digg

Join DiggAbout

Donkeys and Elephants and Delegates,oh my!
Check out the most popular Elections 2008 content on Digg.

Security Flaws Discovered in Firefox 3.0

news.softpedia.com — Vulnerabilities could affect over 14 million computers.

Bury
show profanity settings
expand all
  • maing, on 06/22/2008, -39/+6I'm in!
  • jaobedoza, on 06/22/2008, -52/+12that's why i didn't install right away. there are always bugs!
    • ccheath, on 06/22/2008, -3/+12you're still vulnerable see my quote from the mozilla security blog below
    • yojiffyskippy, on 06/23/2008, -9/+5Bug is an understatement. I've used Firefox forever and never had a problem. I installed V3 and it crashed twice in the first day. On day #2 it wouldn't even launch. Instead, it went straight to the "Firefox had to close" dialog. I went back to V2.
      • ventralnet, on 06/23/2008, -1/+12strange... v2 gave me a lot of crashes but 3 is solid. Did you enable add-ons that it said weren't compatible with v3?
        • chanop, on 06/23/2008, -0/+11ventralnet makes a good point. I had an addon that wouldn't work with firefox 3.0, and ff3 was crashing a lot and acting strange first couple of days until I completely uninstalled all addons that were unavailable for ff3. Works like a beast now
      • Xiata, on 06/23/2008, -2/+6Backup your bookmarks, delete your profile from application data, and recreate your profile.

        Did you really expect your v2 profile to work 100% with v3? Unless you have a plain extension-less install that's a pretty silly to assume they built a flawless migration script for 3.0.0.
        • reformation, on 06/23/2008, -0/+2No its not - mine works perfectly and I expected it to.
        • timsline, on 06/23/2008, -1/+3Yes, I expect my profile to work 100% between versions. Why wouldn't it?
        • GeeNeeYes, on 06/23/2008, -0/+0i expect it to work without any excuse
    • MarkBroadhurst, on 06/23/2008, -1/+4There are always bugs because nothing is 100% secure.
    • GeeNeeYes, on 06/23/2008, -0/+0true
  • ccheath, on 06/22/2008, -6/+146"TippingPoint ZDI notified Mozilla of a vulnerability in Firefox that impacts versions 2.x and 3.0. This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the current risk to users is minimal."
    • frontporsche, on 06/23/2008, -0/+87It's suspicious that they notified Mozilla 5 hours after release, when TippingPoint had had access to the beta version of Firefox 3 for months.
      • frontporsche, on 06/23/2008, -1/+53I see one possible reason: ZDI pays the researcher based on how widely the product is distributed, thus encouraging researchers to wait before reporting problems. http://www.zerodayinitiative.com/about/benefits/
        • 1legend, on 06/23/2008, -2/+7Makes perfect sense.
        • specialK16, on 06/23/2008, -9/+1benefits criteria desc

          benefits criteria q1

          benefits criteria q2

          benefits criteria q3

          benefits criteria q4

          benefits criteria q5


          benefits sign up


          This is like the 10th site that is not working with Opera 9,5 for me.

          ***** THING SUCKS
      • Rikkochet, on 06/23/2008, -1/+7The bug also exists in Firefox 2 according to the article.
        • Sil369, on 06/23/2008, -1/+4OMGZ WE'RE DOOMED - DOOMED I SAY!!!11one
      • yeskia, on 06/23/2008, -6/+1It is also possible they waited to see that if the bug would continue to exist in the shipped version of FF3.
      • chris9902, on 06/23/2008, -5/+1you answered your own question. They had a BETA.
      • DeviateSeptum, on 06/23/2008, -0/+3I guess they knew that right after the FF3 release would gain them the most publicity.
    • questionable, on 06/23/2008, -3/+26Responsible disclosure is always preferred over full disclosure.

      Of course, if Mozilla doesn't fix the flaw in a timely fashion, then they should release it to the public to cause people to apply pressure to Mozilla.
      • ufia, on 06/23/2008, -24/+4Ever reported a bug to Mozilla? Chances are it just gets ignored, unless a catastrophe happens and 12 million users are affected. Especially now that the developers are too busy turning Firefox 3 into a MSIE look-alike piece of *****. Seems like I'm gonna have to stick with Firefox 2 until Firefox 4 comes out and then see if they got a clue.
        • ChzPlz, on 06/23/2008, -2/+4"TippingPoint ZDI notified Mozilla of a vulnerability in Firefox that impacts versions 2.x and 3.0."

          Guess you better go back to Firefox 1.x. Have fun.
        • elipabst, on 06/23/2008, -0/+9They have one of the fastest turn around times for releasing patches of all the major vendors. You really think Microsoft or Apple are better?

          Also, FF2 is vulnerable to this as well according to the article and Secunia.
        • PopcornDave, on 06/23/2008, -0/+8Maybe you'd best stick with lynx so you won't have any problems.
      • Hunkadoodle, on 06/23/2008, -4/+15"Of course, if Mozilla doesn't fix the flaw in a timely fashion, then they should release it to the public to cause people to apply pressure to Mozilla."

