Firefox 3.0.9 released
| From: | Samuel Sidler <ss-AT-mozilla.com> | |
| To: | announce-AT-lists.mozilla.org | |
| Subject: | Firefox 3.0.9 available for download | |
| Date: | Wed, 22 Apr 2009 08:05:00 -0700 | |
| Message-ID: | <C772EF11-C218-44E0-B7C5-9B8EE4168AD9@mozilla.com> | |
| Cc: | "dev. planning" <dev-planning-AT-lists.mozilla.org> |
As part of Mozilla Corporation's ongoing security and stability update process, Firefox 3.0.9 is now available for Windows, Mac, and Linux for free download from http://getfirefox.com/. We strongly recommend that all Firefox users upgrade to this latest release. If you already have Firefox 3.0.x, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting "Check for Updates?" from the Help menu. For a list of changes and more information, please review the Firefox 3.0.9 release notes at: http://www.mozilla.com/firefox/3.0.9/releasenotes/ Please note: If you're still using Firefox 2.0.0.x, this version is no longer supported and contains known security vulnerabilities. Please upgrade to Firefox 3 by downloading Firefox 3.0.9 fromhttp://getfirefox.com/ . (follow-up: mozilla.dev.planning / dev-planning@lists.mozilla.org) _______________________________________________ announce mailing list announce@lists.mozilla.org https://lists.mozilla.org/listinfo/announce
Posted Apr 22, 2009 17:48 UTC (Wed)
by frlinux (guest, #27370)
[Link] (18 responses)
Posted Apr 22, 2009 17:51 UTC (Wed)
by sbergman27 (guest, #10767)
[Link] (17 responses)
Expect yet more piles, and piles, and piles, as long as you keep patting them on the back for silently including vulnerabilities and then publishing fixes for them publicly.
The FF devs get more accolades for fixing the piles of vulnerabilities than they would have if they had been more careful in the first place. And that's not good.
Posted Apr 22, 2009 19:33 UTC (Wed)
by elanthis (guest, #6227)
[Link] (11 responses)
Projects that large and with such frequent updates and feature additions is going to have bugs, no matter what your development practices are. Many of those bugs will have security implications. Fact of life.
Posted Apr 22, 2009 20:41 UTC (Wed)
by sbergman27 (guest, #10767)
[Link] (10 responses)
Irrelevant. Don't attack the messenger. It would be far more informative to compare its security record to that of other browsers.
Firefox had more vulnerabilities in 2008 than IE, Safari, and Opera *combined*.
http://news.cnet.com/8301-1009_3-10190206-83.html?tag=new...
Oh, yes, they issued fixes. But that only supports my original point. They have no incentive to reduce the vulnerabilities released because they receive lavish praise for each vulnerability for which they issue an after the fact patch. (More vulnerabilities than all the other major browsers combined", remember.)
It will be interesting to see how the upcoming FOSS browsers based on the clean code base of WebKit compare against FF and others based on the ponderous, creaky, and apparently not particularly secure old Gecko code base.
Posted Apr 22, 2009 21:00 UTC (Wed)
by pr1268 (guest, #24648)
[Link] (5 responses)
Firefox had more vulnerabilities in 2008 than IE, Safari, and Opera *combined*. Likely due to the open-source nature of Firefox. I can't imagine how many vulnerabilities are lurking in the proprietary browsers that the software vendors just don't want anyone to know about. Or, perhaps the vendors don't even know of the existence of said vulnerabilities. (An Eric S. Raymond quote comes to mind here.)
Posted Apr 22, 2009 22:48 UTC (Wed)
by sbergman27 (guest, #10767)
[Link] (4 responses)
How soon we forget. Remember when Mike Zalewski demonstrated that the Firefox devs weren't bothering to do basic input validation on html, and that Firefox could be trivially crashed (with buffer overflows) in seconds using just an automated script that generated random, broken, html. That incident alone blows Eric's theory right out of the water. Why, in the six years preceding, did *none* of the supposed "many eyeballs", which you are invoking to support your argument today, notice this gross violation of basic security practice which permeated the entire Firefox code base? It took *years* for the FF guys to work through the resulting family of security bugs in their bugzilla.
To make matters even more embarrassing, IE could withstand hours and hours of anything Michael's script could throw at it. Microsoft obviously already had an internal program in place for testing for such vulnerabilities.
