PDA

View Full Version : ATTN Firefox Users!


penguinz
04-18-2005, 09:55 AM
Mozilla flaws could allow attacks, data access

Multiple vulnerabilities that could allow an attacker to install malicious code or steal personal data have been discovered in the Mozilla Suite and the Firefox open-source browser.

Details of the nine flaws were published on Mozilla's security Web site over the weekend.

Ian Latter, senior security consultant at Internet security specialist Pure Hacking, said most of the vulnerabilities are based on the way the applications handle JavaScript.

Read the full story HERE (http://www.bit-quest.com/mozillaflaws.php).

jcroft
04-18-2005, 09:56 AM
Isn't this pretty old? Pretty sure the current version of Firefox has fixed these bugs...

morphius
04-18-2005, 09:58 AM
Basically just upgrade to the version released a couple days ago, and this issue is fixed.

Ta da!

htismaqe
04-18-2005, 10:00 AM
Must...resist...urge...to...ask...

I...thought...Firefox...was...impenetrable...

ROYC75
04-18-2005, 10:02 AM
I seem to recall that many here was harping that they were secure. Fact is it's more secure than IE because of the lack of users and less stuff being written and explored about it.

In time, firefox and Mozilla users alike will be bitching about it like IE .

Personally, why bitch about any of them, the hackers and evil people will continue to do shit to any browser out there once they get the chance.

Spicy McHaggis
04-18-2005, 10:05 AM
Microsoft probably has its IT boys working round the clock to come up with viruses for Firefox.

htismaqe
04-18-2005, 10:05 AM
I seem to recall that many here was harping that they were secure. Fact is it's more secure than IE because of the lack of users and less stuff being written and explored about it.

In time, firefox and Mozilla users alike will be bitching about it like IE .

Personally, why bitch about any of them, the hackers and evil people will continue to do shit to any browser out there once they get the chance.

That's basically what it boils down to.

htismaqe
04-18-2005, 10:07 AM
Microsoft probably has its IT boys working round the clock to come up with viruses for Firefox.

ROFL

jcroft
04-18-2005, 10:08 AM
Must...resist...urge...to...ask...

I...thought...Firefox...was...impenetrable...

Anyone who said that was just being stupid. Firefox's architecture makes it less likely to cause problems than IE, but all software has bugs...

penguinz
04-18-2005, 10:10 AM
And patches are released quicker than for IE.

Cochise
04-18-2005, 10:56 AM
Security flaws I can recall...

Firefox - a few
Internet Explorer - 19237362683198371238127312893712381273817

|Zach|
04-18-2005, 11:03 AM
Security flaws I can recall...

Firefox - a few
Internet Explorer - 19237362683198371238127312893712381273817
ROFL

morphius
04-18-2005, 11:03 AM
That's basically what it boils down to.
The difference is that the issue is already fixed, if it was MS they would first bury their heads in the sand for 6 months after a someone reported the flaw to them, then when it is open to the public they would bitch about how the people who leaked it are the real issue, and then if you are lucky they might fix it 3 months later...

irishjayhawk
04-18-2005, 11:05 AM
It is opensource, so people already know the way in and out. There is no "hacking". Thus, patches are fixed in no time. I think it was...a week?...after 1.0.2 was released that 1.0.3 came out replacing those bugs etc.

IE takes months to fix bugs.

irishjayhawk
04-18-2005, 11:06 AM
Security flaws I can recall...

Firefox - a few
Internet Explorer - 19237362683198371238127312893712381273817
Exactly! ROFL

htismaqe
04-18-2005, 11:33 AM
Security flaws I can recall...

Firefox - a few
Internet Explorer - 19237362683198371238127312893712381273817

Users...

Firefox - a few
Internet Explorer - 19237362683198371238127312893712381273817

htismaqe
04-18-2005, 11:34 AM
The difference is that the issue is already fixed, if it was MS they would first bury their heads in the sand for 6 months after a someone reported the flaw to them, then when it is open to the public they would bitch about how the people who leaked it are the real issue, and then if you are lucky they might fix it 3 months later...

