Free Republic · General/Chat

Coding misstep forces new Firefox release
News.com ^ | 2005-07-18 | Renai LeMay

Posted on 07/18/2005 8:45:23 PM PDT by N3WBI3

The open-source Firefox browser and Thunderbird e-mail client will be updated for the second time in a week because of code changes that have unintentionally stopped some third-party extensions from functioning correctly.

The updates will take Firefox and Thunderbird to version 1.0.6, while the Mozilla Suite will be updated to version 1.7.10, wrote representatives from the Mozilla Foundation on the group's developer news blog. Mozilla oversees the software's development.

It appears security fixes in last week's 1.0.5 update caused the problems.

"There is a very real chance that some of the general security improvements in last week's 1.0.5 update may impact a number of extensions that worked with 1.0.4 and earlier, and we want to identify and address as many of these as possible before we release 1.0.6," the representatives said.

Because of the impending update, the Mozilla Foundation has asked developers to temporarily halt work on localizing the software for non-English language markets, a move that has drawn criticism from some adherents.

"We are getting lots of e-mails from Firefox users in Poland asking us about why isn't Firefox 1.0.5 available in Polish," wrote one developer in the localization newsgroup.

"A few days more, and it's gonna be a big public relations disaster for Firefox outside the U.S.A.," the developer added.

Another developer attacked the foundation in its bug-reporting forum.

"Tens of millions of users are still using 1.0.4 while critical security bugs are already published after en-US (U.S. English) 1.0.5 release," the developer wrote.

Calling for the foundation to release its software in all supported languages simultaneously, the developer said that by delaying the foreign language versions, Mozilla was wasting the work done by developers promoting the foundation's brands in local markets.

Test versions of the updated software are available, and the foundation has asked third-party developers to make sure their extensions work.

"Extensions that interact with Web content and events may be the most susceptible to these changes," the foundation representatives wrote. "Mail-handling extensions such as (secure e-mail extension) Enigmail for Thunderbird and the Mozilla Suite should also be tested heavily."

A Mozilla Foundation representative was not immediately available to comment on the changes.

Renai LeMay of ZDNet Australia reported from Sydney


TOPICS: Computers/Internet
KEYWORDS: firefox; opensource
To: for-q-clinton
Then you should do a bit more research into Linux and security issues ;-).

I'm an IT security professional. I've been working as such for Fortune 100 companies for the past 5 years.

I've done my research. Microsoft has more serious security problems. It takes longer to fix them, if ever. Microsoft has a history of suing people who find bugs in their software and report it to Microsoft.

All of these facts are well established.

So I take it you aren't honoring your commitment to leave for 1 week.

I've made no such commitment. Once again, your perceptor is broken.

Oh well, I knew it was too good to be true.

Like Microsoft security guarantees, eh?

81 posted on 07/21/2005 11:24:53 PM PDT by Knitebane (Happily Microsoft free since 1999.)
[ Post Reply | Private Reply | To 58 | View Replies]

To: Bush2000
You just don't seem to be able to grasp this concept: When you constantly criticize the quality of IE or Windows -- and then downplay Linux or FireFox or other OSS flaws -- you're essentially making an implicit declaration that OSS offers fundamentally better quality.

I've never seen him downplay legitimate flaws in OSS. Please link evidence of this.

As I've pointed out countless times to you and others, software defect rates for the overwhelming majority of projects are the same (defect/KLOC) -- regardless of whether the development methodology is open source or closed source.

You pointed out one study. That same study ignored the effect of viruses and worms, the major vector for Windows security issues.

All current studies with reasonable parameters routinely show that Windows has more serious security and stability issues than Linux.

I know that you are paid to try to disprove these things, but facts are stubborn things.

I've certainly interacted with a sizable number of OSS zealots

As opposed to the paid Microsoft zealots?

Sad when you have to pay people to put a good spin on your product. Linux boosters, by and large, advocate Linux and OSS for free.

You do, at least, acknowledge that OSS tools have some bugs

That has never been the issue, no matter how much you and your ilk try to spin it that way.

We Linux advocates regularly discuss the types and severity of bugs in various kinds of software, lock-ware and open source. We've never claimed that OSS has no bugs. We simply stated that it has fewer serious bugs.

I think you have a case of transference. It's like pulling teeth to get one of you Microsofties to admit that Windows has any bugs at all.

Even Bill Gates said that Windows has no significant bugs. I guess where your master goeth, there goeth thou, eh?

82 posted on 07/21/2005 11:34:06 PM PDT by Knitebane (Happily Microsoft free since 1999.)
[ Post Reply | Private Reply | To 77 | View Replies]

To: Bush2000
The Mac zealots are just as bad, IMO.

The paid Windows zealots are the worst.

83 posted on 07/21/2005 11:36:28 PM PDT by Knitebane (Happily Microsoft free since 1999.)
[ Post Reply | Private Reply | To 79 | View Replies]

To: Knitebane

If you read the next post, I thought your post was from N3WBI3, so calm down.

You're entitled to your opinion based on your research; however, I think it is flawed as Linux has many security bugs (they just aren't as widely reported or they are downplayed). Also you're discounting the fact that more people are hacking MS because it has the largest user base. Hackers try to get notoriety and you get that by knocking out the most machines possible.

Based on install base Linux has many times more bugs than windows. And I'll predict it has many more yet to be discovered (if they ever pass up Microsoft we'll see more exploits than ever).


84 posted on 07/22/2005 6:31:03 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 81 | View Replies]

To: xmm0
Sorry to jump in. But, I am also one of the OSS proponents and I'd have to say that it's not the flaws that are the main concern between the two, it's the solution. Remember the infamous "Ping of Death" attack? Linux was patched within 3 hours, how long did it take for MS to have an update for it? I would actually go so far as to say two releases of FireFox in one week could be a good thing. It shows the speed at which they can resolve a problem.

Were all versions of linux easily patched? Could a regular home user patch the system? Also are you saying 100% of Linux patches are fixed within 3 hours? If not, your comparison is faulty; however, if you are...do you agree to leave for 1 month if I can find where a linux patch took more than 3 hours to release?

85 posted on 07/22/2005 6:38:00 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 80 | View Replies]

To: for-q-clinton

"do you agree to leave for 1 month if I can find where a linux patch took more than 3 hours to release?"

Out to silence those who don't agree with you, eh? No, I never offered that, nor would I agree.


86 posted on 07/22/2005 6:50:54 AM PDT by xmm0 (This post has been brought to you by the letters "U," "S," and "A" and Amendment number 1.)
[ Post Reply | Private Reply | To 85 | View Replies]

To: xmm0
No, I never offered that, nor would I agree.

I understand. But you do admit most Linux patches take more than 3 hours to release, right? And that the point you made was statistically insignificant--just like "I went outside today and saw only one man with green hair and all the women I saw had normal hair color. All men must now have green hair, so I need to go dye my hair to match."

87 posted on 07/22/2005 7:10:29 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 86 | View Replies]

To: for-q-clinton

Sure, my point was that the availability of the source meant anyone can find the flaw and fix it, not relying upon the vendor. Different problems take different times to catch and fix, I grant that.

BTW, I have red hair. ;P


88 posted on 07/22/2005 7:16:48 AM PDT by xmm0 (This post has been brought to you by the letters "U," "S," and "A" and Amendment number 1.)
[ Post Reply | Private Reply | To 87 | View Replies]

To: xmm0
Sorry to jump in.

No worries. You have some interesting things to say.

But, I am also one of the OSS proponents and I'd have to say that it's not the flaws that are the main concern between the two, it's the solution. Remember the infamous "Ping of Death" attack? Linux was patched within 3 hours, how long did it take for MS to have an update for it? I would actually go so far as to say two releases of FireFox in one week could be a good thing.

Patching faster is not necessarily a good thing. Look at the problems illustrated in this article. The FireFox devs rushed fixes into production before they were ready, and that's going to create problems for their users.

Similarly, not all problems are of sufficient criticality to demand a fix immediately. For example, 14% of reported vulnerabilities in FireFox 1.x haven't been patched -- and probably never will be.



It shows the speed at which they can resolve a problem.

I have three points to make about your comment. First, just because somebody issues a patch doesn't mean that it's going to get installed by end-users -- and an unpatched system is still vulnerable even if a patch exists. Second, the overwhelming majority of malware doesn't take advantage of zero-day exploits. There were patches available for Slammer, Blaster, many other serious security threats months before they were released into the wild. Third, this may seem counterintuitive, but patches actually make it easier for malware writers to create exploits.

Slow Down the Security Patch Cycle


89 posted on 07/22/2005 9:04:55 AM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 80 | View Replies]

To: for-q-clinton
You're entitled to your opinion based on your research; however, I think it is flawed as Linux has many security bugs (they just aren't as widely reported or they are downplayed).

Linux has as many or more reported security bugs. That's because it's open. Microsoft's model is closed so we may never know how many security issues are found internally and then fixed.

But that doesn't really matter to the issue at hand. The issue, whether Linux or Microsoft is more secure, has almost nothing to do with the number of bugs. It has to do with the number of severe bugs. And Microsoft loses, time and again.

Also you're discounting the fact that more people are hacking MS because it has the largest user base. Hackers try to get notoriety and you get that by knocking out the most machines possible.

This has been disproved many, many times. Just because there are more Fords in the world than Bentleys doesn't mean that either one is a) better b) safer c) more economical.

The raw numbers mean nothing.

Based on install base Linux has many times more bugs than windows.

Reported bugs. Let's not forget that Win2K shipped with nearly 65 thousand bugs, according to Microsoft. But they never listed exactly what they were.

And I'll predict it has many more yet to be discovered (if they ever pass up Microsoft we'll see more exploits than ever).

I predict that there will be many more Linux bugs that will come to light. And there will be many more Windows bugs too. And no matter the number, the Windows bugs will continue to be more serious.

This isn't a numbers game, it's because of the architecture of Windows which lets Internet-reachable services run as the system user.

It's a design flaw.

90 posted on 07/22/2005 11:35:45 AM PDT by Knitebane (Happily Microsoft free since 1999.)
[ Post Reply | Private Reply | To 84 | View Replies]

Comment #91 Removed by Moderator

To: Bush2000
You make some excellent points. Security is a process and not a product, it's something that you just have to do.

Code-exploit developers are becoming much more sophisticated about using the reverse-engineering method to quickly develop exploits. Recent developments show that code exploiters can reverse-engineer a patch in hours, not days or months.
I've heard this, it's an interesting concept. However, one who takes security seriously shouldn't be too concerned, it's the rest of the world who don't that bothers me. At this point MS did good with the Windows Update thingy that checks daily and there are Linux equivalents like the Red Hat update tool and about every distro has their own. (not implying a better solution, but equal) At the university I attend we have both OSes and both are updated nightly.

Every system, including Linux and proprietary Unix systems that are built with C/C++, are faced with the buffer overflow security issue. Speeding up release of patches, without improving the underlying process, won't help; it only gives the code exploiters the information they need more quickly.
This annoys me. Really. C can be written with checks to prevent this. There are libraries that are out there to prevent this so the developer doesn't have to. And most importantly, the OS could be written to do such things as make the stack non-executable, leaving only the "return into libc" attacks... and that is thwarted by randomly relocating the libc in memory so any attempt is a shot in the dark. The odds of actually getting a libc call to the right function several times as 'sploits require is just astronomical. I have run simulations on my computer many many many times and not once have I succeeded.

An auto company that installs motors that fail and kill the occupants won't last long. Why then do people still allow vendors to write software in a way that is unsafe and does fail, costing millions (billions?) each year? C'mon coders, no more strcpy(), ok?
92 posted on 07/22/2005 3:22:51 PM PDT by xmm0 (This post has been brought to you by the letters "U," "S," and "A" and Amendment number 1.)
[ Post Reply | Private Reply | To 89 | View Replies]

To: xmm0
Security is a process and not a product, it's something that you just have to do.

Agree completely. Some people seem to think that software is "done" when, in fact, it's constantly evolving in response to bugs and threats.

I've heard this, it's an interesting concept. However, one who takes security seriously shouldn't be too concerned, it's the rest of the world who don't that bothers me.

Well, I mostly agree. Researchers and vendors need to move forward regardless of the time-to-exploit. But I think it's a false standard to assume that patching within a few hours makes much difference unless it's truly a nasty remote exploit. IE and FireFox flaws are generally mitigated by the fact that a user has to visit a malicious site in order to trigger them. Viruses, spyware, etc. can generally be avoided by following reasonable behaviors, such as not clicking on unsafe and unverifiable email attachments, running a firewall, running with a reduced privilege account, etc. I've never had any need for a virus scanner, and I expect that fewer people will need to do so when Longhorn comes out (See Longhorn Locked Down to Fight Hackers).

This annoys me. Really. C can be written with checks to prevent this. There are libraries that are out there to prevent this so the developer doesn't have to. And most importantly, the OS could be written to do such things as make the stack non-executable, leaving only the "return into libc" attacks... and that is thwarted by randomly relocating the libc in memory so any attempt is a shot in the dark.

Yeah, this is a serious problem and, while there are some things that can be done to reduce the threat of buffer overflow attacks (Data Execution Protection -- DEP), clearly the best way to avoid this problem is to prevent buffer overflow bugs at their source: namely, write solid code, don't trust input, and use SAL parameter annotation. Using annotation allows special tools to do static and dynamic analysis on your code -- either scenario-based or more laborious exhaustive path analysis -- to root out buffer overflows and other problems in the code. It is my understanding that MS is making very heavy use of these kinds of tools on all system components in Longhorn; which, hopefully, will yield fewer security problems.
93 posted on 07/22/2005 7:07:34 PM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 92 | View Replies]

To: xmm0
An auto company that installs motors that fail and kill the occupants won't last long. Why then do people still allow vendors to write software in a way that is unsafe and does fail, costing millions (billions?) each year? C'mon coders, no more strcpy(), ok?

There are some excellent string handling functions available (see StrSafe) that I've used in the past to bulletproof my apps.
94 posted on 07/22/2005 7:10:01 PM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 92 | View Replies]
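The two replies above (post 92's "no more strcpy()" and post 94's pointer to StrSafe) describe a discipline rather than show it, so here is an added example, not code from the thread and not StrSafe itself: a bounded copy whose destination size travels with the buffer, which never writes past it and reports truncation with a status code instead of silently overflowing. The struct, field size and sample names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread). The API shape, a status code plus
 * guaranteed NUL termination, follows the idea of the StrSafe routines the
 * reply mentions, but this is a standalone C99 implementation, not StrSafe. */

typedef enum {
    COPY_OK = 0,        /* whole string fitted, including the NUL */
    COPY_TRUNCATED = 1, /* destination too small; result cut and NUL-terminated */
    COPY_BAD_ARGS = 2   /* NULL pointer or zero-length destination */
} copy_status;

/* Copy src into dst, whose capacity is dst_size bytes (NUL included).
 * Unlike strcpy(), it can never write more than dst_size bytes, and unlike
 * strncpy(), it always terminates the result. */
copy_status bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARGS;

    size_t i = 0;
    /* Stop one byte early to leave room for the terminator. */
    while (i < dst_size - 1 && src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return src[i] == '\0' ? COPY_OK : COPY_TRUNCATED;
}

/* A constructed fixed-size record. With strcpy() the 16-byte field would be
 * the classic overflow target; with bounded_copy() the field size is enforced. */
#define USERNAME_LEN 16

struct account {
    char username[USERNAME_LEN];
    int  privileged;   /* sits right after the buffer: what an overflow would clobber */
};

/* Return 1 if the account was populated, 0 if the name was rejected.
 * Over-long names are rejected outright rather than silently truncated,
 * because a truncated identifier can collide with a different, legitimate one. */
int account_set_username(struct account *acct, const char *name)
{
    copy_status st = bounded_copy(acct->username, sizeof acct->username, name);
    if (st != COPY_OK) {
        acct->username[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    struct account a = { "", 0 };
    /* Constructed inputs: one fits the field, one is deliberately over-long. */
    const char *ok_name   = "alice";
    const char *long_name = "this-name-is-far-too-long-for-the-field";

    printf("%s -> %s\n", ok_name, account_set_username(&a, ok_name) ? "accepted" : "rejected");
    printf("%s -> %s\n", long_name, account_set_username(&a, long_name) ? "accepted" : "rejected");
    printf("privileged flag still %d\n", a.privileged);
    return 0;
}
```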

To: for-q-clinton; softwarecreator
Ok the week is over and I would like to post some thoughts on this:

There are serious security issues that need to be addressed, and they fall into two categories...

1) Software: Despite claims to the contrary OSS development is not a software methodology, OSS developers use the same development methods as the folks at Redmond and as such have the same ability to miss something. OSS is all about the way software is licensed; it is *no* different than closed source in terms of how software is developed. Microsoft has serious security issues, and (IMHO) they are worse than say Linux or FireFox in the respective areas (desktop / browser) but may be better than some open source projects in others. Some closed source companies, like IBM (AIX), do far better in terms of security than Linux.

And this is where it gets hard:

2) Feelings: The number of OSS users who believe their product is without fail is far smaller than say the number of Mac users who think their product is without fail (OSS vs Closed Source). The number of OSS users who think their software is perfect is exponentially smaller than the number of MS users who think *most* OSS guys ride a high horse. The whole reason I ask for examples from my ping list is because they can't be found, but on every OSS thread like this there are a half dozen people telling us they see it all the time... well, where? Certainly not on FR!

I would like to point out that on a thread about a misstep in OSS that *I* posted I was told that to post a similar thread about MS implies Linux perfection? Please think about how stupid that statement is. Why on God's earth would you have to read through my history when you're posting on a thread I started about bugs in Firefox *HELLO*! When MS users who are not here to troll (and I can name two big trolls right now who were absent most of this thread) lash out about the claims of OSS perfection by its worshipers they are betraying one simple fact: they're insecure enough in their OS to read that into whatever is said.

Whenever I see such posts ("but but someone told me Linux was perfect") I will continue to ask who and where, because it's an a** stupid and untrue statement..

95 posted on 07/27/2005 8:21:29 AM PDT by N3WBI3 (If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
[ Post Reply | Private Reply | To 73 | View Replies]

To: Bush2000
You just don't seem to be able to grasp this concept: When you constantly criticize the quality of IE or Windows -- and then downplay Linux or FireFox or other OSS flaws -- you're essentially making an implicit declaration that OSS offers fundamentally better quality.

Hey spunky.. I started this thread about bad coding in FF, I also started other threads about problems with OSS products and criticized them about things like the out of the box settings they employ. At the same time I have said multiple times how nice 2000 is, how nice 2k3 is, how nice Excel is, and how Exchange is the best groupware out there. So please stop playing the crying little victim here; nobody here exclusively persecutes MS and praises all code released in OSS... It's all in your head (and rather lonely there I imagine)..

You are far quicker to give MS a pass than an OSS project for small bugs so if the Linux bots above fit into the Software bigot category so do you..

96 posted on 07/27/2005 8:26:45 AM PDT by N3WBI3 (If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
[ Post Reply | Private Reply | To 77 | View Replies]

To: for-q-clinton
however, I think it is flawed as Linux has many security bugs (they just aren't as widely reported or they are downplayed).

They are also patched much faster than bugs in MS!

Also you're discounting the fact that more people are hacking MS because it has the largest user base.

That's not discounted, it's just not given the 100% weight that some OSS bashers would like it to have. If you wanted to bring down the entire internet just bring down a few key BSD servers! That's it.. As for Linux I think bringing down Amazon.com would get some notoriety.

Based on install base Linux has many times more bugs than windows.

Which distro? And what's installed with it? The problem is a 'linux install' includes webserver, mail server, ftp server, dns server, web proxy server, smb file server, nis server, ldap server, office, graphics package, code versioning software, .....

97 posted on 07/27/2005 8:34:24 AM PDT by N3WBI3 (If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
[ Post Reply | Private Reply | To 84 | View Replies]

To: for-q-clinton
Why is it you group together all versions of Linux in your "for its install base linux has 2* the security issues" but here you want to break it apart?
98 posted on 07/27/2005 8:35:58 AM PDT by N3WBI3 (If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
[ Post Reply | Private Reply | To 85 | View Replies]

To: N3WBI3
Welcome back, N3WBI3!

And who the heck pi$$ed in your Wheaties this morning?  =)

99 posted on 07/27/2005 8:56:02 AM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)
[ Post Reply | Private Reply | To 95 | View Replies]

To: softwarecreator
I'm just sick of it, you can't have a damn conversation around here without people who are either insecure, clueless, or just plain trolls jumping in and telling what the OSS community says all the time. And they will be damned if you actually expect them to back it up with something substantial like a link to a post where someone actually said that.

The nerve I must have to expect someone to back up a statement like "but everyone tells me Firefox is perfect". It's such a sad black and white world when someone is so insecure that criticizing MS is the same as saying OSS is perfect..

If it's one or two posts who cares, but it's every dang thread I post so users of an OSS product can be aware there is something they might want to consider (in this case don't go to FF1.4, wait for 1.5 next week) that starts with the usual suspects (and not so usual) starting crap up, while doing so crying that people do it on the MS related threads (look at the log in your own eyes first, people!). It just makes me wish I had a big foam digital L.A.R.T. sometimes...

Then to top it off b2k, who I have asked not to mail me (because when he does it usually consists of some vulgarity), pm's me as if he has won some great battle because I proved I can keep my word... As if we needed any more proof that some people are here to troll, and the insecure ones that start with 'but everyone told me linux is perfect' do nothing but enrich the environment for them..

100 posted on 07/27/2005 9:15:00 AM PDT by N3WBI3 (If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
[ Post Reply | Private Reply | To 99 | View Replies]