Posted Apr 23, 2009 2:36 UTC (Thu)
by jeleinweber (subscriber, #8326)
[Link]
Posted Apr 23, 2009 12:44 UTC (Thu)
by niner (subscriber, #26151)
[Link]
Posted Apr 24, 2009 0:55 UTC (Fri)
by pr1268 (guest, #24648)
[Link] (1 responses)
How soon we forget. Remember when Mike Zalewski demonstrated that the Firefox devs weren't bothering to do basic input validation on html Wow, this is a sobering revelation of the quality of code (or lack thereof) in Firefox. But, my earlier post wasn't meant merely to defend Firefox, but rather the open-source nature of its development and the (assumed) security benefits proposed by Eric Raymond. But, I agree with the tone of your post in that this level of coding sloppiness is unacceptable. If not only for the security and reliability of the running program, then for the perceived FUD that the proprietary software companies could theoretically use against open-source development in general.
Posted Apr 24, 2009 3:50 UTC (Fri)
by jordanb (guest, #45668)
[Link]
Open Source *can* be a source of greater assurances about system security due to greater access for legitimate auditors but the assumption that there are many people looking isn't always valid. Plus, crap code can be produced large quantities in either side of this industry. I've seen nothing about the Mozilla Corporation or Firefox that suggests that it's anything other than a code-churning organization and a horribly written product.
"Open Source" isn't magic pixie dust that turns offal into prime cuts.
Posted Apr 22, 2009 23:26 UTC (Wed)
by nix (subscriber, #2304)
[Link] (2 responses)
Posted Apr 23, 2009 0:30 UTC (Thu)
by sbergman27 (guest, #10767)
[Link] (1 responses)
Anyway, I doubt that any browser of any sort has a stream of vulnerabilities as voluminous as that of Firefox. And yet the FF Faithful go on denying the issue. Amazing, really.
Posted Apr 23, 2009 11:05 UTC (Thu)
by BlueLightning (subscriber, #38978)
[Link]
Posted Apr 23, 2009 2:44 UTC (Thu)
by roc (subscriber, #30627)
[Link]
Posted Apr 22, 2009 21:42 UTC (Wed)
by alankila (guest, #47141)
[Link] (1 responses)
This makes it sound like adding vulnerabilities was a deliberate, conscious choice. I don't think this is reasonable position to take.
Posted Apr 22, 2009 23:31 UTC (Wed)
by sbergman27 (guest, #10767)
[Link]
Conscious choice as in "let's put in this and that vulnerability and then patch it later"? Probably not. Conscious choice as in "let's give priority to 'cool features', not worry that much about security, and then patch security problems as they are reported"? Far more likely. The way users applaud whenever the FF devs patch a hole, where is the incentive for them to do any better? I don't see any.
Posted Apr 23, 2009 22:12 UTC (Thu)
by gerv (guest, #3376)
[Link] (2 responses)
Perhaps you'd care to outline the concrete development practice changes which would constitute "being more careful"?
There are three things you need to consider for a meaningful security metric - severity, exposure window and complete disclosure. Without all of those, you can't make a meaningful comparison of risk.
The exposure window for most Firefox security problems is 0 days - because we find them internally or they are reported to us by white hats. The "complete disclosure" part means that we don't just fix such bugs silently, as other vendors do, but issue advisories about them. This is one reason bug-counting methodologies of security comparison just won't fly.
Gerv
Posted Apr 23, 2009 22:35 UTC (Thu)
by sbergman27 (guest, #10767)
[Link] (1 responses)
So how do you explain the fact that Konqueror's security record is so much better than Firefox's? You think they are concealing security problems?
Posted Apr 24, 2009 11:44 UTC (Fri)
by roc (subscriber, #30627)
[Link]
Do criminal gangs and security researchers spend a lot of time and energy trying to find security vulnerabilities in KHTML? They do for Firefox.
Firefox 3.0.9 released
Firefox 3.0.9 released
Firefox 3.0.9 released
Firefox 3.0.9 released
I would love to see your work on a project that massive without any security vulnerabilities.
"""
Firefox 3.0.9 released
Firefox 3.0.9 released
Or, perhaps the vendors don't even know of the existence of said vulnerabilities. (An Eric S. Raymond quote comes to mind here.)
"""
If you don't remember all this, just google for "zalewski mangle". And prepare for some very uncomfortable reading.
withstanding random input
Firefox 3.0.9 released
IE. Well, they had to learn, too.
Firefox 3.0.9 released
Firefox 3.0.9 released
Firefox 3.0.9 released
fewer than FF.)
Firefox 3.0.9 released
Firefox 3.0.9 released
Firefox 3.0.9 released
Firefox 3.0.9 released
Firefox 3.0.9 released
This makes it sound like adding vulnerabilities was a deliberate, conscious choice. I don't think this is reasonable position to take.
"""
Firefox 3.0.9 released
Firefox 3.0.9 released
The "complete disclosure" part means that we don't just fix such bugs silently, as other vendors do, but issue advisories about them. This is one reason bug-counting methodologies of security comparison just won't fly.
"""
Firefox 3.0.9 released