I've NEVER been bitten by MS not releasing a fix on time. Why? Because I've generally secured to the point that such vulnerabilities don't affect me...

Saulbadguy
04-18-2005, 11:39 AM
Once IE comes pre-packaged with all the features I want, i'll switch back to them. Although few and far between, i've experienced problems with certain websites using Firefox.

htismaqe
04-18-2005, 11:51 AM
Once IE comes pre-packaged with all the features I want, i'll switch back to them. Although few and far between, i've experienced problems with certain websites using Firefox.

tab-browsing is the biggie...if you want it, it's firefox...if you don't care (like me) then IE works ok...

Cochise
04-18-2005, 11:53 AM
I've NEVER been bitten by MS not releasing a fix on time. Why? Because I've generally secured to the point that such vulnerabilities don't affect me...

I think most of the people who are affected by these security problems simply don't take any reasonable steps to prepare. They probably have their computer plugged right into the cable modem, no firewall, no router, never update their OS or browser, visit shady websites, leave their computer on (connected) to the web all the time, use Kazaa and other notorious spyware farms, etc.

morphius
04-18-2005, 11:55 AM
I've NEVER been bitten by MS not releasing a fix on time. Why? Because I've generally secured to the point that such vulnerabilities don't affect me...
I just don't care what browser someone uses, I just like that their is options again. When all things are equal, I will chose the multiplatform application over the MS only option, but thats because I hope to move to linux at home at some point in time.

Saulbadguy
04-18-2005, 12:06 PM
I just don't care what browser someone uses, I just like that their is options again. When all things are equal, I will chose the multiplatform application over the MS only option, but thats because I hope to move to linux at home at some point in time.
Its a pain in the ass for web developers, though.

From what I understand, Firefox sticks with the fully compliant HTML spec, and MS does not. I don't know much about that, but thats what i've heard from my developer buds/co-workers.

htismaqe
04-18-2005, 12:14 PM
I think most of the people who are affected by these security problems simply don't take any reasonable steps to prepare. They probably have their computer plugged right into the cable modem, no firewall, no router, never update their OS or browser, visit shady websites, leave their computer on (connected) to the web all the time, use Kazaa and other notorious spyware farms, etc.

Yep.

And in those cases, using Firefox ain't gonna help them one damn bit.

penguinz
04-18-2005, 12:14 PM
Its a pain in the ass for web developers, though.

From what I understand, Firefox sticks with the fully compliant HTML spec, and MS does not. I don't know much about that, but thats what i've heard from my developer buds/co-workers.
:thumb:

htismaqe
04-18-2005, 12:16 PM
Its a pain in the ass for web developers, though.

From what I understand, Firefox sticks with the fully compliant HTML spec, and MS does not. I don't know much about that, but thats what i've heard from my developer buds/co-workers.

No, it's not a pain in the ass for developers.

Internet Explorer is FULLY compliant with all of the major standards, namely HTML 4.0 and SSL/TLS.

The problem IS the developers themselves. They want to write flashy little applets in Java, or ASP code, or Flash movies.

That's NOT IE'S FAULT.

jcroft
04-18-2005, 12:17 PM
Its a pain in the ass for web developers, though.

From what I understand, Firefox sticks with the fully compliant HTML spec, and MS does not. I don't know much about that, but thats what i've heard from my developer buds/co-workers.

You're on the right track.

