Mozilla confirms critical Firefox bug

Discussion in 'other security issues & news' started by ronjor, Mar 19, 2010.

Thread Status:
Not open for further replies.
  1. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It's not just this vulnerability. Over the last few releases, they are piling up. However, that being said, I agree that dropping a browser won't do a bit of good. EVERY browser has had and will continue to have problems. The harder malware writers work, the more we find out just how vulnerable we really are. IE, Firefox, Chrome, Opera, all of them have a great big bulls-eye on them. Some more than others of course.
     
  2. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    While I agree with you in principle, one could just as well argue the opposite - that extensions can make a browser safer. Due to its 'democratic' character, Firefox is pretty well documented - so even less advanced users can have a fair amount of control over what's going on under the hood and prevent bad things from happening. So, to add even more subjectivity to this already highly subjective discussion: with Firefox and NoScript, I feel very safe :D
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I completely agree with you that, if chosen wisely, and if the user reads the documentation and understands it, extensions CAN enhance security. About the only two I trust are NoScript and Adblock Plus. Their overall reputation is well-earned, and, since script attacks are (I believe anyway) the most prevalent, NoScript is a very powerful weapon. Even if, yes, sometimes it annoys slightly.
     
  4. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Obviously it is ridiculously stupid to believe that by passing to a new version you'll be safe. You'll probably be safe from that hole but believe me there are and there will be hundreds.

    I have never said that users should drop Firefox. I have only invited them to reconsider their opinion about Firefox and the level of trust. Firefox is not the safer browser and this should be known.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    And you're right also, there ARE hundreds of holes yet discovered. That goes for ANY browser though. It's simply the nature of the beast, humans screw up.
     
  6. progress

    progress Guest

    Great post :D

    Do you know when we will get the final 3.6.2? :doubt:
     
  7. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    True, true!!! And there are thousands of humans out there looking for those holes. I have come to accept the fact that no browser is or will be 100% secure so make my browser choice on usability. I use other methods for protection...#1 which is common sense.
     
  8. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    Before the end of the month. Build 3 is pretty good already; not a single issue here so far ;)
     
  9. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Every Linux distro I have used comes bundled with two browsers. Gnome distros have Epiphany and KDE distros have Konqueror, and then they all come with Firefox. But, I don't want to get off on the Linux vs Windows thing.

    At any rate, my point was that IE and Opera are closed-source and do not disclose the vulns found in-house or vulns found by independent researchers (who choose not to publish the vuln publicly). Firefox does not have this luxury -- it discloses all vulns, whether found in-house or not. Therefore, it is illogical to suggest Firefox is less secure than IE or Opera because it has more published vulns. Also, let us not forget the time to patch. I know Firefox typically always beats IE in time to patch, and probably beats Opera too.

    And, no I am not trying to defend Firefox -- I personally think Chrome is the most secure browser by design right now.
     
  10. linuxforall

    linuxforall Registered Member

    Joined:
    Feb 6, 2010
    Posts:
    2,137
    Every vulnerability found be it by Firefox or an independent source shows that when it comes to the number of hacks, Firefox is worse, as for Opera, its Secunia record speaks for itself.

    As regards the Linux versus Windows browser debate, it should be up to the user to decide whether or not he or she wants a closed source program, Opera, Chrome are free offerings so there should be no such restriction.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,170
    Location:
    Texas
    The H Security
     
  12. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    Something I don't understand (which isn't unusual God knows!), is why if this vulnerability has been known for some time (I've been using 3.5.8 past month) that the auto-update feature will still update to 3.6 if you let it, thereby perhaps making an unaware user vulnerable. I guess a lot of people might not know to look for the nightly-builds and beta versions? Or will it update to 3.6.2 now?
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,170
    Location:
    Texas
  14. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    Thank you Ron. Yes, I suppose what I'm saying is that now that Mozilla have officially accepted the situation (since 18th), then maybe they should have withdrawn the dl to version 3.6 via the 'check for updates' option, since it appears to be a serious vulnerability. Just a recommendation to get version 3.6.2 in their blog seems insufficient?
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,170
    Location:
    Texas
    Good point. Hopefully, no one will be harmed by the vulnerability.
     
    Last edited: Mar 22, 2010
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    If you're running 3.5.8, just wait for 3.6.2. Uncheck auto updates.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    And what do you base your claim biggest security "fraud" ever on?
    How about some numbers rather than just idle assumptions?

    And there's no need to sandbox or virtualize anything. Malware card is overplayed. Nothing special changed yesterday or a year ago or will change in a year from now. Browser, vulnerability, yawn, what's next?

    Mrk
     
  18. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
  19. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Every browser will have vulnerabilities. The main point is the response time to fix them. Bottom line is use whichever browser you like. Just don't use older versions of browsers.
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,170
    Location:
    Texas
  21. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,294
    Location:
    USA
  22. Zeena

    Zeena Registered Member

    Joined:
    Apr 25, 2008
    Posts:
    409
    Location:
    UK
    Both... Laptop - & - Desktop .. Automatically Updated To... Firefox 3.6.2 :cool:
     
  23. progress

    progress Guest

    I got the update too :)
     
  24. NoIos

    NoIos Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    607
    Sorry for not replying earlier.

    Biggest security "fraud"...yes...I consider that the worst thing somebody can do is miseducate for their own benefit. This way undermines the present and the future.

    Firefox for years has promoted itself via its own pages as the safest browser. They were lying. They have turned on the mozilla-friends "botnet" and have spread the lie. Bloggers, techies, respected web gurus and even respected news networks have participated to miseducate the world. What have they managed? To create millions of users that consider Firefox safer. The result: the "shields" for many of these poor guys are lower. Tell me why the phrase: "Are you still using IE? Get firefox is safer" sounds so common. There are no numbers to report here. There are the facts. The facts are here in front of everyone who has eyes to see.

    Let me say another thing. Google, major economic source for mozilla foundation...has created its own browser, Chrome. Surprise? Not for me. Google has created Chrome for many reasons, many of these converge to their "world domination plan", but it was also a message and a thing...let's take some distance from Firefox...although they had a really close partnership. So Google has created Chrome and surprise surprise...sandboxing.
    http://blog.chromium.org/2008/10/new-approach-to-browser-security-google.html

    They have made the difference and that is the scope of a corporation when they put their people to work on a project. Actually I'm not a fan of Google at all, but I have to admit that they made something a bit different and they have shown the way...browsers have to become more secure and not only by early or late patching.
    Yes.
    The security of all us users-consumers. For me it is important.
     
  25. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Again, you've given me your opinion about what you think this fraud is. I want numbers. I am a man of science and believe in facts. Show me figures and examples where Firefox is insecure - or just less secure than IE. Very simple. Once you provide me with proofs, the discussion will have merit. Until then, it's just your opinion.

    And the number of vulnerabilities means nothing. Whoever counts them shows ignorance of basic analytics. Just like 66 parking tickets do not measure up to speeding through red light or a drive-by - in a car.

    Mrk
     