L
Lius
using Win98SE on a P4 is like using a car instead of a bicycle to the next block
to get some groceries
to get some groceries
C
casioculture
Jari said:
The "very critical Firefox-holes" is actually one, not two. In my
opinion nothing more than a minor teething problem for a very young
browser, compared to IE which should've been very mature by now and got
over its security scares, but is far from it. Besides, the Mozilla
foundation responded immediately and let everyone know on day zero and
before anything got in the wild, posted instructions on what people
should do (tick off allowing websites to install software; couldn't be
simpler), even took the rather extreme protective measure of disabling
its update site, and is working on a fix. Compare this with Microsoft
where security vulnerabilities go on for months without an adequate
response.
D
Duddits
Yes, I just love how you can get extensions for practically anything!
I've never had a browser that was so in tune with my needs. I'm still
missing out on a thing or two, mainly how easy it is to save webpages
in IE with the source URL automatically dumped within the html code of
the saved page. So I just have an extension for opening a page in IE
when I need to save pages <g>. FF rocks.D
Have you tried ScrapBook for saving pages?
http://amb.vis.ne.jp/mozilla/scrapbook/
regards
Dud
N
null
Using WIN 98SE on my AMD Duron 1.8 ghz with a good video board and DSL
service finally gives me the kind of fast machine I actually enjoy
using on the internet. My Win ME machine with a 900 mhz PIII is also
nice to use, but with only 128 meg RAM it's noticeably slower loading
apps.
MS always bogs down decent hardware with their latest software. Using
their latest sw is like trying to set a world record running 100
meters with people throwing garbage cans in front of you
Art
http://home.epix.net/~artnpeg
D
Dick Hazeleger
casioculture said:
Like the "Mozilla IFRAME" vulnerability the next day? Look, I follow
software vulnerability and security reports on a daily basis; usually
they aren't issued on Sunday... the critical security holes (actually
it were three more... read Secunia's site...) report was - and by two
independant, so it appeared to me that this really was important!
Now, let's agree that ANY software can have security issues; IE, Opera;
and FF too, shall we?
Question: When would you believe that FF has a *major* security issue?
When it is announced by G.W. Bush (either one of the two) on the US
PBS, or what??? My goodness, those who write FF's code are humans, not
gods... and as the saying goes: To err is human!!! Time to wake up and
understand that!
I agree that the Moz. folks respond much faster than the folks from
Redmont, and that IE had many, many security related problems... all
true, but... FF is just a program, it ain't religion, nor a cult...
just a program, and programs have bugs which can be security related.
I probably will get fried to a crisp over this, since the "Hail the
Almighty FireFox" attitude here, if so... then so be it!
Regards,
Dick Hazeleger
FF, IE and Opera user (disadvantage of being a webmaster
A
André Gulliksen
Maybe. But common sense alone still helps a lot more than any anti-whatever
you care to try, and possibly more than all of them combined.
H
Harvey Van Sickle
On 11 May 2005, Dick Hazeleger wrote
-snip-
Have you tried K-Meleon? It's a bit geeky, but I've been using it as
my default for a number of months now, having switched from FF. (It
does almost everything I need, other than the occasional need to rely
on IE for the usual suspects sites, and it's extremely configurable if
you're not afraid of editing the occasional .ini file.)
Anyway, one of the main reasons I started looking around -- having used
Phoenix/FF from around version 0.7 -- was that the rabid fringe end of
the FF groupies seemed to be taking over. It was refreshing attitude
to find that the attitude the KM developers and the users was "my
browser is not my religion".
(FWIW, KM is gecko-based, but it works largely through macros rather
than XML (?XUL? brain-fart time -- whatever that language that FF
uses...), so it's less vulnerable than FF to certain types of exploit.
That's not my main reason for using it, but it's a good feature.)