        Sounds like extortion to me.
        • AlekseiVasiliev, on 06/23/2008, -0/+4Extorting a patch out of them, yes. It's not like they are demanding money.
        • xino, on 06/23/2008, -0/+1It sounds more like they want it to get fixed before it becomes a big problem.
        • Kral, on 06/23/2008, -0/+1If you find a security bug, there's a chance someone else has found that same bug. Allowing the vendor to sit on it just lengthens the window for it to be exploited by the bad guys. If they're not going to fix it in a reasonable amount of time, you should tell everyone so they can take steps to protect themselves.
    • ebrandsberg, on 06/23/2008, -0/+22This isn't an issue that came with version 3--it was present in 2.x as well. As such, pretty much all firefox revs are impacted, not just the 14M that have been downloaded since 3.0 was released. It is suspicious that this came up right after 3.0 was released though--someone was fishing for publicity on this.
    • silfiriel, on 06/23/2008, -3/+2why the ***** is this on the front page?
      have you people heard about software updates?
      but the article and who ever wrote it, are guiltless, it's the diggers that should pay more attention what they are digging and burying...
  • toe_head2001, on 06/23/2008, -33/+306And how many computers are affected by flaws in IE?
    • vsujohn2, on 06/23/2008, -19/+9Only computers with IE as the main browser.
    • Melodik, on 06/23/2008, -9/+45Computers affected because they use IE are more affected because of inane user stupidity than anything else.

      LET THE BROWSER WARS COMMENCE.
      • MavRevMatt, on 06/23/2008, -4/+45Begun the browser wars has.
      • pHreaksYcle, on 06/23/2008, -2/+12LET THE BROWSER WARS COMMENCE.

        Unless commence now means "continue", you're wrong...

        Browser war has been happening since Netscape etc...
      • urbano35, on 06/23/2008, -0/+1Because of course every computer owner on the planet knows exactly which sites are harmful. >_>
    • Ronsardinho, on 06/23/2008, -5/+19Why do you feel the need to make this an IE vs. Firefox issue? The point of the article is not to bash Firefox and promote IE; it's simply to report a flaw in Firefox 3.0.

      I've used Firefox 3 since its beta version and I love it. However, I appreciate being informed of flaws so I can protect myself accordingly.
      • AnotherJewboy, on 06/23/2008, -1/+1IE being the incumbent and monopolist(maybe not perfect but a monopoly nonetheless) means that any bashing of Firefox is a promotion for IE.
        • Pittance, on 06/23/2008, -0/+2Obviously not a monopoly is FF 3.0 had 8million downloads on its release day. The market is obviously welcome to newcomers, or at least to non-microsoft products.
      • bosssmiley, on 06/23/2008, -0/+4Get your filthy pragmatic common sense away! We don't want it here! ;-)
      • thunderforce, on 06/23/2008, -0/+1So far 0 flaws have been found in IE8... don't you think this is great news???
        Yes... I KNOW it hasn't been released... (or even started being developed)
        But it's still true.... IE8 has less flaws than Firefox 3 :D
    • fudged71, on 06/23/2008, -7/+1greater than 4000+5000
      :(
    • ssavoy, on 06/23/2008, -5/+21OVER 9000!!!!
    • estvir, on 06/23/2008, -6/+13And how many times are people going to pretend that flaws in other products (MacOS, anything Linux, Firefox, etc) can be solved by going "Hey, but Microsoft as problems too!"?
    • Muyoso, on 06/23/2008, -4/+8I dont know why anyone is digging him up. Comparing this to IE is completely invalid. The reason we are all using firefox is because of the deficiency of IE. Firefox was supposed to be better, and held to a higher standard.
      • skyroket, on 06/23/2008, -0/+1He's just shutting down the 3 IE fanbois - that are still somehow in existance - before they can post.
    • reformation, on 06/23/2008, -1/+7This story isn't about IE so who cares?
      • thanakar, on 06/23/2008, -0/+1But it is. People were encourage to switch to Firefox because it is more secure, but guess what, it has it's own share of flaws and has the browser gets broader use, you can be sure even more will be found.
    • thanakar, on 06/23/2008, -0/+3As more people start using Firefox more security flaws WILL be found. The only reason IE is targetted so much is because it is in much wider use. Why waste time with Firefox when you can target more users on IE? There is no such thing as a secure software package, period.
    • megamod, on 06/23/2008, -0/+1Is it ironic that I opened this link using firefox 3.0? What if it was a trap, a link to the virus itself if you may?

      *Insert Star Wars it's a trap macro here*
    • mwalker05, on 06/23/2008, -0/+1probably less than are at risk under the windows safari that apple snuck on everybody's computer and still hasn't patched known security issues in months.
    • jabberwolf, on 06/23/2008, -0/+1ACTUALLY. so scrutinized is EI, its the safest browswer out there!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  • fudged71, on 06/23/2008, -41/+249RE:RE:RE:RE:RE:RE: Hotmail Users Caution. URGENT

    Hotmail is getting sold by microsoft to a group of hackers in zimbabwe! Digg this message up, and shout to all of your friends.
    If you send to 40 friends in the next month, come back and your thumbs up icon will turn BLUE.
    That's right, BLUE, *****. You know what that means? You will still have virus protection!
    I have a degree in both Software Virology, and in Human Psychology. THIS IS REAL.


    let's just say, I fear more for all the stay-at-home mothers, grandmmothers, and children, and their Internet surfing habits. These security holes are great to inform the public about, but with the open source updates that Mozilla has, I'm sure they will find a way to patch this up pretty quick.
    Viva la Fox

    • vsujohn2, on 06/23/2008, -12/+43What the *****?
      • pHreaksYcle, on 06/23/2008, -1/+31:P If you don't get it, you haven't been on teh_internetz in a while. :P
        • elipabst, on 06/23/2008, -0/+23Shhh, he still thinks I'm a royal heir to the throne of Nigeria!
        • pHreaksYcle, on 06/24/2008, -0/+1In collaboration with the immature young people on Digg:

          LOLCATZ LOL CHICKEN ROFLCOPTER
      • fudged71, on 06/23/2008, -0/+6I know, it wasn't exactly a typical digg comment, eh?
    • ryanlerch, on 06/23/2008, -16/+5how do you mark a comment as spam?
      • thecheatah, on 06/23/2008, -0/+7I think it was a joke. Come on guys!

