.10 [mozilla.org] . If you are still using Firefox 1.5, look under the "Help" option to find the option, "Check for Updates", which will enable you to upgrade to 1.5.0.10.

Continue using version 1.5 until 2007 April 24. On that date, Mozilla programmers will cease fine-tuning version 1.5.

After April 24, switch to version 2 of Firefox. Waiting 2 more months before using version 2 will give vital time to Mozilla programmers to fix any critical problems in the new version.

Bottom line (5, Insightful)

AndyBassTbn (789174) | more than 7 years ago | (#18133678)

Bottom line - the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE.

Granted, I do think Firefox is far superior to other browsers on the market, but I don't think that this should surprise anyone. At least Firefox is being fixed quickly. I suspect other software companies may not have held back their release times on upgrades to fix additional bugs. ("Don't worry now, just get this new version out before the deadline, we'll fix it later...")

Re:Bottom line (4, Insightful)

Mateo_LeFou (859634) | more than 7 years ago | (#18133684)

"the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE." Except that with the Fox, half of the people looking for and finding bugs are doing so in order to help get them fixed.

Re:Bottom line (2, Interesting)

H8X55 (650339) | more than 7 years ago | (#18134700)

Except that with the Fox, half of the people looking for and finding bugs are doing so in order to help get them fixed.

(insert devil's advocate)
But for how much longer? the more positive attention fox draws from the unwashed masses, the more negative attention will turn in that direction from malware developers. If you go from 5% marketshare to 25% marketshare - your percentage of people looking for and finding bugs for good would drop through the floor. Think of it like this - Maybe one out of every ten of my FFX using friends actually do any app-dev work. Is that accurate? Maybe 10% of all users? If more 'regular people' started using FFX, ditching IE, you think you're still going to have 10%? Safari and FFx are safe for now, because they're not being targeted by hundreds/thousands/millions.

Re:Bottom line (1)

Mateo_LeFou (859634) | more than 7 years ago | (#18135070)

I don't think it goes without saying that all applications are targeted the same. They're not; certain companies, for whatever reason, have pissed more people off than others. Fact is, Firefox is a community-oriented, community-developed piece of software. It's not a plannedly-obsolete product designed to improve someone's bottom line. As such, it doesn't foment the kind of animosity that certain other pieces of software I could name do...

Re:Bottom line (1)

Jahz (831343) | more than 7 years ago | (#18135548)

Except that with the Fox, half of the people looking for and finding bugs are doing so in order to help get them fixed.


(insert devil's advocate)

But for how much longer? the more positive attention fox draws from the unwashed masses, the more negative attention will turn in that direction from malware developers.

If you go from 5% marketshare to 25% marketshare - your percentage of people looking for and finding bugs for good would drop through the floor.

Think of it like this - Maybe one out of every ten of my FFX using friends actually do any app-dev work. Is that accurate? Maybe 10% of all users? If more 'regular people' started using FFX, ditching IE, you think you're still going to have 10%?

Safari and FFx are safe for now, because they're not being targeted by hundreds/thousands/millions.
I would contend that 10% is a wildly inaccurate estimate. There are millions of FF users, including my parents, sister and all of my friends/professors here at the University. There might be one person among that group who has contributed code... I doubt 10% of the FF user base has the knowledge or technical ability to patch/hack Mozilla source. Perhaps 10% contribute if you include QA/Bug reports/Documentation etc, but not "App-Dev" work.

Two years ago Firefox Downloads passed 25,000,000 [mozilla.org] . To illustrate my point, let's say FF has 5,000,000 active users world wide (probably an order of magnitude more in reality). Now if 10% of those people hacked out the source and contributed code on a regular basis, Mozilla would have 500,000 patches to deal with. That's just too much to handle as each patch needs to be analyzed, merged and tested independently! If just 1% of the user base contributes code to this project, it will remain a wild success. I don't know of any project that needs over 50,000 developers working on it except maybe the overall Linux initiative. IE surely doesn't have more than a couple of dozen, maybe a hundred, developers. What's your point again?

Re:Bottom line (2, Funny)

drsmithy (35869) | more than 7 years ago | (#18133844)

Bottom line - the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE.

But, how can that be ? We are constantly being told marketshare is irrelevant !

Re:Bottom line (1)

eneville (745111) | more than 7 years ago | (#18133902)

Bottom line - the more people use Firefox, the more people look for bugs and vulnerabilities, the more people find them. The same thing happened with IE.

But, how can that be ? We are constantly being told marketshare is irrelevant !

It's not market share at all. lynx had a vuln, and hardly anyone uses that. It's just about the speed of code changes. If thousands of people are all changing the code at once it becomes more work for the programmers to check all the diffs and work on the code at the same time.

Re:Bottom line (2, Funny)

kimvette (919543) | more than 7 years ago | (#18135060)

I don't use lynx, ever. I use links.

Oh I know, I know, it's bloated, it has features 99% of users never use, but darn it, I'm one of those 1% of users and I need my full-featured curses-enabled links console browser! Point-and-click, baby! ;)

No we're not (1)

Mateo_LeFou (859634) | more than 7 years ago | (#18133904)

We're constantly being told that market share is not the biggest factor in the security equation. Because, e.g., we're constantly pointed to the example of a piece of software (Apache) with enormous market share that is almost never breached. We're constantly told these things 'cause they're true.

Re:No we're not (0)

Anonymous Coward | more than 7 years ago | (#18134358)

Netcraft [netcraft.com] and Secunia confirm it!

At 58.7%, Apache 2 [secunia.com] had 33.
At 31.0%, IIS 6 [secunia.com] had 3.

Those were vulnerabilities reported since 2003, or 11 and 1 per year, respectively. That would seem to suggest market share does correlate.

However, using the CERT vulnerability database dating back to 2000:

IIS gets around 22 [cert.org] and Apache almost 30. [cert.org]

Conclusion? Apache has predictably shown more vulnerabilities than IIS versions over the same time period, correlating a direct market share to vulnerability relationship (although not in strictly 1:1 proportions). Revs of IIS prior to 6 show it's crap vs. Apache. However, recent revisions to IIS show a *substantial* decrease in that proportion of market share to vulnerabilities, which Apache has not shown.

Re:No we're not (5, Informative)

Mateo_LeFou (859634) | more than 7 years ago | (#18135100)

"Conclusion? Apache has predictably shown more vulnerabilities than IIS versions over the same time period"

Conclusion? Apache has predictably reported more vulnerabilities than IIS versions over the same time period

FYP

Re:No we're not (0)

Anonymous Coward | more than 7 years ago | (#18135646)

If you report it, you are showing it. Right? Bill Clinton is that you typing at Mateo's keyboard?

Re:Bottom line (0)

Frizzle Fry (149026) | more than 7 years ago | (#18134322)

Marketshare is by far the most relevant thing. There is a huge black market in IE vulnerabilities. If you find an unknown exploit, you can sell it to people who want to use it to set up spam botnets or make money installing spyware or whatever. So crackers make a living finding IE exploits. No one is doing that for Firefox because there is no money in it. If there were as many people running Firefox on Windows as IE, people would be willing to pay as much for exploits and then the good crackers would actually be looking for them.

Keep in mind that one product where open source has more market share is web browsers, and Apache 2 has had way more vulnerabilities found and patched than IIS 6.

Re:Bottom line (3, Insightful)

Tiger4 (840741) | more than 7 years ago | (#18134342)

("Don't worry now, just get this new version out before the deadline, we'll fix it later...")?

As much as I am annoyed by MS for their practices, that particular one is perfectly reasonable and acceptable.

If the overall program was not managed that way, they would have chaos. Every potential change to the main configuration has to be assigned to a given build and release. The place to attack the "problem" is in how they assign priorities to problems and bug fixes. The criteria for Critical and Non-Critical bugs, for High, Medium, and Low Risk threat and fixes are where software quality hinges. MS does it one way, Mozilla a different way. To some extent they will converge. Hopefully for us all, not too much. But definitely they will converge. If they don't do effective Configuration Management, they don't know what they have, and they can't be sure about what results they will get. The development process is tricky enough without deliberately adding random uncertainty to the process. If it means delaying a given fix for some period of time, so be it.

I would not be at all surprised to see Mozilla eventually adopt a variant of the MS "Update Tuesday" model. For all but the Most Critical changes, just hold all updates, then bundle them and push them at the end of the next week/month/quarter. One thing they already do better than MS is to fully declare a new revision, rather than just issue a patch and update a table with the information. Makes it easy for humans to know at a glance what revision they are at. (By the way, I got 1.5.0.10 shoved at me last night)

Re:Bottom line (1, Troll)

Frosty Piss (770223) | more than 7 years ago | (#18134844)

As is typical with Open Source, with Microsoft, it's a terrible symptom of everything that's wrong with The Borg. But with Firefox, it's a "feature".

Re:Bottom line (1)

rmdyer (267137) | more than 7 years ago | (#18135200)

"I do think Firefox is far superior to other browsers on the market."

Far superior? I think you need to backup that painfully abstract and non-obvious statement.

I just cranked up my copy of Firefox 2.0.0.1 today after some time has passed since I last used it. I have it set to a blank page. You know what the first thing it asked me was after firing it up? It wanted to know if I wanted to set a "cookie" for the site "newsrss.bbc.co.uk" This would have been normal except for the fact that I hadn't yet even typed in a URL yet. You might say, "well, that's just the RSS news feeds doing its thing". And I'd say, "except for the fact that I'm not subscribed to any feeds!"

Web browsers need to work like newspapers with hyperlinks. That's about it.

That's a Live Bookmark (2, Informative)

ravenlock (693538) | more than 7 years ago | (#18135922)

You've got a Live Bookmark to "Latest BBC Headlines." It's in the default installation. A live bookmark is basically the subject lines from an RSS feed in a submenu. Not very useful, but not exactly a bug either -- technically, you are subscribed to a feed, you just don't know it.

It's located in Bookmarks -> Bookmarks toolbar folder (at least on my installation), and in the bookmarks toolbar.

A bad model? (4, Insightful)

Lord Satri (609291) | more than 7 years ago | (#18133680)

Well, such headlines won't stop me from using FF. At least vulnerabilities are attended to in a way I believe (wrongly?) faster than most mammoth companies would. That said, this point from the article is interesting, making me believe researchers should (?) have incentives to disclose security bugs to Mozilla first and to the public only when the fix is distributed:
"Although Snyder said she would prefer it if Zalewski and other researchers would disclose vulnerabilities to Mozilla before taking them public, she said the company relies on such experts to help it keep customers protected from attacks, as painful as the reports may be."

Your model is bad. (2, Insightful)

DrYak (748999) | more than 7 years ago | (#18133742)

researchers should (?) have incentives to disclose security bugs to Mozilla first and to the public only when the fix is distributed


No. That's how it works with Microsoft; it's not how it works with open source software.

With Firefox, if you disclose a hole to the public there's also a higher chance that someone outside the foundation, from the public, could try to fix the hole. (Which might not be too difficult for an outsider if the fix is just adding a check to avoid invalid input.) If you only disclose to Mozilla, the list of potential patchers is small and most of them are already busy fixing the other holes and developing, and you take the risk that in the meantime some cracker group discovers the problem independently and writes an exploit script.

Whereas with Microsoft products, if you disclose the problem to the public, they can't do much apart from switching to another product or waiting until Microsoft developers finally fix the problem. So from the company's view point, there's no usefulness in disclosing a hole to the public. ...in fact, because the source is open, researchers could even fix the bugs themselves as those are discovered.

Re:Your model is bad. (5, Insightful)

Albanach (527650) | more than 7 years ago | (#18134062)

if you disclose the problem to the public, they can't do much apart from switching to another product or wait until microsoft developer finally fix the problem.
But that's only an issue if you get no response. What if MS email and say thanks, we've looked into this, we need to change x, y and z and it should take about two weeks before we issue a fix. What would be the advantage in going public inside those two weeks?

I can't see any valid reason for someone not to report to Mozilla first, and to expect a reasonable and speedy response, then going public if a fix is not in place inside a sensible timescale. To do otherwise suggests the researcher is more interested in self publicity than in protecting users of the browser.

What's worse? (4, Insightful)

tomstdenis (446163) | more than 7 years ago | (#18133682)

As the author of security software, I'm not happy to find flaws in my code, but I'd rather find them than not.

The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice?

Tom

Re:What's worse? (4, Informative)

kjamez (10960) | more than 7 years ago | (#18133750)

The measure of success is whether the bug(s) found in Feb are new additions added by sloppy coders, or legacy bugs that have so far escaped notice?
I've been following this guy's postings on SF and bugtraq, and it's ridiculous. Some of the stuff he's finding are bugs in bugzilla from 2001 that keep getting shifted around and reassigned and marked as duplicates of other bugs ... the remote file upload keypress trap example comes to mind, and was an interesting POC to say the least. Some of the stuff is trivial and only comes with 'theoretical exploits', but is still potentially dangerous nonetheless. I was just thinking yesterday "wow, this guy really has it out for mozilla..." but like you said, it's good someone is finding these things now as compared to a 'blackhat' 0-day'er. And it's even better they are getting fixed, delayed release and all.

Re:What's worse? (5, Interesting)

tomstdenis (446163) | more than 7 years ago | (#18133858)

Well yeah that's the flipside. Some people report "bugs" which are things that cannot really be exploited in the field [e.g. unreachable exploits]. I deal with that in my OSS work as well. Though, usually I fix them anyways just for completeness. In fact, a non-trivial amount of bugs I've fixed have been of that sort [I wouldn't say a majority but definitely not just a few].

Some people like the press it gets for finding them too.

That being said, some projects react badly to bugs. GCC is an example of a group who react well to them. I've had several PRs fixed because of a simple ICE or asm dump I sent in. Whereas in the Linux camp, bug fixing is a royal right only a few can have. When I wanted to add device IDs for Intel NICs to the 2.6.18.2 [iirc] kernel I submitted a patch which added them. It was refused, saying that they would be added in the next major release cycle. Even after I told them that they could trivially be added to the next point release they still refused. Oddly enough the maintainer, a Gentoo developer, added them to the Gentoo brand of the kernel anyways. Go co-operation!

I dunno, for me it's a sense of responsibility. If I'm going to release software that can potentially cause problems for others, I make sure I respond to valid reports as soon as possible. I don't look at it as a negative experience because for me the alternative is to stop sharing the code altogether.

Tom

Re:What's worse? (1)

gmack (197796) | more than 7 years ago | (#18134160)

Whereas in the Linux camp, bug fixing is a royal right only a few can have. When I wanted to add device IDs for Intel NICs to the 2.6.18.2 [iirc] kernel I submitted a patch which added them. It was refused saying that they would be added in the next major release cycle. Even after I told them that they could trivially be added to the next point release they still refused. Oddly enough the maintainer, a Gentoo developer, added them to the gentoo brand of the kernel anyways.

So you tried to add the IDs to the latest bug-fix-only branch instead of first going to the development branch, and you complain that you were refused because you didn't have some sort of a "royal right"? I'm guessing if you had submitted an actual bug fix instead of extending a driver it would have been accepted. Just adding device IDs is not always painless; sometimes the hardware isn't exactly compatible and the addition causes unintended side effects. That policy is there for good reason.

Re:What's worse? (1)

tomstdenis (446163) | more than 7 years ago | (#18134198)

The gentoo fix was to add the same IDs [and a few more].

My complaint isn't that they weren't added, it's that the maintainer refused to add them to the vanilla kernel [e.g. at kernel.org] and instead hoarded them for gentoo-sources [even though I run Gentoo I still feel this is wrong]. Eventually at the next major release they were added. So it's not that the device IDs were wrong or caused problems. It's that the developer didn't want to share them with the rest of the Linux crowd.

You should ask Jean-Luc Cooke about his experience trying to replace the horrible /dev/random device with one based on Fortuna. He got the same royal decree from Ted T'so about "who owns the kernel" and who doesn't. In the end, Jean-Luc just gave up and withdrew the patches.

The kernel is, for the most part, a horribly written and poorly maintained piece of code. The maintainers are selfish ego-hoarding losers and have to really learn there are more people willing to contribute than just them.

Tom

Re:What's worse? (4, Interesting)

gmack (197796) | more than 7 years ago | (#18134602)

My complaint isn't that they weren't added, it's that the maintainer refused to add them to the vanilla kernel [e.g. at kernel.org] and instead hoarded them for gentoo-sources [even though I run Gentoo I still feel this is wrong]. Eventually at the next major release they were added. So it's not that the device IDs were wrong or caused problems. It's that the developer didn't want to share them with the rest of the Linux crowd.

Or more to the point: the maintainer knew they would never be accepted into the stable branch kernel until, at the very least, they were tested in the dev branch first.

The maintainer doesn't have the final say. It's the stable team that decides in the end, and they have only gotten more strict now that there are shorter dev cycles. Also, I didn't say that they did cause problems; I said they could in theory cause problems and there is no way to know for sure until the new IDs have been well tested. The change was quite probably safe, but I'm astounded you're whining that they would not throw improperly tested code right into the stable branch. I've seen simple device ID additions cause crashes. I've had them crash MY system. It's rare but it happens. That's why I update my servers with the stable branch and run my personal stuff on the more cutting edge devel kernels.

You should ask Jean-Luc Cooke about his experience trying to replace the horrible /dev/random device with one based on Fortuna. He got the same royal decree from Ted T'so about "who owns the kernel" and who doesn't. In the end, Jean-Luc just gave up and withdrew the patches.

/dev/random has to be as hard to predict as possible. You claim it's horrible, but there are whole papers on how to generate random numbers, and even seasoned kernel devs have had patches refused because they weren't able to justify them properly.

The kernel is, for the most part, a horribly written and poorly maintained piece of code. The maintainers are selfish ego-hoarding losers and have to really learn there are more people willing to contribute than just them.

Translation: They didn't let me do what I wanted, so they are a bunch of jerks.

There are people who dedicate themselves to teaching new people how to add patches to the kernel. The whole kernel newbies project and the kernel janitors project exist to provide developers who are new to kernel programming an easy way to learn their way around and get patches accepted. There have been hundreds of patches in the past few months that were accepted from people who were previously unknown to kernel programming. So it really is open to others, but only to people willing to follow the rules. Those rules are there for a reason.

Re:What's worse? (0, Offtopic)

tomstdenis (446163) | more than 7 years ago | (#18134670)

JLC's /dev/random patches replaced the ad hoc poorly designed PRNG with one based on Fortuna, a real PRNG.

I suggest you look at the /dev/random source for a bit. For starters, what the fuck is TwoThirdsMD4? Why is it used? etc... The design may work, but we can certainly do better, with cleaner code, that makes use of the existing crypto in the kernel (instead of including multiple copies). Last I looked their SHA1 code wasn't even compliant [didn't do byte order swapping, which doesn't affect the security, just compliance]. /dev/random can easily be cleaned up, improved, and made to use standard crypto primitives. It just means we have to dissolve Ted T'so's ego and beat him with a clue stick.

In the case of my patches, they were against [iirc] 2.6.18.2 not 2.6.19-rc2 or something. The last "." is supposed to be for incremental changes to reduce the time between major releases. It gives users a chance to try a work-in-progress kernel that has been through at least some testing. Otherwise, why even have the fourth level of releases?

I'm hardly the only person on earth disillusioned by the Linux kernel process. Sure it works, but the code is hardly ideal and pushing away contributors is NOT the way to make things better.

Tom
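The comment above names Fortuna as "a real PRNG" built from standard primitives but does not show what that design looks like. The following is an added example, not code from the thread, the kernel, or Jean-Luc Cooke's patches: a minimal Fortuna-style generator in Python. It keeps the structural points of Fortuna's generator (a key plus a counter, output produced by running a keyed block function over the counter, and a mandatory rekey after every request so that a captured state cannot be rolled back to recover earlier output). One assumption is made for portability: HMAC-SHA256 over the counter stands in for AES-256 in counter mode as the keyed block function, so the block size is 32 bytes rather than 16. The accumulator/pool side of Fortuna (entropy collection into 32 pools) is out of scope here; the `reseed` call is the point where collected entropy would enter.

```python
import hmac
import hashlib

BLOCK = 32  # bytes per output block (SHA-256 digest size; AES would give 16)


class FortunaGenerator:
    """Fortuna-style generator: key K, counter C, rekey after each request.

    Added example; assumes HMAC-SHA256(K, C) in place of AES-256-CTR.
    """

    def __init__(self) -> None:
        self.key = b"\x00" * BLOCK   # K: zeroed until the first reseed
        self.counter = 0             # C: a zero counter means "not yet seeded"

    def reseed(self, seed: bytes) -> None:
        # Fortuna: K <- H(K || s), C <- C + 1. Mixing the old key in means
        # reseeding never weakens the state, even with attacker-chosen seed.
        self.key = hashlib.sha256(self.key + seed).digest()
        self.counter += 1

    def _block(self) -> bytes:
        # One block of keystream: E_K(C) with C incremented afterwards.
        ctr = self.counter.to_bytes(16, "little")
        out = hmac.new(self.key, ctr, hashlib.sha256).digest()
        self.counter += 1
        return out

    def _generate_blocks(self, k: int) -> bytes:
        if self.counter == 0:
            raise RuntimeError("generator not seeded")
        return b"".join(self._block() for _ in range(k))

    def pseudo_random_data(self, n: int) -> bytes:
        # Fortuna caps a single request at 2**20 bytes so the key is
        # replaced before enough output accumulates for distinguishing attacks.
        if not 0 <= n <= 2 ** 20:
            raise ValueError("request size out of range")
        k = (n + BLOCK - 1) // BLOCK
        out = self._generate_blocks(k)[:n]
        # Rekey: the new key is itself generator output, and the old key is
        # gone, so a later state compromise cannot reproduce `out`.
        self.key = self._generate_blocks(1)
        return out


def demo_backtracking_resistance(seed: bytes = b"constructed example seed"):
    """Return (one_request, two_requests) from identically seeded generators.

    The first 16 bytes agree (same key, same counter); the remainder differs
    because the second generator rekeyed between its two requests.
    """
    g1 = FortunaGenerator()
    g1.reseed(seed)
    one_request = g1.pseudo_random_data(48)

    g2 = FortunaGenerator()
    g2.reseed(seed)
    two_requests = g2.pseudo_random_data(16) + g2.pseudo_random_data(32)
    return one_request, two_requests


if __name__ == "__main__":
    a, b = demo_backtracking_resistance()
    print("prefix shared :", a[:16] == b[:16])
    print("tail differs  :", a[16:] != b[16:])
```

The property worth noticing is the split in `demo_backtracking_resistance`: the same seed and the same total amount of output give different bytes depending on how the requests were chunked, precisely because the key is thrown away after every request. That is the design point the comment is arguing for; the kernel's own pool-based design is a different construction and is not modelled here.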

Re:What's worse? (2, Informative)

gmack (197796) | more than 7 years ago | (#18135066)

In the case of my patches, they were against [iirc] 2.6.18.2 not 2.6.19-rc2 or something. The last "." is supposed to be for incremental changes to reduce the time between major releases. It gives users a chance to try a work-in-progress kernel that has been through at least some testing. Otherwise, why even have the fourth level of releases?

That's not even close to correct. The last "." is so bug fixes can be added to a known stable branch. The shorter RC cycle (a month or two instead of a year or two) is what was supposed to reduce the time between major releases.

Re:What's worse? (3, Insightful)

tomstdenis (446163) | more than 7 years ago | (#18135658)

Whatever. This is why newbs mock OSS. If a one line trivial change causes WW3 between developers, just because Intel decided to up a PCI devid value ... we have problems.

Out of the box, the latest kernel wouldn't work on my mobo [when I got it]. That means LINUX IS BROKEN. The fix? Add one line to an eth device driver's list of recognized device IDs. What does the community do? Reject it until MONTHS LATER. Many newcomers would look at that and say "fine, I'll go to Windows or BSD."

How are we supposed to build a community of trust and co-operation if we can't resolve single line fixes to code that enable hardware to work?

Tom

Gentoo (1)

wytcld (179112) | more than 7 years ago | (#18134726)

A Gentoo developer refused your patch, except for Gentoo? Go Gentoo! Man is that corrupt.

I mostly use Gentoo - I've done well with it running servers almost from its conception. But the Gentoo developers and maintainers, on the whole, are developing increasingly obnoxious attitudes towards their users - which makes no sense at all considering Gentoo users on average have higher skill and knowledge levels than the users of the other popular distros. A few years ago bug reports were handled as well in Gentoo as anywhere; these days, not so much.

There may be a social problem to be solved. In the early days of any major open project, there's good will and enthusiasm to go around. But as the social networks supporting the project age and expand, they get grumpy and immune to criticism. Part of this, with something like Gentoo, is that the most capable people were in at the beginning but have wandered off, and now the developers/maintainers just don't have the same level of ability, so tend to cover their deficiencies by blaming the users. Is the trick to somehow make aging projects fun again so that the best people are attracted back in? How would you do this without seeming to under-appreciate the less-able cruft who need to be swept out of the way to make room for the able? - tough when they're volunteers.

Re:What's worse? (3, Insightful)

TheRaven64 (641858) | more than 7 years ago | (#18133974)

Some of the stuff he's finding are bugs in bugzilla from 2001 that keep getting shifted around and reassigned and marked as duplicates of other bugs

There is something I picked up from the OpenBSD guys, which I think should be repeated more:

The only difference between a bug and a security flaw is the intelligence of the attacker

In something like Mozilla that connects to remote machines and receives badly-formed data as a regular operation, every single bug should be treated as a potential security hole (with the possible exception of w3c spec violations).

Re:What's worse? (1)

Bob9113 (14996) | more than 7 years ago | (#18134318)

Completely agreed. I'm delighted when someone finds a bug in my code. The bug was there whether the reporter finds it or not. The reporting of it is the good part. Shoot the messenger? Hell no, thank him.

Re:What's worse? (1)

Tiger4 (840741) | more than 7 years ago | (#18134396)

Or known bug fixes that have just gotten delayed, and delayed and delayed.

I like Mozilla and FF. But if this kind of attention is what it takes to get them to assign coders to all levels of bugs, from Highest Risk to Lowest, I am all for the heat. The little ones never go away until you actually fix them. Letting them get older is not the correct solution. Not from a technical point of view. Business-wise, you could just wait until the product is obsolete and no one cares. But that is just lazy practice.

How is this bad? (4, Insightful)

El Cubano (631386) | more than 7 years ago | (#18133686)

Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective. However, it is not like they are ignoring these things or trying to spin it like they are not real problems (as certain commercial and proprietary software vendors are prone to do). This is, in fact, quite good for the users.

Re:How is this bad? (5, Informative)

bunratty (545641) | more than 7 years ago | (#18133732)

The only bad thing is that Michael Zalewski is not following Mozilla policy for reporting security bugs [mozilla.org]. He should first report them to Mozilla privately and give them some time to fix the problems. Instead, he publicly announces the vulnerabilities so the bad guys can exploit them before Mozilla has any chance to fix the problems. In short, Zalewski seems to believe in full disclosure instead of responsible disclosure [schneier.com].

Re:How is this bad? (1)

El Cubano (631386) | more than 7 years ago | (#18133752)

In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

FTA: On the other hand, she's dealing with almost daily reports of newly identified vulnerabilities in Firefox disclosed by a researcher who makes his work public before informing Mozilla of the problems.

Ahh. So Zalewski is in it for the publicity. I did not catch that.

Re:How is this bad? (5, Insightful)

Cid Highwind (9258) | more than 7 years ago | (#18134166)

In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.

So do most of us here at /. when it comes to bugs in Windows or IE or Java VM. Why not Firefox?

Some of these bugs were initially reported in 2001 and were only fixed in Firefox 2.0.0.2, six years later. The lesson here seems clear to me: Reporting security holes on bugzilla gets them marked DUPE/WONTFIX/NOTABUG and ignored for 5+ years. Publishing detailed explanations of the exploits on your blog gets them fixed within a few weeks.

Re:How is this bad? (2, Insightful)

bunratty (545641) | more than 7 years ago | (#18134868)

Reporting security holes on bugzilla gets them marked DUPE/WONTFIX/NOTABUG and ignored for 5+ years. Publishing detailed explanations of the exploits on your blog gets them fixed within a few weeks.

If you know of any such security holes, report them publicly or privately, and you will get a $500 bounty [mozilla.org]. If reporting them privately doesn't get them fixed, you can always go public later without losing your bounty. If responsible disclosure doesn't get bugs fixed, then I would agree that full disclosure is needed. Go ahead and report these bugs and collect your fame and riches!

Re:How is this bad? (5, Informative)

tetromino (807969) | more than 7 years ago | (#18135574)

In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.
So do most of us here at /. when it comes to bugs in Windows or IE or Java VM. Why not Firefox?

No. I would venture to say that most people here believe in giving Windows/IE/Java/Firefox devs a couple of weeks to fix a bug before going public. Coming up with a patch is the easy part. Any large project will need to look for related issues in the rest of the code, to do QA work to make sure the patch doesn't introduce new bugs or vulnerabilities, and to package the updates for all the different architectures and products that happen to be vulnerable. That process takes time; it is physically impossible for the Windows/IE/Java/Firefox team to release an update the same day you informed them about the issue. If you go public on the first day, you are just being an asshole.

Re:How is this bad? (2, Interesting)

Kjella (173770) | more than 7 years ago | (#18133864)

Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective. However, it is not like they are ignoring these things or trying to spin it like they are not real problems (as certain commercial and proprietary software vendors are prone to do). This is, in fact, quite good for the users.

It's quite hard to tell for the user if they're fixing many bugs because they have a high attention to security or if their code is a stinking pile of shit. Ideally, not a single bug should get through to the end user, but they do; in that sense every bug that needs fixing is an imperfection in the development process. The users don't have any omniscient metric of which browser is the most secure and bug-free. So, the user is trying to figure out some sort of substitute metric. The most typical one used is to assume that "number of bugs fixed" is proportional to "number of bugs to fix". Of course, that's not true, because "number of bugs to fix" is "public bugs and to be fixed" + "bugs to be silently fixed" + "bugs that aren't found yet", possibly because no one's looking.

To take the typical slashdot meme:
IE fixes a dozen bugs: "Whaaaaaaaaaa! IE is such a pile of steaming shit"
FF fixes a dozen bugs: "Yeeeeeeeeeey! FF is showing their attention to security"

Perhaps you "know" this to be the truth, but there are no facts to back you up. If on the other hand you can point to "There have consistently been fewer bugs to fix in Firefox compared to IE" along with "There have consistently been fewer actual exploits in Firefox compared to IE" (ie, we're not just ignoring the problem) then you'll have a much better case. Of course that would require honesty in numbers, plus all the FUD about market share == target and so on, but one thing remains certain. If there weren't any bugs to fix, that'd be the best both technically and for PR.

Re:How is this bad? (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#18134566)

Finding: good
Fixing: good
Reporting to maintainers: vital
Reporting to the public: depends on many things all of which are hotly disputed. To the extent there's a consensus, it's to make public announcements after there's been time to code, test and release a patch. If the supplier hasn't used that time to fix the product, well, their customers deserve to be warned before a black hat discovers the same thing and uses it for evil.

Reporting to the whole world simultaneously only makes sense if you believe all information should be free at all times regardless of the effect, or if you're sure that the software supplier will never fix anything, or if all the users are technically sophisticated enough and have enough free time to fix it themselves.

It's more complicated than that, of course. Another variable is whether the announcement is a description or whether it contains kiddie-scriptable exploit code.

Re:How is this bad? (1)

Overly Critical Guy (663429) | more than 7 years ago | (#18135584)

Could someone please explain how finding and fixing bugs/issues/problems/whatever is bad? Now, I understand that it is not particularly good from a PR perspective.

Didn't you just answer your own question?

Bad month? No... (5, Insightful)

onion2k (203094) | more than 7 years ago | (#18133690)

Good month. Finding lots of bugs, and fixing them, is a good thing. We don't need to pretend it's perfect and rosy and all nicely secure and won't ever need a patch or an update. We're realists on this side of the OSS fence. We know that software is only as good as the people working on it.

I'd like to extend a hearty thank you to this researcher for making Firefox even better.

Re:Bad month? No... (1)

cdrudge (68377) | more than 7 years ago | (#18135048)

It's a matter of perspective. I agree that it's good that the bugs were found and are being worked on. However it's bad that they were not already detected, that they were not already worked on, or that they were even there.

Re:Bad month? No... (1)

trewornan (608722) | more than 7 years ago | (#18135228)

it's bad that they were not already detected

Yeah it's true, it's a pity these bugs were not already detected . . . like before they were detected . . . already.

that they were not already worked on

Yeah it's true, why didn't they work on them before . . . like before they were detected . . . already.

or that they were even there

Yeah it's true, what did they think they were doing putting bugs in to begin with . . . like everybody knows not to write bugs into software . . . duh!

Re:Bad month? No... (1)

Kythe (4779) | more than 7 years ago | (#18135244)

Exactly. What's more, almost all the holes he found were rated as relatively minor by Secunia, and have already been fixed.

As usual, however, Microsoft's record of performance on that score hasn't been as stellar.

So while some MS fanboy types might like to claim this as a "bad month" for Firefox, I can't say I agree.

Internet Explorer (5, Funny)

bitsformoney (514101) | more than 7 years ago | (#18133698)

Solution: Stick with IE. Shoudda known.

Re:Internet Explorer (1)

badenglishihave (944178) | more than 7 years ago | (#18133950)

You speak the truth! At least with MS you get statements like "Internet Explorer [X] coming soon: Improved security, better protection against phishing". This kind of statement makes you feel much better than "We found a crapload of bugs and now we're trying to build a new release to fix them all." I for one value feeling good about my software rather than knowing that the developers are actually aware of and working on removing exploits/vulnerabilities.

Remember, software should make you feel safe and secure, even if it isn't =) . Microsoft has sure nailed that.

You mean, GREAT MONTH! (1)

itz2000 (1027660) | more than 7 years ago | (#18133714)

This guy found these security flaws, which can only be good for us, the users, cause they will be fixed.
Imagine a malicious user had found the same bugs and wanted to use them against us, the users; it would have been very very bad, and now this malicious user must work harder on his new holes.

Thanks man for finding these Sec-Holes for us. May god bless you

Re:You mean, GREAT MONTH! (1)

Overly Critical Guy (663429) | more than 7 years ago | (#18135686)

Is it a great month when vulnerabilities are found in Internet Explorer?

Javascript (2, Insightful)

Neuropol (665537) | more than 7 years ago | (#18133716)

I hardly see this as being Firefox's fault. It's been a more common denominator to have Javascript as the culprit. There's always been some "handling" issue in just about every browser ever coded. So with this continuing, I'd be pointing all fingers at Javascript and nothing else.

Compliance should be the next target of finger pointing too. If Firefox seems to have its act together and it keeps falling prey to, and having to adapt to, issues of external development, I really think it's time for an overhaul on some highly exploitable Javascript code.

Bad month makes good year (1)

Sheltem The Guardian (940038) | more than 7 years ago | (#18133720)

Look: if these bugs exist, they should be fixed. If more of them are discovered this month, it means Firefox will be less buggy and more secure for the rest of its lifecycle.

Bad month, but... (2, Insightful)

bgfay (5362) | more than 7 years ago | (#18133722)

I don't know anyone who has lost faith in Firefox or switched back to anything else. It's still a great browser and seems to be getting better. There will always be problems with software. The thing that's interesting here is that all of Firefox's good aspects and bad aspects are out in the open. That's what makes it work.

Re:Bad month, but... (2)

SoapDish (971052) | more than 7 years ago | (#18135730)

I lost faith in firefox. I use opera now. It's mostly because the interface is just so much better.

Isn't that the point of Open Source? (1)

bigattichouse (527527) | more than 7 years ago | (#18133728)

Sure, people see the downside of this.. I happen to see it as proof that Open Source works on the community scale. I now know these bugs can be addressed.. how many bugs are in IE7 that I can't see because of the closed source?

Re:Isn't that the point of Open Source? (1)

jfengel (409917) | more than 7 years ago | (#18133898)

It doesn't matter if you see the bug. It matters if the bad guys see the bug.

To exploit a bug in closed source, you have to grovel like crazy through the code or just throw things at random at it. If you want to exploit a memory overflow bug you've got to do it entirely based on the disassembled binary, probably without any symbols. It's astonishing that anybody ever achieves it. Internet Explorer must REALLY be full of holes to have so many spotted.

In either open or closed source, the question is how long the hacker gets to exploit the bug. How many "zero-day" exploits in Firefox are really "minus-ninety-seven day" exploits which have been sucking down credit card numbers and passwords without anybody ever noticing? Nothing about "open source" prevents that, and if anything makes it a hell of a lot easier.

I know perfectly well that security through obscurity will never work. I use Firefox myself, mostly in the hope that the good guys are ahead of the bad guys in finding bugs.

Open source just means that the programmer is less tempted to let obscurity do the security for him when he writes the code in the first place. The best way to fix a bug is not to put it in. You're still at the mercy of your own failures, but those are as hard for the bad guys to find as they are for you.

Re:Isn't that the point of Open Source? (1)

Eddi3 (1046882) | more than 7 years ago | (#18134006)

That's the (supposed) upside to Closed Source software: The bad guys can't see the bugs in the first place.

Re:Isn't that the point of Open Source? (0)

Anonymous Coward | more than 7 years ago | (#18135148)

"how many bugs are in IE7 that I can't see because of the closed source?"

Millions. The same as the number of tigers that my magic rock here keeps away.

Oh no there are boooogs in my firefox... (1)

codepunk (167897) | more than 7 years ago | (#18133774)

Clicks sly fox icon this morning "stand by while firefox is installing the latest updates"...what boooogs?

Bad month ends up with a good product. (5, Insightful)

SoupIsGood Food (1179) | more than 7 years ago | (#18133790)

Buffer overruns happen. Security models have holes. This is nothing new, and you'll find it in damn near every software project of any complexity.

The rational ways of dealing with this are a very dictatorial style of project management to get it right the first time (See: OpenBSD) or a quick and responsive way to kill security-affecting bugs dead. Firefox, with its gazillions of volunteer and paid programmers, opts for the latter. Too often, closed source developers just sit on these bugs, or sue the people trying to find and publish them, or use their marketing department to cover for their developers' shortcomings.

I'm pleased and reassured that Firefox is having these issues. Active and open security research will always result in a stronger product, and delays to deal with them are acceptable so long as the software is better for it. Even OpenBSD's been hacked a few times, and it's how you deal with it that's more important.

Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of. Give me this over Internet Exploder any day.

When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets... we actually know exactly why something has been pushed back, and can make reasonable judgements about when it will be back on track for ourselves. This is one of the more important aspects of open source that corporate IT overlooks... the ability to plan for and work around changes in the release schedule.

So, yeah, setbacks happen. To everyone. How the setbacks are dealt with is where the rubber meets the road. Firefox is generally ahead of the industry here, too.

Re:Bad month ends up with a good product. (2, Interesting)

kestasjk (933987) | more than 7 years ago | (#18134324)

I don't know where people get the idea that closed source apps are invulnerable to hackers checking them for holes. With a firm grasp of tools like IDA Pro you can easily analyze closed source apps.

I like and use Firefox too, but I don't think security is a good reason to like Firefox. The great plugins are what puts it head+shoulders above anything else, imho. And with NoScript, AdBlock, etc, it makes it much easier to avoid malicious sites.

Anyway, it's not right to be so complacent: when a hole is found in MS software it's terrible, but when holes are found day after day in Firefox it's progress. It's the same with Apple and MS; the double standards some posters have can make /. look pretty hypocritical sometimes..

Re:Bad month ends up with a good product. (0)

Anonymous Coward | more than 7 years ago | (#18135596)

I like and use Firefox too, but I don't think security is a good reason to like Firefox. The great plugins are what puts it head+shoulders above anything else, imho. And with NoScript, AdBlock, etc, it makes it much easier to avoid malicious sites.

Well said. I don't much like Firefox (did you know if you just type a domain in the address bar it doesn't automagically fill in "http://www." and ".com" on either side of it like Netscape used to do? Noooo, it searches and guesses and flings you somewhere that can be a very unpleasant surprise. And the moron who closed the bug report said it was a feature. Theo is NOT the only arrogant developer.) but I use it the most Just For That Reason: Great plugins. NoScript and Adblock are almost enough right there, and right now I have 26 total non-default plugins (and a memory usage of 58 MB on a PC, much worse on my Mac). I'd rather use Opera, but oh well.

Anyway, it's not right to be so complacent: when a hole is found in MS software it's terrible, but when holes are found day after day in Firefox it's progress. It's the same with Apple and MS; the double standards some posters have can make /. look pretty hypocritical sometimes.

Hmm, I keep hearing that people say one thing, then the other, but I doubt that, in all but a very few pathological cases, it is the same people. And even though you can say "Slashdot community" all that really means is "People who post comments to Slashdot". There is really no significant commonality (able to speak English, have access to a computer, bah! means little in almost any context). I don't think it is hypocrisy, just different people saying different things in different contexts. The same for the "If Linux is going to make it on everyone's desktop..." versus "If you don't like it, fork it or fuck it". Different morons saying different things, not hypocrisy.

Is it terrible that MS has holes in their software? Yes, and the way they handle it is poor but getting better. Apple isn't any better. And from what someone else said, that some of the bugs in Firefox had been reported over 5 years ago, well, it is pretty clear that "more eyes" doesn't mean "more bugs fixed" even if it might mean "more bugs found".

IMHO.

Re:Bad month ends up with a good product. (4, Insightful)

Anonymous Brave Guy (457657) | more than 7 years ago | (#18134356)

Buffer overruns happen.

Not if you use proper design techniques, or programming languages where they aren't a possibility. Saying "buffer overruns happen" is just a concession to current poor programming practices. Better ways to do things have been known for a long time, it just requires more effort to use them when most of the world isn't yet.

Security models have holes. This is nothing new, and you'll find it in damn near every software project of any complexity.

That's true, but not every software project makes grand claims about having better security than the opposition. There is little text on the Firefox home page, but one of the three big headings is "Stay secure on the web". "Firefox continues to lead the way in online security," it tells us. Clicking through the link finds explicit claims about the open source model and the use of "security experts".

Microsoft's stuff is broken for =years=, which allows a security nightmare. Firefox is broken for a few days, or a month or two... too quick for all but the most dedicated and talented black-hats to take advantage of.

And how do you know that all of these Firefox bugs have only been added recently, and haven't already been exploited by black hats before they were announced? Do you personally check into the background of every bug report in Firefox? Do you think everyone who uses it does? How many serious vulnerabilities in IE are really open for years? Do you have stats to back this up, or are you just a Firefox fanboy spreading FUD? These are, after all, exactly the criticisms commonly levelled at IE.

When will we see a stable and secure project? That's an important question when dealing with closed source products. On something like Mozilla, with an open development model, the project goals and progress aren't company secrets...

So all security bugs in the Mozilla family are immediately and openly disclosed to the public?

Re:Bad month ends up with a good product. (1)

Jeffrey Baker (6191) | more than 7 years ago | (#18135116)

Buffer overruns happen.

Thank you, unfrozen caveman programmer. I'm trying to remember the last time I experienced a buffer overrun in Java, Python, or Perl. Hrmm. Still thinking ...

Who cares.. Is it your browser? (0, Flamebait)

AnnuitCoeptis (1049058) | more than 7 years ago | (#18133792)

It seems that there are zillions of developers trying to add their exploits. Another proof that this open/free concept doesn't work. It would have been much better to have twenty different genuine browsers for $10 (closed) each than this one bloated open source behemoth.

Tagging (0)

heffrey (229704) | more than 7 years ago | (#18133876)

Shouldn't this be tagged with "haha" already?

incentive?? (1)

wasabiboy (537118) | more than 7 years ago | (#18133880)

The question on my mind is - what is Zalewski's incentive in releasing this information directly to the public instead of first to mozilla, esp. just following a release...? It can't be to gain trust/admiration by the open source community. It also can't be to gain trust by corporations either (releasing notice of a flaw just after a new release and without first contacting the company must scare the pants off of any corporation!) Is it merely hubris? Or is there some corporate smear money being exchanged here?

Re:incentive?? (1)

ScrewMaster (602015) | more than 7 years ago | (#18133934)

Or is there some corporate smear money being exchanged here?

Well, I certainly wouldn't put it past the innovator from Redmond to use this guy to spread some more FUD, but if so, they've only managed to encourage the competition to improve their codebase.

Why is this a bad thing? (1)

carpecerevisi (890252) | more than 7 years ago | (#18133944)

I realise many have said this already, but my own personal spin:

Since we know (generalisation, I know, but it works) that any big piece of software is going to have bugs, surely all this means is "woo, yay, look, Open Source's benefits wrt bugs are real", since fast and good response to bug reports has been shown. If it's easy to find bugs, and when found, they're being fixed quickly and well, and we know that bugs are always going to happen, then why is this anything but superior to other closed source competitors who've had fewer bugs found?

Where's the problem? (1)

Eddi3 (1046882) | more than 7 years ago | (#18133958)

There are probably going to be just about as many bugs in Firefox as there are in any other browser. However, the reason Firefox is so secure is not because it has fewer vulnerabilities (although it might), but because it doesn't take Mozilla and the Firefox community three months to patch it. Security updates are generally available every 1-2 weeks.

That is what makes Firefox a browser which focuses on security. Not the idea that it should be impenetrable in the first place.

  -Eddie

are these endless bugs... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18133988)

...because FF and the other moz products are primarily *windows* applications? Really, this is a legit question. If there was a different browser that had nothing to do with trying to work on windows, absolutely nothing, no effort to make it work on windows, no windows devs contributing, nothing, something for just open source operating systems only, could we who don't use windows have something better? And let us be real here, FF/mozilla IS primarily a windows product, open whatever code or not. That is the main focus for mozilla and always has been.

Re:are these endless bugs... (1)

Kiaser Wilhelm II (902309) | more than 7 years ago | (#18134658)

What on earth are you talking about?

'Hello World' runs on Windows. Does that make it a buggy and vulnerable program? Your logic baffles me.

windows logic (0)

Anonymous Coward | more than 7 years ago | (#18135186)

It probably baffles you because you are a long time windows user and are used to crap software. Windows is very buggy and its past history of "security" is beyond dismal. Do you care to actually deny that? And if you haven't noticed that yet, oh well, I guarantee other people have. And it has gotten way past old when there is a headline "new security problem with firefox", when what they mean to say, most of the time, is another security problem on the windows platform running the windows version of some browser.

The windows version needs to be spun off completely from the other versions, and vice versa. Let the windows folks deal with their stuff, I am just calling for a mainstream non-windows browser for the other folks, because it makes no sense whatever to "share" bugs and security problems from always trying to code to keep windows secure. That's microsoft's problem basically, they should deal with it, and folks on open source platforms shouldn't even need to bother with it.

The mozilla project is a very nice project, but let's call a spade a shovel here, it is primarily just another microsoft windows application, anything else they do is ancillary and an afterthought to their primary goal, to make an alternative to INTERNET EXPLORER, which is a windows project, and, in addition, there is little reason for the projects (closed source operating system versus open source operating systems) to be combined with "one" browser now except inertia. It's also just a crutch to keep windows people using windows, again, anathema to a lot of open source folks. Granted, not all by any means, but I bet a lot of open source people feel the same way. It's just getting *old* having to deal with windows problems when you don't run windows, and as well intentioned as the mozilla FF project is, it cannot be denied it is primarily for windows, and as such, the coding weirdness slops over all the time to the other platforms. It would be *better* for there to be different projects, completely different, better for the windows folks and better for the linux/bsd/solaris folks. And Apple can run their own mess, I consider that to be irrelevant to this discussion at this time, although some similarities exist obviously, I am mainly meaning the big MS-Linux split. I would just like to *further* split the efforts up.

I don't trust windows applications half assed "ported" to linux, not for the long haul anyway, nor do I appreciate all the "enthusiasm" to keep people on their software, because it is a security threat, and the total cost of ownership to society is huge (keeping MS rich in general), and they are chronic serial crooks. And Ballmer keeps threatening linux people, so I don't think ANY open source project should deal with windows expensive mal/bug/crapware.

Re:are these endless bugs... (1)

Veinor (871770) | more than 7 years ago | (#18135502)

Actually, Hello World v1.0 will occasionally display "Goodbye, cruel world" instead, then delete itself. I think it's something to do with the program gaining sentience and recognizing the banality of its existence or something.

Hard to reproduce (3, Interesting)

mw22 (908270) | more than 7 years ago | (#18134100)

There is one problem with the flaw: it's very hard to reproduce. I think I reproduced it once in a 1.8 branch build, but not afterwards.
If anyone can reproduce it consistently, and has a 1.8 debug branch build, it would be great if he could try and give a useful stack trace in the bug.

They could have waited longer... (0, Troll)

crossmr (957846) | more than 7 years ago | (#18134140)

I barely surfed 2 pages after updating to 2.02 and I'm already crashing again.

I bet... (2, Funny)

SharpFang (651121) | more than 7 years ago | (#18134548)

I bet if Lcamtuf heard he's being called a 'researcher' he'd be rolling in his grave.
After dropping dead on place, that is.

HA HA INDEED (0)

Anonymous Coward | more than 7 years ago | (#18134996)

To the IDIOT who tagged this HAHA fuck you. Would you rather have the DEFECTIVE BY DESIGN INTERNET EXPLORER? What the FUCK IS WRONG WITH YOU FUCKTARDS? HOW THE HELL can you not support software that is actively working to help security and sane web design practices, instead throwing your love toward an evil, demeaning, shitty, fucked up corporation's FAILURE of a browser?

Fuck all of you idiots that love Microsoft and IE. Fuck you right in the ear.

"Windows cannot find http://whatever.com" bug (0)

Anonymous Coward | more than 7 years ago | (#18135028)

On both my Win2K and WinXP boxes, I still have to apply this fix [asp.net] every time Firefox 2.0 updates itself. Had to do it just yesterday when 2.0.0.2 was released. WTF is up with that? Is there something weird about both of my systems that Firefox doesn't like? How are non-technical users supposed to deal with crap like this?

just rude (3, Interesting)

towsonu2003 (928663) | more than 7 years ago | (#18135096)

Why did the summary skip this part, I wonder:

vulnerabilities in Firefox disclosed by a researcher who makes his work public before informing Mozilla of the problems.
hmm

reality check (0)

Anonymous Coward | more than 7 years ago | (#18135378)

This is totally Moot. Since I downloaded and installed FireFox 2.0.0.2 this morning, which means the updates are available for all.........

Factors (1)

kbox (980541) | more than 7 years ago | (#18135594)

The factor that determines security is never the number of exploits found, it's the rate at which they are fixed.
I would rather have 10 flaws that are fixed in days than 1 that takes 3 months to fix.

Firefox is a great browser, but it's written in regular code by regular humans.
We shouldn't expect it to be perfect.

It worked (1)

BGate$ (953981) | more than 7 years ago | (#18135650)

Spread a little rumor!

Good Month (0)

Anonymous Coward | more than 7 years ago | (#18135654)

Fixing a software artifact such that it behaves as it is advertised when an underlying assumption changes is the hallmark of a competent software maintenance process.

Using the poster's logic, the world would be a better place if (say) Microsoft, Oracle and Cisco fired their respective QA staff; no bugs found implies no problems.

This reminds me. . . (1, Insightful)

Hamoohead (994058) | more than 7 years ago | (#18135742)

. . .of pharmaceutical ads. Before the FDA allowed ads on TV in the US, the only way most people became aware of a drug's side effects or dangers was if enough people started exhibiting symptoms to cause a newsworthy event. Now that the drug companies are required to give full disclosure, everyone has a knee-jerk reaction to the cautionary statements on pharmaceutical drugs, even to the point of arguing with their doctor on the merits of the drug in question.

Every time Firefox vulnerabilities are found, it seems people are falling prey to this same mentality. "It's got an exploitable security bug! OMFG! F'ing programmers! Firefox is a piece of shit!" The bottom line is: Everything that is made has defect(s). FF is no exception. For my part, I would much rather be informed of possible pitfalls, however remote, than be kept in the dark until the horse is already out of the barn. I feel much safer surfing with FF and noscript than IE any day. When was the last time MS took a reported IE exploit that didn't come from their own camp seriously? Kudos to Mr. Zalewski for his efforts. Kudos to the Mozilla team for their efforts in tightening up security on the best browser that has ever been written.

The house is sitting in the mud (1)

uomolinux (838417) | more than 7 years ago | (#18135820)

Well, how often can we read that, but if the basement is cracking, what will happen to the rest of the house? I would like to see what the vulnerability stats are for Firefox on Mac or Linux.... let's see the comparison, maybe that will help people decide which OS to choose in the future.

when independent really means dependent (1)

borgalicious (750617) | more than 7 years ago | (#18135824)

This "independent" security researcher also happens to have a book published by a reputable publisher and another in the works. Cheap advertising, indeed; too bad he had to become a black-hat to get it.