It's not so much about HTML. Most modern browser render HTML fine. It's really more about CSS and the DOM. Firefox, Safari, Opera, and most every other major modern browser attempts to render CSS to the spec, and perform DOM behaviors as spec'd, too. IE, though, chooses to implement the DOM in it's own way in many cases. IE 6, when it came out, was pretty advanced as far as it's CSS support. However, it hasn't received an update to it's CSS rendering engine since it first came out (which was what, four years ago?). Now, it is way, way behind the other browsers, which makes it difficult to deal with. Microsoft has said they don't plan any significant updates to the CSS rendering engine for Longhorn and IE7, either -- they don't have time, because they need to focus on security flaws. Basically, IE is holding web developers to technology circa about 1998. The CSS spec and DOM have been in place for years, but until IE implements them in their entirety and to the spec, it will always be a hassle, because we web developers have to go back through our code and add exceptions just for IE. If IE was compliant with the specs, code would be virtually guaranteed to work in all browsers.

IE is a fine browser, as long as you don't want the web to advance any beyond where it is today.

jcroft
04-18-2005, 12:18 PM
No, it's not a pain in the ass for developers.

Internet Explorer is FULLY compliant with all of the major standards, namely HTML 4.0 and SSL/TLS.

The problem IS the developers themselves. They want to write flashy little applets in Java, or ASP code, or Flash movies.

That's NOT IE'S FAULT.

Sorry, you are 100% wrong here. IE is not fully complaint with any version of XHTML, or any version of CSS.

We're no talking about Java, ASP, or Flash -- we're talking about the basic W3C standards. IE is NOT complaint. I'll be happy to provide proof if you require it.

htismaqe
04-18-2005, 12:19 PM
You're on the right track.

It's not so much about HTML. Most modern browser render HTML fine. It's really more about CSS and the DOM. Firefox, Safari, Opera, and most every other major modern browser attempts to render CSS to the spec, and perform DOM behaviors as spec'd, too. IE, though, chooses to implement the DOM in it's own way in many cases. IE 6, when it came out, was pretty advanced as far as it's CSS support. However, it hasn't received an update to it's CSS rendering engine since it first came out (which was what, four years ago?). Now, it is way, way behind the other browsers, which makes it difficult to deal with. Microsoft has said they don't plan any significant updates to the CSS rendering engine for Longhorn and IE7, either -- they don't have time, because they need to focus on security flaws. Basically, IE is holding web developers to technology circa about 1998. The CSS spec and DOM have been in place for years, but until IE implements them in their entirety and to the spec, it will always be a hassle, because we web developers have to go back through our code and add exceptions just for IE. If IE was compliant with the specs, code would be virtually guaranteed to work in all browsers.

IE is a fine browser, as long as you don't want the web to advance any beyond where it is today.

Is CSS a STANDARD, or is it an agreed-upon convention, like Java?

Saulbadguy
04-18-2005, 12:20 PM
No, it's not a pain in the ass for developers.

Internet Explorer is FULLY compliant with all of the major standards, namely HTML 4.0 and SSL/TLS.

The problem IS the developers themselves. They want to write flashy little applets in Java, or ASP code, or Flash movies.

That's NOT IE'S FAULT.
Like I said..I'm not too sure about it, because i'm not a developer.



It's not so much about HTML. Most modern browser render HTML fine. It's really more about CSS and the DOM. Firefox, Safari, Opera, and most every other major modern browser attempts to render CSS to the spec, and perform DOM behaviors as spec'd, too. IE, though, chooses to implement the DOM in it's own way in many cases. IE 6, when it came out, was pretty advanced as far as it's CSS support. However, it hasn't received an update to it's CSS rendering engine since it first came out (which was what, four years ago?). Now, it is way, way behind the other browsers, which makes it difficult to deal with. Microsoft has said they don't plan any significant updates to the CSS rendering engine for Longhorn and IE7, either -- they don't have time, because they need to focus on security flaws. Basically, IE is holding web developers to technology circa about 1998. The CSS spec and DOM have been in place for years, but until IE implements them in their entirety and to the spec, it will always be a hassle, because we web developers have to go back through our code and add exceptions just for IE. If IE was compliant with the specs, code would be virtually guaranteed to work in all browsers.