        Get it? "Spam"? Double meaning?
    • DeathGod321, on 06/23/2008, -4/+29re:RE:RE:RE:RE:RE:RE: Hotmail Users Caution. URGENT

      Hey fudged71,
      I got your message and I am SHOCKED!
      More importantly, I'm after that blue thumbs up icon.
      :)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
      I guess this counts as one! 39 more to go.....

      -With Love,
      Bridge Master Bertha

      >Hotmail is getting sold by microsoft to a group of hackers in zimbabwe!
      >Digg this message up, and shout to all of your friends.
      >If you send to 40 friends in the next month, come back and your thumbs up icon will turn BLUE.
      >That's right, BLUE, *****. You know what that means? You will still have virus protection!
      >I have a degree in both Software Virology, and in Human Psychology. THIS IS REAL.


      >let's just say, I fear more for all the stay-at-home mothers, grandmmothers, and children,
      >and their Internet surfing habits. These security holes are great to inform the public about,
      >but with the open source updates that Mozilla has, I'm sure they will find a way
      >to patch this up pretty quick.
      >Viva la Fox
      • fudged71, on 06/23/2008, -0/+16RE:re:RE:RE:RE:RE:RE:RE: Hotmail Users Caution. URGENT

        Thanks DeathGod321,
        I don't actually know what this is... I just sent it along because it said so! XD
        (¯`v´¯)
        `*.¸.*´
        ¸.•´¸.•*¨) ¸.•*¨)
        (¸.•´ (¸.•´ .•´ ¸¸.•¨¯`•
        _____****__________**** ______
        ___***____***____***__ *** ____
        __***________****________***____
        _***__________**__________***__
        _***____HEART_FULL_OF______***_
        _***________LOVE__________***_
        __***____________________***___
        ___***__________________***____
        ____***_______________***_____
        ______***___________***_______
        ________***_______***_________
        __________***___***___________
        ____________*****_____________
        _____________***_____________
        ______________*_____________

        >Hey fudged71,
        >I got your message and I am SHOCKED!
        >More importantly, I'm after that blue thumbs up icon.
        >:)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
        >I guess this counts as one! 39 more to go.....

        >-With Love,
        >Bridge Master Bertha

        >>Hotmail is getting sold by microsoft to a group of hackers in zimbabwe!
        >>Digg this message up, and shout to all of your friends.
        >>If you send to 40 friends in the next month, come back and your thumbs up icon will turn BLUE.
        >>That's right, BLUE, *****. You know what that means? You will still have virus protection!
        >>I have a degree in both Software Virology, and in Human Psychology. THIS IS REAL.


        >>let's just say, I fear more for all the stay-at-home mothers, grandmmothers, and children,
        >>and their Internet surfing habits. These security holes are great to inform the public about,
        >>but with the open source updates that Mozilla has, I'm sure they will find a way
        >>to patch this up pretty quick.
        >Viva la Fox
        • LeviTheSmith, on 06/23/2008, -2/+3Best thread ever. I've also put money into this Nigerian ladies bank account so she can afford a lawyer to sue all them extremists.
        • digitalpencil, on 06/23/2008, -0/+2^^ epic. it's moments like this i wish i had a thumbs up x2 button.
      • DeathGod321, on 06/23/2008, -0/+20Just a followup:
        http://img131.imageshack.us/img131/8933/67025950ff ...
        It worked, bitches.
    • chanop, on 06/23/2008, -0/+34Is there someplace I can wire money to stop this hotmail problem?
    • joshualamgroup, on 06/23/2008, -4/+3damn, i'm not affected. i use gmail :)
    • ssavoy, on 06/23/2008, -1/+5When can I expect my check for $100 from Bill Gates?
      • fudged71, on 06/23/2008, -1/+4I laughed for days at that email. Sent by a college friend. ridiculous
        • containimated, on 06/23/2008, -0/+2I forwarded it to Maynard James Keenan.
  • mrblue182, on 06/23/2008, -8/+151"A vulnerability in Firefox that impacts versions 2.x and 3.0"

    It's not new.
    • Roller7, on 06/23/2008, -10/+2It's only 2.0.x and 3.0
      • zwaldowski, on 06/23/2008, -4/+8How is that different? 2.0.x is all versions on the 2.0 branch, and 3.0 is the only one.

        dumb-ass /ˈdʌmˌæs/ [duhm-as] –noun Slang: Vulgar. A thoroughly stupid person; blockhead. Also, dumbass. Origin: 1970–75; Americanism
    • specialK16, on 06/23/2008, -0/+2Maybe they just found it.
    • jamespw, on 06/23/2008, -0/+3Every software has flaws. There is no perfect software in the world.
      • aoe2bug, on 06/23/2008, -0/+3hello world?
        • Puttzy, on 06/23/2008, -0/+2Not perfect. Since you used punctuation you implied a sentence structure. Yet it did not start with a capital. Rewrite, and re-release version 1.0.1 and we'll see.
      • KungFuJesus, on 06/23/2008, -1/+2OpenBSD?
      • narehart, on 06/24/2008, -0/+0chrono trigger
    • midriscoll09, on 06/23/2008, -4/+1Immediately after i downloaded FF3, my e-mail was phished and someone posted on about 100 of my facebook friends' walls advertising a way to "smoke super potent, legal buds" :/
    • dukeochutney, on 06/23/2008, -0/+1non-alarmist article - http://www.theregister.co.uk/2008/06/19/firefox3_b ... from a few days ago.
  • mexicanpower, on 06/23/2008, -51/+7Firefox 3 ended up a huge disappointedment in my opinion, I'm not surprised. I don't use any of the new features so it was a pointless upgrade to me.
    • MozzieTS, on 06/23/2008, -22/+3why is this being buried. It's true
    • boydrew, on 06/23/2008, -3/+47yeah...i hate program upgrades that take less memory to run and that are more stable and reliable....what a waste of my time...
      • yojiffyskippy, on 06/23/2008, -6/+2More stable? Really. I never had a crash in FF2 and FF3 crashed twice on the first day I was using it. After another day it launched straight to the "Firefox had to close" dialog box. I had to go back to FF2. Not a big deal. FF2 is fine as long as I close it (actually kill it) occasionally and restart it.
    • haxcorner, on 06/23/2008, -3/+6I didn't really notice anything new other than the funky address bar... It starts a whole lot faster for me than FF 2 and it uses exorbitantly less memory. FF3 is using 130k right now and FF 2 used around 250k on average, though it wasn't uncommon to hit 500k before I had to kill the process and restart it.