-snip-
Have you tried K-Meleon? It's a bit geeky, but I've been using it as
my default for a number of months now, having switched from FF. (It
does almost everything I need, other than the occasional need to rely
on IE for the usual suspects sites, and it's extremely configurable if
you're not afraid of editing the occasional .ini file.)
Anyway, one of the main reasons I started looking around -- having used
Phoenix/FF from around version 0.7 -- was that the rabid fringe end of
the FF groupies seemed to be taking over. It was refreshing attitude
to find that the attitude the KM developers and the users was "my
browser is not my religion".
(FWIW, KM is gecko-based, but it works largely through macros rather
than XML (?XUL? brain-fart time -- whatever that language that FF
uses...), so it's less vulnerable than FF to certain types of exploit.
That's not my main reason for using it, but it's a good feature.)
B
Bob Adkins
I beg to differ. I can configure FireFox in 1 day. It takes 2 days to go
through all the config in Maxthon.
-- Bob
B
Bob Adkins
I love how Maxthon can do just about anything without messing with tedious
extensions.
-- Bob
A
Aaron
I beg to differ. I can configure FireFox in 1 day. It takes 2 days to
go through all the config in Maxthon.
Yes, that's why Maxthon sucks
If I want features, I prefer adding features I use, rather than
complexity for its own sake.
?
=?ISO-8859-1?Q?=BBQ=AB?=
But you just said it takes you two days to configure Maxthon; sounds
tedious to me.
F
Fuzzy Logic
Total crap. There were 3 critical security issues with Firefox in March that
were known by the developers for close to 3 weeks before the alert and a
patch was released. Sample code was available:
http://secunia.com/advisories/14654/
https://bugzilla.mozilla.org/show_bug.cgi?id=285438 (March 11)
https://bugzilla.mozilla.org/show_bug.cgi?id=284627 (March 3)
https://bugzilla.mozilla.org/show_bug.cgi?id=285595 (March 10)
No users alerts were released until the patch was released on March 23. So
you were vulnerable for weeks but Mozilla decided you really didn't need to
know about it. Of course when Microsoft does this everyone has a tantrum but
apparently Mozilla can do no wrong?!
F
Fuzzy Logic
I beg to differ. I can configure FireFox in 1 day. It takes 2 days to go
through all the config in Maxthon.
-- Bob
Avant takes about 2 minutes and is similar (I'd say better) to Maxthon.
?
=?ISO-8859-1?Q?=BBQ=AB?=
Wrong again.
That compares very favorably with Microsoft's record of leaving
vulnerabilities unpatched for months even though there are exploits in
the wild.
You mean the patches that were proposed for testing on the dates you
give below? Surely you don't want them releasing untested patches.
Not even Microsoft do that.
Indeed. It's a shame these latest ones were leaked before the Mozilla
developers could finish closing the hole.
Longer than that -- all versions prior to 1.0.2 were
vulnerable -- though no one was exploiting the vulnerabilities, since
they were not published and no one malicious had found out about them.
You didn't need to know about it. Would you actually prefer that
Microsoft and the Mozilla Foundation publicize vulnerabilities before
patching them? If so, why?
That is completely wrong. When Microsoft quickly patch holes before
publishing them, no one has a tantrum. A main reason for all the
vulnerabilities being published before being patched by Microsoft was
that when Microsoft were notified privately, they took no action. They
seem to be better about this now that they have competition.
You keep saying that, despite the fact that no one here has claimed
Mozilla is perfect.
F
Fuzzy Logic
What about telling the users they are vulnerable and a workaround (if
available) until the patches are ready?
It's a shame that you were vulnerable but nobody bothered to inform you so
you could take appropriate action.
What do you mean by not published? It may not have been common knowledge but
the above links give sample code and are readily accesible by anyone who
want's to take advantage of the vulnerabilities.
That's like saying your car has faulty brakes but you don't need to know
about it until we have a fix!
If the developers know of a vulnerability I want to be informed of it
regardless of wether or not a patch/workaround is available. Especially if
it's a 'critical' vulnerability. This gives ME the choice of wether or not I
wish to expose myself to a potential threat.