So who is right..rufus or jcroft? I do know that MS rarely updates Internet Explorer, save for a security hole here and there.

Saulbadguy
04-18-2005, 12:21 PM
Speaking of Java...why do java apps run so much faster in Linux, over Windows?? :hmmm:

htismaqe
04-18-2005, 12:21 PM
Sorry, you are 100% wrong here. IE is not fully complaint with any version of XHTML, or any version of CSS.

We're no talking about Java, ASP, or Flash -- we're talking about the basic W3C standards. IE is NOT complaint. I'll be happy to provide proof if you require it.

Thanks. That's exactly what I was looking for. I'm a networking guy, not a web developer.

Can you provide some links? I'd like to read up.

morphius
04-18-2005, 12:21 PM
Its a pain in the ass for web developers, though.

From what I understand, Firefox sticks with the fully compliant HTML spec, and MS does not. I don't know much about that, but thats what i've heard from my developer buds/co-workers.
MS does this with everything they can and has for years. I remember doing some early javascript and having to write the same thing 5 different way before it worked in MS, yet each way worked with Netscape. Its just a mess.

jcroft
04-18-2005, 12:21 PM
Is CSS a STANDARD, or is it an agreed-upon convention, like Java?

It is the ONLY standard recognize by the W3C for presentation on the web. Usually when people talk web standards, CSS is precisely what they are referring to.

Here, look:

http://www.webstandards.org/about/

jcroft
04-18-2005, 12:23 PM
Thanks. That's exactly what I was looking for. I'm a networking guy, not a web developer.

Can you provide some links? I'd like to read up.

The web standards project is your best bet for "reading up:"

http://www.webstandards.org

Here's a nice browser support chart that shows how much farther ahead Firefox and Opera are over IE as far as standards support.

http://nanobox.chipx86.com/browser_support.php

Saulbadguy
04-18-2005, 12:23 PM
Thanks. That's exactly what I was looking for. I'm a networking guy, not a web developer.


Same here. Well, not so much a "networking" guy, but a Directory services guy. I'm just repeating what I hear from our Web architect.

htismaqe
04-18-2005, 12:24 PM
MS does this with everything they can and has for years. I remember doing some early javascript and having to write the same thing 5 different way before it worked in MS, yet each way worked with Netscape. Its just a mess.

Javascript isn't a standard, though. That's my point.

However, it does appear that W3C has a proposed standard for a scripting language at the link that Jeff posted...

jcroft
04-18-2005, 12:26 PM
Javascript isn't a standard, though. That's my point.

However, it does appear that W3C has a proposed standard for a scripting language at the link that Jeff posted...

No, javascript is not a standard. But the DOM is, which is basically ECMAScript, the standard version of Javascript.

The DOM/ECMA is, for all intents and purposes, Javascript -- it's just a version that has been standardized on.

morphius
04-18-2005, 12:26 PM
Javascript isn't a standard, though. That's my point.

However, it does appear that W3C has a proposed standard for a scripting language at the link that Jeff posted...
It was an example, I don't think I really need to dig up all off MS's breaking of standards, 'cause I think we both know at least a couple.

htismaqe
04-18-2005, 12:26 PM
The web standards project is your best bet for "reading up:"

http://www.webstandards.org

Here's a nice browser support chart that shows how much farther ahead Firefox and Opera are over IE as far as standards support.

http://nanobox.chipx86.com/browser_support.php

Cool. Thanks!

I haven't kept up on W3C dealings...too busy trying to keep up with IETF and ICANN, SANS, and all the rest...

htismaqe
04-18-2005, 12:29 PM
It was an example, I don't think I really need to dig up all off MS's breaking of standards, 'cause I think we both know at least a couple.

I can think of many examples where Microsoft adheres to standards too, though. There's just alot of misinformation out there...

Honestly, I have far more instances of Cisco not adhering to standards...

jcroft
04-18-2005, 12:37 PM
I can think of many examples where Microsoft adheres to standards too, though. There's just alot of misinformation out there...