      That being said - if Opera had the add-ins that I use on a daily basis, I'd probably use that more often than Firefox.
      • PopcornDave, on 06/23/2008, -3/+1Yeah, that address bar is a pain in the ass as it stands. I hope somebody patches that quickly.

        That said, I've found FF3 to be hands down more stable than FF2. I read web comics daily and I'm opening 68-70 tabs at once. FF2 used to have problems handling that, but FF3 hasn't so far.

        As far as crashing on me, I think it's crashed once on XP SP2 but not yet on Vista.
      • solistus, on 06/23/2008, -0/+2I'm gonna guess you mean MB and not k. If you can get firefox to run on 130 kilobytes of RAM, I'm sure everyone would love to know how ;)
        • haxcorner, on 06/23/2008, -0/+1Yea... I was a bit tired. MB is correct.
    • Melodik, on 06/23/2008, -1/+1Ba-zing!
  • RBrenner14, on 06/23/2008, -39/+8I use Internet Explorer 7.
    • wayyy, on 06/23/2008, -6/+12You also fail.
    • mexicanpower, on 06/23/2008, -14/+1Same, I ended up going back to IE7 after being massively disappointed with Firefox 3. It's basically Firefox 2, but Mozilla took the "2" and replaced it with a "3".
      • Ajajadude, on 06/23/2008, -0/+9You're amazingly ignorant of what the new version updated. Sorry if you expect changes that revolutionize web browsing with every update.
      • manitoba98xp, on 06/23/2008, -1/+5It's not an earthshaking change, but it's not nothing. The Awesome bar, identity improvements, memory fixes, new UI, etc. all warrant a new version.

        But if you still prefer IE7, I can't blame you. There are many excellent options nowadays (although I do, of course, prefer Firefox myself).
      • solistus, on 06/23/2008, -0/+1Wait, so you're saying the new (free, open source) update to your browser seemed exactly the same as the one you were already using, and this caused you to switch to a different one?

        *ERROR, ERROR, DOES NOT COMPUTE* (head explodes)
        • skyroket, on 06/23/2008, -0/+1He said he went BACK TO IE7. I'm assuming his knowledge of FF2 was from previous testing during his IE6 days, and not that he used it as his primary browser.
        • solistus, on 06/24/2008, -0/+1He doesn't actually specify what he used before the current gen of browsers. I was assuming he used to use FF2 at some point, otherwise it would be incredibly arrogant on his part to assert that there's nothing new about FF3 when he didn't even use its predecessor. Maybe I gave him too much credit?
    • bduddy, on 06/23/2008, -13/+4OK... people... I get disagreeing, but digging someone down just because they use a different browser than you? That's just stupid.,
      • prophetpimp, on 06/23/2008, -2/+3using a different browser is ok but using IE is being retarded.
    • drgmdp, on 06/23/2008, -1/+3congrats. diversity is a fun thing.
    • fudged71, on 06/23/2008, -0/+1hey, bud... whatever floats your boat.
      as long as you don't complain if/when you get that life-altering virus/adware/spyware
      • solistus, on 06/23/2008, -0/+1I'm all for bashing IE, but life-altering? Unless you have some very important documents on your computer or something, if getting a virus (let alone friggin' adware) is life-altering, you need serious help.
    • splorpdotorg, on 06/23/2008, -0/+4On purpose?
  • jnava121, on 06/23/2008, -18/+5what a security flaw? no thats never happened with microsoft or apple !!!!! noooooooOOOOOOOOO!!!!!

    • yojiffyskippy, on 06/23/2008, -2/+3Too bad they let Microsoft set the standard. Companies should strive to be better than Microsoft and not strive to be just as bad as Microsoft. Likewise, users should demand/expect better than Microsoft and not settle for "just as good as Microsoft".
      • PopcornDave, on 06/23/2008, -0/+1The fact that they're looking in to it and we won't have to (probably) wait for patch Tuesday makes them better than MS I'd say.
  • zxcasd, on 06/23/2008, -24/+8i use Opera...... and FF3........
    prefer Opera and Opera portable(www.kejut.com/operaportable)........ though i have to use FF sometimes

    //me prepares to be dugg down by FF fanboys
    • ninxmz, on 06/23/2008, -0/+3That's one ***** up URL.
    • Hunkadoodle, on 06/23/2008, -0/+4Well, you'll probaby be dugg down because your comment doesn't have anything to do with the article.

      As far as Opera goes, I do tend to root for the underdog. And I've heard good things...
  • vacax, on 06/23/2008, -28/+11I use Opera.
  • jnava121, on 06/23/2008, -3/+22any system open to the world wide web is vulnerable.... hmmm.... there is always a way in , if there is a way out... ????
  • fLUx1337, on 06/23/2008, -4/+52The problem with this, is the people who find the flaws deliberately wait until its gone gold to release the information. I guess its for more publicity - no story with this title would have got onto the front page while FF3 was in beta!
    • poprocksandsoda, on 06/23/2008, -19/+4No the problem is the Mozilla org racing half-baked insecure software to the market when there's clearly no real market-driver to gettign a 3.0 browser on the market. They should sit back and let this it roll in beta form a little longer.
      • frontporsche, on 06/23/2008, -1/+7It's been in beta for quite a while. How much longer would you suggest?
        • poprocksandsoda, on 06/23/2008, -6/+9Well since I know this ... the first beta of FF3 hit on Nov 19, 2007 ... the final release of course being June 17, 2008. That's only 8 months.