?
=?ISO-8859-1?Q?=BBQ=AB?=
What about it? Note that Microsoft don't do that either, unless
someone else publishes the vulnerability before they have a patch
ready.
Why is this a shame? Nothing was exploiting the vulnerabilities.
I mean that no one was making info about them publicly available.
The above links were not readily accessible until after the the
vulnerabilities were patched.
You can't have it both ways. You noted repeatedly that the info was
withheld from the public, and you were quite critical of that. Now
you want to claim (incorrectly) that the info was publicly available
so you can criticize that.
Not as bad as some of your analogies, but that one is bad enough for
me not to waste time dealing with it. I'll just point out that
Microsoft also, ahem, try to kill people by letting them drive
unaware with faulty brakes.
Too bad. Neither mozilla.org nor Microsoft are going to inform you
about unexploited vulnerabilities.
And it would give malicious hackers the choice to exploit the
vulnerabilities. The need to keep that choice from them clearly
overrides your wants. Luckily, despite your unhappiness with it,
the policy also does not expose you to any exploits.
M
Mike Andrade
Sheesh, you're just stupid aren't you?
S
Sparky
Fuzzy said:
Fuzzy;
This problem is way past what any individual merely "wants."
Organizations which find vulnerabilities regularly delay the posting of
discoveries and proof-of-concepts. This has grown out of years of
formal/informal coordination among affected companies, AV companies,
Gummint agencies and the like.
Delays in posting vulerabilites allow affected companies time to confer
w/their engies, the org that found it and any security agencies. The
idea is to patch the vulnerability before it hits "the wild." Most
often this works.
For every nice guy like you who wants to know about vulnerabilities
A.S.A.P, there's a black-hat itching to turn it into the lastest
skript-kiddie patch. For all the potential faults with the current
"agreement" on how to handle vulnerabilities, it beats the alternatives.
regards,
Sparky
F
Fuzzy Logic
That we know of.
I wasn't aware of that.
And they have and should be be condemned for such practices.
I'd be curious to know how they know they haven't been exploited.
The fact is I am exposed. There is a known vulnerability (who knows is the
big question). I would like to be able to determine wether or not I wish
to take that chance or consider other options. This decision unfortunately
doesn't appear to be mine to make. Security by obscurity is not a good
practice.
?
=?ISO-8859-1?Q?=BBQ=AB?=
If there were exploits in the wild, we'd know. That's what the
security sites you like to quote are for, e.g. secunia.
Your credibility is strained. If you thought those pages had been
accessible, why would you have complained about the info on them
being withheld?
In case you really were not aware of how it works, I'd suggest
learning more about how bugzilla.mozilla.org works before
criticizing it. Here's a link to the bugzilla entry on the recently
leaked vulnerabilites. Since there are other security bugs
discussed there, you and I and the malicious hackers don't get to
see it. Once any security issues dealt with in the entry are
patched in a Firefox release, you'll no longer be denied entry.
Only when they didn't bother with patching the holes. As I pointed out
before, Microsoft does not take heat for withholding disclosure of
vulnerabilites while they work on fixes as long as they work on them
in a timely manner, as the Mozilla developers do.
Exploits of unpatched vulnerabilities show up quickly on security
sites, newsgroups, mailing lists, etc. Once the proof-of-concept
exploits for this latest Firefox vulnerability were out, how long
did it take for it to show up at secunia? How long after that did
it show up here?
The fact is that you are not exposed to anything at all in these
cases.
And the important answer is: the developers fixing it know, but not
the people who would use it maliciously. That answer is why users
are not exposed to any exploits in these cases.
There are a few "full disclosure" zealots who agree with you.
Luckily, they don't seem to be able to find the vulnerabilites
before the white hats do.
OTOH, if the vendor drags its feet long enough, the people who found
the vulnerabilities usually announce them publicly, so you get your
wish; this has happened often to Microsoft.