Honestly, I have far more instances of Cisco not adhering to standards...

In the case of the web, Microsoft's gameplan seemed to go something like this:

1. Copy Netscape's rendering engine, since they owned the browser marketplace.
2. Add additional features to IE that Netscape didn't have in order to win converts.
3. Market for mass conversion to IE, basically killing off Netscape 4.
4. Embrace standards, especially in IE 5 for Mac and IE 6 for Windows, in order to appear more web-friendly than Netscape 6, which had pretty shady standards support.
5. Eliminate Netscape 6 by being more "standards-friendly."
6. At this point, IE holds a nearly 100% marketshare.
7. No need to embrace standards anymore -- Microsoft IS the standard.
8. Make your own standards from here on out (Active X, MS's over version of Java, proprietary CSS attributes, etc.)
9. Firefox. Oh shit.
10. ????

Bottom line -- Microsoft embraces open standards when it's convenient for them, but shuns them if they feel like they can create a closed standard and people won't bitch. They desire control.

htismaqe
04-18-2005, 12:42 PM
Bottom line -- Microsoft embraces open standards when it's convenient for them, but shuns them if they feel like they can create a closed standard and people won't bitch. They desire control.

Just to be fair, that's not unique to Microsoft. That's EVERYBODY.

Saulbadguy
04-18-2005, 12:45 PM
In the case of the web, Microsoft's gameplan seemed to go something like this:

1. Copy Netscape's rendering engine, since they owned the browser marketplace.
2. Add additional features to IE that Netscape didn't have in order to win converts.
3. Market for mass conversion to IE, basically killing off Netscape 4.
4. Embrace standards, especially in IE 5 for Mac and IE 6 for Windows, in order to appear more web-friendly than Netscape 6, which had pretty shady standards support.
5. Eliminate Netscape 6 by being more "standards-friendly."
6. At this point, IE holds a nearly 100% marketshare.
7. No need to embrace standards anymore -- Microsoft IS the standard.
8. Make your own standards from here on out (Active X, MS's over version of Java, proprietary CSS attributes, etc.)
9. Firefox. Oh shit.
10. ????


You forgot: ....Profit!

jcroft
04-18-2005, 12:45 PM
Just to be fair, that's not unique to Microsoft. That's EVERYBODY.

Well, it's MOST everybody, anyway. It's at least most major companies. I'm not sure it applies to Firefox and the open source community, though...

andoman
04-18-2005, 04:36 PM
tab-browsing is the biggie...if you want it, it's firefox...if you don't care (like me) then IE works ok...

You can drop on Crazy Browser for tab-browsing if you don't like Firefox. I think it runs on top of IE.

tk13
04-18-2005, 04:45 PM
Security flaws I can recall...

Firefox - a few
Internet Explorer - 19237362683198371238127312893712381273817
First time you made this post it was "Firefox - 0" then you had "Firefox - 1", and now "Firefox - a few"... don't worry, in due time I'm sure you can catch up... ;)

Ultra Peanut
04-22-2005, 07:04 AM
tab-browsing is the biggie...if you want it, it's firefox...if you don't care (like me) then IE works ok...I used to wonder what the big deal was with tabbed browsing, but once I tried out Firefox, anything other than tabbed browsing seems backwards.

Toss in sweet-ass extensions like SessionSaver, and I was on Firefox like Barry Zuckercorn on a transsexual prostitute in the City of Industry.

Simplex3
04-22-2005, 07:53 AM
Interresting, our web server is seeing more and more Firefox even though the percentage of Winblows users stays the same...

61.3% - IE
23.1% - Firefox
10.8% - Safari

KC Jones
04-22-2005, 09:03 PM
Javascript isn't a standard, though. That's my point.

However, it does appear that W3C has a proposed standard for a scripting language at the link that Jeff posted...

If you ever confuse Java and javascript again I will crush your head

j/k :D