          IE 7 on the other hand first went beta on July 27, 2005 and the final release came October 18, 2006. That would be 15 months ... which is nearly twice as long.

          Mod me down, but at least I'm basing my opinion on facts and not a glee for open source.
        • elipabst, on 06/23/2008, -1/+7Well look how long they spent "beta testing" Vista and that didn't work out too well did it?
        • breser, on 06/23/2008, -1/+7And you'd think that the 6 years that Microsoft had between XP and Vista that they could make a good OS without bugs and all sorts of issues. I suppose Microsoft should have kept Vista in beta for a little longer. You think 7 more months would have done it?

          Seriously, there's no way of knowing if 7 more months would have exposed the issue we don't even know what the issue is.
        • poprocksandsoda, on 06/23/2008, -0/+1What does any of your comments have to do with the IE team?
        • solistus, on 06/23/2008, -1/+1Yeah, and they sure did a bangup job with IE7, huh? I'm guessing you aren't aware of the fact that they just found *another* critical security exploit (critical being Microsoft's designation, not my own embellishment) in IE7 and released the patch just a couple weeks ago. http://www.crn.com/security/208403195

          Apparently there's more to good software development than the number of months in beta! *gasp* There's also more to judge a browser on than exploits, and if you get into standards compliance... Let's just say it is absurd and embarrassing that, while the IE team once again promised that "compliance mode" would actually be compliant now, it's still nowhere close. They fixed about half the IE6 CSS/XML bugs, but introduced almost as many new ones. And they STILL insist on using non-standard Javascript. JScript is just close enough that many devs don't even know it's technically its own scripting language, but just different enough to cause complex projects to break in horribly hard-to-track-down ways. I'm a web developer, so I'm a little extra bitter when it comes to IE.

          Then again, if MS ever got its act together, the amount of work to be done in my field would drop dramatically overnight. I guess I should thank MS for ensuring my job security.
      • solistus, on 06/23/2008, -0/+21. Market driver? WTF are you talking about? Firefox is free and open source. Its upgrades have very little to do with market pressures.

        2. Rushing out half-baked insecure software? First of all, if you read the ***** article you would know this bug exists in FF 2.X as well, so this is not the result of them 'rushing' anything. Second, FF3 was in beta for ages. You have no idea what you are talking about. Third, a single exploit requiring user interaction is hardly shocking. You do not even want to know how many exploits at least as serious as this one exist for IE. The difference is that this one isn't even known to the public and the devs will probably have it patched before it is, whereas IE exploits fester for months, sometimes years before getting fixed.

        In short, you should RTFA and/or get a clue about browsers before bashing the Mozilla team for their fine work.
        • poprocksandsoda, on 06/23/2008, -1/+1Firefox earns the Mozilla org nearly 100 million dollars a year in click-thru revenue. Are you oblivious to reality?

          http://www.calacanis.com/2006/03/06/firefox-mozill ...

          Ah to be so naive about the world ...
        • solistus, on 06/24/2008, -1/+1ROFL, you should read your own source better. At the very top, in bold print, the author admits that this is 100% hearsay and he has no idea if it's actually true. But even more damning to your attempt at snark is where he explains that all the profits of the technically for-profit Mozilla Corporation go straight to the not-for-profit Mozilla Foundation.

          My point stands. FF3 was not released for market reasons. Even if your example was true as you meant it, and Mozilla was releasing Firefox to make money, what ***** "market drivers" could you possibly have meant in your original post? If their profit model is based entirely off Google Ads, I can't imagine what market forces would make a difference. They could release FF4 in a couple months and still get millions of hits. At any rate, this is irrelevant because of the two damning facts you neglected to mention that came from your own source. You also completely ignored the bulk of my post, so I guess you're admitting that you're an idiot for your "rushing out half-baked insecure software" claim.
        • poprocksandsoda, on 06/25/2008, -0/+1Love how you think using the word ***** somehow makes your response intelligent. Let's get this straight ... they reported 60 million on search revenue in 2005 ... so what's your counter?
        • solistus, on 06/26/2008, -0/+1My counter? Did you even read my post or just decide to critique my language? The profits go straight to a non-profit. Since you obviously didn't read or comprehend my comments about YOUR SOURCE, I will copy-paste some of YOUR SOURCE for you. This time, read it before pretending it supports your theory:

          "From what I've read all the profits from the for profit Mozilla flow into the non-profit Mozilla foundation. No idea why they had to create this type of structure but I heard an interview with Mitchell Baker who explained that there is nothing nefarious going on. She says all the IP is still owned by Mozilla Foundation and no one can ever make money off of Mozilla.com(I wonder if the folks who work at Mozilla.com get stock options, or if the company would ever go public?). Frankly, there are so many great people working at/associated with Mozilla so I'm sure it's all good."

          You also didn't respond to the big chunk of my post (you know, the one that used the naughty word... lol), in which I pointed out that it has absolutely no bearing on what I was saying whether or not FF is released for profit. My claim that you accused me of being naive with your ***** source for was that, as a free and open-source product, there are no market drivers that would be relevant.

          Your latest post ***** PROVES this (yeah, I said '*****' again, and no, I don't think it makes my response intelligent... I think all the logical arguments you have failed utterly to refute make my responses intelligent). You just cited reported revenue from 2005, a year in which THERE WAS NO NEW X.0 FIREFOX RELEASE, only incremental updates to 1.X! This is exactly what I mean when I say that market drivers would still have nothing to do with their revenue model, which is not based on selling a product or service and is purely a function of clickthrough rates. They made almost as much in 2005, with no new releases for Firefox, as the admittedly entirely hearsay number your source was throwing around.

          So, since you seem to be too lazy to read and respond to arguments in those complicated 'paragraph' things, I'll give you an ordered list of all the reasons you're wrong that you haven't responded to yet:

          1. Firefox is not distributed for profit. All the profits of the Mozilla Corp go straight to the Mozilla Org, which is a non-profit that releases free software. This is devastating, game over kind of material here.

          2. Even if it is for profit, meaning the source you presented us is wrong, there are still no relevant market drivers. My post, which you blasted for being 'naive' and 'refuted' with your terrible source that undermines your own argument, never claimed no money was changing hands, only that FF itself is free and, as my OP said, "its releases have little to do with market pressures." This is evidenced by your revenue figure from '05, when they didn't release a new browser. Millions of users will visit their site for updates regularly whether they have a new 'major version release' or not, so even if they are for profit, their profitability has little to nothing to do with their release schedule. At any rate, there is certainly no market condition (save a sudden sharp tanking of Google Ad compensation rates, which has not happened) that would cause them not to want to make a major release

          3. All of this is really a sidenote. This discussion is about your post criticising FF for "racing half-baked software to the market." I have written multiple posts that you have ignored entirely explaining why this is a stupid comment. You can look elsewhere for my discussion of development times and bugs between different browsers for the example of IE, which has a much longer beta period typically than FF and a much worse track record.

          4. You may wanna sit down here. This was in TFA and my original response to you, but you still haven't noticed apparently: THIS BUG WAS IN FIREFOX 2 AS WELL! This undercuts the entire premise of your original claim. Firefox 2 has been out for 2 years now. Even if you were right about FF3 being rushed unwisely (you are not), your original point would still be completely wrong because this bug was NOT added during FF3 development.
  • duffblue, on 06/23/2008, -18/+9You have to be some kind of idiot to download something on launch and not expect problems.
    • kingdomdude, on 06/23/2008, -4/+214 million "idiots" say you can take a hike, fart sniffer.

      P.S. ... its also in FF2.
  • Melodik, on 06/23/2008, -3/+118I use a DOS-based web browser that renders everything in ASCII. I am the most secure!
  • leerayIG88, on 06/23/2008, -10/+4aaiieeeeee!
  • aqzman, on 06/23/2008, -8/+14Although I'm not a FireFox user and won't be affected by this; it's good this exploit was discovered early on, and discovered by "the good guys".

    Knowing the team at Mozilla, they'll have this hole patched by pretty swiftly.
    • WiZZLa, on 06/23/2008, -5/+6Yes, like the other unpatched holes in 2.0...

      http://secunia.com/product/12434/
      • solistus, on 06/23/2008, -1/+4Wow, thanks for showing me that aside from this flaw (submitted 6-19-08 to Secunia), there are only 3 reported and unpatched vulnerabilities in the whole browser! Of these, 2 are marked "not critical" (lowest possible threat level) and 1 is "less critical" (second lowest level). The MOST severe one is that a sophisticated phishing form could theoretically trick Password Manager into autofilling the username and password stored for another form hosted on the same domain. Sounds real severe. A possible mis-autofill... If a phishing page happens to be on the *same domain* as a trusted page you've stored login credentials to.

        Compare to IE, with 9 unpatched vulnerabilities ranging from not critical to moderately critical: http://secunia.com/product/12366/
    • pHreaksYcle, on 06/23/2008, -1/+2Couldn't have said it better myself.
    • thehemi, on 06/23/2008, -0/+4The flaw affects 2.0.x versions, too, so I'm not sure "early on" is an appropriate description. It just happens to coincide with the release of 3.0.
  • computerusr, on 06/23/2008, -31/+6Firefox=fail.
  • MattBot5000, on 06/23/2008, -20/+23Buried as obvious.. Any browser is going to have security flaws; FF3 is not perfect, nor does it claim to be.
    • HigherLogic, on 06/23/2008, -24/+8It doesn't help that the current tagline on their site states that "Firefox has security, speed and new features that will change the way you use the Web. Don’t settle for anything less." Ordered from most to least secure:

      Opera 9.x - 0% unpatched
      Firefox 2.x - 17% unpatched
      IE 6.x - 18% unpatched
      Safari 3.x - 20% unpatched
      IE 7.x - 32% unpatched
      Firefox 3.x - 100% unpatched

      Security? Speed? New features? You're right, why _would_ I settle for anything else...than Opera.
      • MattBot5000, on 06/23/2008, -2/+21Okay, so they found one security flaw and that makes FF3 the most unsecure browser? You're kidding, right?
      • clharlem149, on 06/23/2008, -1/+8wait, whose ass did you pull these numbers out of?
        • HigherLogic, on 06/24/2008, -0/+1Secunia. It's ok, I'd be upset too.
      • solistus, on 06/23/2008, -1/+2The % unpatched on Secunia is irrelevant. What matters is how many unpatched vulnerabilities there are, how severe they are and how quickly they are patched once found. FF3 has 4, and this new, not yet publicly known one is the only severe exploit. IE7 has 9, some of which are pretty severe, and that's after almost two years of regular security updates. FF3 had most of its exploits patched before it left beta.

        Opera has very few exploits reported on Secunia because it has a tiny user base and uses a unique codebase (meaning bugs are not likely to be cross-applicable between it and other browsers). Claiming Opera has no security holes is like claiming OSX has no security holes. Yes, I use OSX and yes, it is very secure, but every piece of software can be exploited somehow; it's just a question of what ingenious methods are thought up and tested. Many exploits are found by accident.
  • ZER0JACK, on 06/23/2008, -11/+2http://oshi.co.nr
    FAIL
    • pHr34kY, on 06/23/2008, -0/+8FF3 trapped that one pretty quick.

      YOU FAIL!
    • Synapse84, on 06/23/2008, -0/+7http://i32.tinypic.com/33wl3c7.jpg
      i'm sorry, was that site trying to do something? :P

      what it tries to do:
      <script>
      for (i=0;i<=1000000000000;i++){window.open("mailto:foobar","");window.open(window.location,"");};
      </script>
  • PHiZ187, on 06/23/2008, -13/+5Next headline: The power of open source fixes FireFox vulnerabilities in 10 minutes.
    • myranttoyou, on 06/23/2008, -2/+3OSS may detect defects quicker, but it doesn't make fixing them faster. I'd like to hear how that isn't the case. Like some schmuck on the internet will fix this before the Mozilla Foundation.

      IE defects get found right away, as there are more people hunting for them. Does that mean IE defects get fixed quicker?
    • Rocco03, on 06/23/2008, -1/+1"There are no new updates available. Firefox may check periodically for new updates."

      Still waiting.
    • sc0rpi0n, on 06/23/2008, -0/+1C'mon, don't talk like Mozilla points to where the flaw is. Without that information, how does the open source community fix it?
    • timsline, on 06/23/2008, -1/+110 minutes? I hope not. Any fix should be well tested before being released.
  • hoodedrobin, on 06/23/2008, -2/+50They did this to make MONEY...

    Mozilla team pays you if you find a zero day exploit... That is why they waited for the first day of FF3 to be released so they could make MONEY...

    Do some research, they have known about this exploit probably since ff2 being as this is related to both FF 3.x and 2.x
  • kansai22, on 06/23/2008, -12/+26Opera WTF
    • natenovs, on 06/23/2008, -1/+6you mean, FTW?
    • ParanoydAndroid, on 06/23/2008, -0/+12lexdysic much?
    • khsheehan, on 06/23/2008, -0/+0WTF? FTW or WTF?
    • Nosferaxx, on 06/23/2008, -0/+0Good stuff.
    • judgedeath2, on 06/23/2008, -3/+2Opera FTW indeed. Still uses about 10% less RAM than FF3, and has lots of cool features.... without needing to download plugins.

      Speed dial and mouse gestures FTW.
      • kwilliam, on 06/23/2008, -1/+2Opera for Linux is awesome. It takes a half-dozen extensions or more to replicate it's functionality in FF3. (Secure Login, All-In-One-Sidebar, Duplicate Tab, Fast Dial, FireGestures, InFormEnter, Smart Stop/Reload, Tab Scope, Tabs Open Relative, Undo Closed Tabs Button) Admittedly, All-In-One-Sidebar is superior to Opera's Sidebar, and Tab Scope is superior to Opera's thumbnails. But if you look at the recent slew of "Which Browser is the Fastest" articles, Opera 9.5 (and Safari, oddly enough) still beat FF3 in several categories, and Firefox doesn't index the contents of webpages in it's search history like Opera 9.5 does.
  • AvidPreatorian, on 06/23/2008, -2/+4it'll will be patch rapidly, im not worried. if you are, you're probably also worried about being struck by lighting.
  • hinchb, on 06/23/2008, -4/+50NoScript.
    • comrade693, on 06/23/2008, -0/+2Without knowing what the vulnerability is, NoScript may or may not help you. Yes, the most common exploits use JS, but not all have to.
      • Abomonog, on 06/23/2008, -0/+1No script blocks all script sources, not just java based scripting.
  • TheWindBlows, on 06/23/2008, -9/+1This doesn't surprise me Fx (Fx not FF) 3 is built onto the code of firefox 2 its just thousands of intergrated patches and a change of rendering engine layouts. This is the issue of Firefox in general Firefox 2 is just a bunch of code patched on Firefox 1.

    The best way to design a browser is to have radical changes every major version change and then for people who don't wan't just improvement have a sub version that will keep standard compliance.

    Example : Version 1 code is quite different from Version 2's code but there is a Version 1.1 available that makes use of version 2's rendering engine.

    This is idea is kind of basic but in order for a browser to stay secure it needs to be constantly evolving and not just patching (just intergrated patches can also make a browser very bloated. yes there are hacks around it but, it is better to avoid it from the start.)
    • Xiata, on 06/23/2008, -0/+6Adding features to older versions when in all likelihood are completely incompatible with each other, by any means including feature dependencies, makes what kind of sense?

      What strange voodoo development world do you come from?

      I don't think you understand the depth of what changed. The changes between Firefox 2 and 3 aren't small changes. Furthermore, small changes have a lovely ripple effect which is already annoying enough to maintain.
      • TheWindBlows, on 06/23/2008, -0/+1I agree voodoo development is the best though, because it requires voodoo developers.
  • twiztidsinz, on 06/23/2008, -5/+2"In response to this security report, Mozilla Security Blog posted, "This issue is currently under investigation. To protect our users, the details of the issue will remain closed until a patch is made available. There is no public exploit, the details are private, and so the current risk to users"."

    Incomplete quotes FTW!
  • natmaster, on 06/23/2008, -9/+4Hype.
  • Xocide, on 06/23/2008, -17/+4Failfox strikes again!
    • vade79, on 06/23/2008, -2/+7Must stop putting "fail" in everything, obnoxious/annoying level exceeded.
  • verevi, on 06/23/2008, -18/+11And it crashes alot. I love Firefox, but damn this 3.0 crashes on my PC all of the time!
    • wuchadwi, on 06/23/2008, -6/+3That's unfortunate... hasn't crashed on my mac yet. FF2 crashed quite often though.
    • jynweythek, on 09/17/2008, -0/+6are you sure you have the final release version? i had the beta 4 version which was crashing too until I downloaded the official release.
  • byronne, on 06/23/2008, -9/+4Oh come on.
    FTA: "...user interaction is required such as clicking on a link in email or visiting a malicious web page."
    Well, duh.
  • ventralnet, on 06/23/2008, -2/+4Yea, when FF3 first starts up it should do a compatibility check... they have a beta for firebug for FF3 if anyone was wondering

    Pretty much my priority is
    2. firebug
    1. ietab

  • jamesfaction, on 06/23/2008, -17/+17This flaw is rated HIGHLY CRITICAL by Secunia. It's not surprising that the Mozilla folks want to downplay the risk though.

    I like FF3, but... Opera FTW.
  • switchman401, on 06/23/2008, -16/+3YAY for Safari. It's faster than FF anyways. And if not.... WebKit definitely is.
    • kwilliam, on 06/23/2008, -0/+1YAY for Opera. Still has the best security record. (Probably because so few people use it. *Sniff*)
      • GeeNeeYes, on 06/23/2008, -0/+0not just because of that but also because it is more focused on security
  • Rosco, on 06/23/2008, -1/+8They (Mozilla) have known about it for a few days now and are already working on it. They posted about it on the 19th.

    http://mozillalinks.org/wp/2008/06/mozilla-already ...

  • SharkAtlantis, on 06/23/2008, -7/+22I'm a firefox user and I don't understand why this story is on the front page..

    Every software has vulnerabilities.
    • warbird, on 06/23/2008, -5/+6Except Opera (as far as anyone know)
      http://secunia.com/product/10615/
      • thanakar, on 06/23/2008, -0/+1Opera is such a little used browser no one has taken the time to do a detailed examination on it to find security flaws. Why waste time on a no nothing, podunk piece of software?
        • GeeNeeYes, on 06/23/2008, -0/+0secunia is a professional organisation which takes time and effort to detect vulnerabilities.
    • timsline, on 06/23/2008, -1/+1"Every software has vulnerabilities."

      And if it was an IE vulnerability it would have made front page as well.
    • andresxv, on 06/23/2008, -0/+3Because, unlike IE, a Firefox vulnerability its actually news and Digg is a tech site (or at least used to be), where most people are FF users.
  • Borgcube636, on 06/23/2008, -12/+6Sweet! Now I can use IE7 again!
  • brotherfranciz, on 06/23/2008, -2/+17Ha, all the Firefox fanboys are getting so defensive. There is no need to be, this is a news article - it's just reporting on what was found, the article is not implying that Firefox is a ***** browser.
    • Stavrosian, on 06/23/2008, -0/+1My browser's dad can beat up your browser's dad.
  • YodaJones, on 06/23/2008, -2/+3***** the security flaws, how about making frigging java work on Firefox 3? On Ubuntu the java paths get FUBAR. Makes Firefox 3 look half baked.
    • natenovs, on 06/23/2008, -2/+3ubuntu. i think that's your problem.
    • specialK16, on 06/23/2008, -1/+1Ummm half-backed, that sounds so good.
  • sc0rpi0n, on 06/23/2008, -0/+13Official Mozilla Security Bug Bounty Program:
    "Found a critical bug? Don't disclose it to the public, instead report it to us. We'll give you $500 Cash Reward + one cool T-shirt."

    Reference: http://www.mozilla.org/security/bug-bounty.html
  • tama00, on 06/23/2008, -4/+4i swear everyone on digg jacks off the moment firefox team announces something.

    and if that offends you then good cause you should get back to work.
  • deadlyfluvirus, on 06/23/2008, -9/+1Nice, now how about we fix or replace Spidermonkey so we can actually have faster and more secure Javascript like Opera has? Firefox 3 javascript is now two times slower than Firefox 2, what in the world?!? Come on!
    • GavinZac, on 06/23/2008, -0/+1Firefox 3 is much faster with javascript. Less FUD please.
  • mdman, on 06/23/2008, -6/+1that was quick..
  • Fergy, on 06/23/2008, -1/+11Instead of digging some stupid softpedia article just digg Mozilla's security blog:
    http://blog.mozilla.com/security/2008/06/18/new-se ...
  • FyberOptic, on 06/23/2008, -10/+5lol I like how people always try to bring up Microsoft in times like this. How does Microsoft's security history change the fact that Mozilla has delivered quite a large number of severe vulnerabilities over the years? They outdid Microsoft in 2007 I believe.

    Just goes to show you that the propaganda of "Fastest, safest, best" that they have on their website is wrong on all counts.
    • Duositex, on 06/23/2008, -1/+2NUMEROUS times I've received the updates to fix discovered security holes BEFORE reading about them. YMMV but if I were you'd I'd stick to IE6 because you seem to deserve it.
  • PHiZ187, on 06/23/2008, -0/+1Mozilla has an unofficial policy of fixing vulnerabilities withing "Ten ____ing days."
    http://www.infoworld.com/article/07/08/06/Mozilla- ...
  • mnbayazit, on 06/23/2008, -7/+0Lawl! The interweb is dangerous! You mean I can get a virus if a download something and execute it?! No way!
  • kravex, on 06/23/2008, -2/+4Popularity breeds attacks, unfortunate rule of computers.
  • h4mx0r, on 06/23/2008, -0/+9Every browser has flaws, the question is how fast are they patched.
  • jlemaire, on 06/23/2008, -4/+1firebug
  • Fetching more discussions...
    Show 51 - 67 of 67 discussions
  •  

    Login or register to add a comment

    Create a new account or login to join in the conversation on Digg. You'll also be able to Digg stories to help promote things you like.


© Digg Inc. 2008 — Content posted by Digg users is dedicated to the public domain.
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.