more reasons to switch to firefox

Still more reasons to avoid Internet Explorer.

Another great post by Michael Horowitz over at his Defensive Computing blog on cnet, explains how Microsoft's failures around software update and Firefox's successes there really ought to get you onto Firefox if you're not already.

It's pretty basic reasoning. If you take it as given that all complex software has bugs (and browsers are some of the most complex consumer software available), and that all complex, network-connected software has security flaws, then there are basically only two measures that really matter when you're trying to stay safe using a web browser. The first is how hard the software vendor works to find and fix those flaws. The second is how quickly and effectively the software vendor can get an update in place on your machine.

With Firefox, you can actually see how much work is done finding and fixing flaws. You really can't say that about any of the other vendors -- Microsoft, Apple, and Opera only disclose the flaws found by third-party security researchers so you really have no idea whether or not they're even trying to find flaws in their own software. I sure hope they are, but it's their policy not to say anything about this in public so there's really no way to know for sure.

With Firefox, you get updates as soon as they're developed and tested, thanks to our amazing and demonstrably superior update system. The system quickly and quietly downloads the update in the background, not interrupting your work, by being smart about only downloading when the connection isn't under heavy use. Then it prompts you to restart, and after a quick restart that restores all your work (including your open tabs and even that blog post you were in the middle of typing), you're running on the new secure version.

With Microsoft, you have to wait on their "Patch Tuesday", which could be a month away, depending on when the software flaw surfaced. Even then, they may not include fixes for publicly known security vulnerabilities. Not only that, but the I.E. fix often comes with a load of other Windows fixes that usually require a full OS reboot. Co-mingling I.E. with the rest of Windows was a big mistake and this is just one of the ways in which that mistake surfaces to harm users.

With Apple, who knows. It seems kind of random when they push out updates, and when they do, you have to be especially careful not to accidentally install unwanted new software that came with the malware-like update system. With Apple, the update mechanism is not just about keeping you safe and secure, it's about pushing their other products on you. Advertising and security are basically the same priority for them, even when they're in the middle of a critical security fire-drill. This mixing of security and advertising is pretty horrible behavior and shouldn't be tolerated by anyone. Making users less comfortable with security updates is irresponsible behavior and does harm to the entire industry and to all computer users.

And with Opera, if they're not misleading users about security updates, you only get a notification but no actual update. To get an "update" you visit their website, download an entirely new version of Opera, maybe(?) uninstall your old version, and then install the new version. With all that hassle, it's no wonder so few of their users stay up to date and secure. It's absolutely unconscionable for a software vendor to distribute a browser in this era of rampant malware without a real software update system in place. It's irresponsible, bordering on negligence.

Mozilla puts security first and our update system and our security process were designed to keep users safe with as much transparency and as little hassle as possible. With Microsoft, Apple, and Opera, it's mostly opaque, rarely timely, overly complex, very disruptive, sometimes flat out misleading, and you don't always get what you asked for or what you need to be safe online.

The results of this are pretty obvious and it didn't take a serious study on the topic for most thinking people to realize that Firefox users would be more up to date and so less at risk than users of alternative browsers.

Firefox Update: one more reason to switch to Firefox.

reactions, thoughts, comments, etc.

On Mac, you just drag the new Opera into the same folder (for nearly all users, it’s just the Applications folder) and allow the system to replace the old with the new. This is not onerous in any sense.

The ticked-by-default Safari checkbox was at worst an error of UI design, not a nefarious plot, and was, in any event, fixed.

There are *excellent* reasons not to publish the exact details of security flaws that are and are not repaired.

I like the Firefox update mechanism myself. My friend cannot stand it. That one’s a matter of opinion. So is your posting, of course, except that you have an axe to grind.

>On Mac, you just drag the new Opera into the same
>folder (for nearly all users, it’s just the Applications
>folder) and allow the system to replace the old with the
>new. This is not onerous in any sense.

Opera Mac users, all 7 of them :-) have a slightly easier time than the majority of Opera users (on Windows) when dealing with one of the several steps it takes Opera users to get a new secure version. You still have to go to the Opera website, download a full release (and not just a tiny patch for the problem area), and perform the install yourself. The evidence is pretty clear that this is more work than a decent number of browser users are willing to do immediately upon availability of a security update, and that's why only a bit more than half!!! of Opera users were found to be up to date in the most comprehensive study available.

>The ticked-by-default Safari checkbox was at worst an
>error of UI design, not a nefarious plot, and was, in
>any event, fixed.

I call bullshit. This wasn't an error. This was completely intentional. Just like all their other software installers on Windows try to get you to install more apps than the one you asked for. They thought they'd be able to get away with it, and when challenged and nearly put on the most well known list of malware, they backed down, some, and put a little divider in their update system to move new software installs a few pixels away from the actual security update _and_ left it checked by default.

It is not "fixed" and it was not an accident in the first place. To not recognize that is either willful ignorance or out and out stupidity. No security expert believes it was a mistake and none of them consider it "fixed."

>There are *excellent* reasons not to publish the
>exact details of security flaws that are and are not
>repaired.

Strawman. I never called on anyone to publish exact details of security flaws repaired or un-repaired. Don't put words in my mouth and please try to keep your arguments on topic.

I argued that users have no way of knowing what's actually fixed or how important an update is because other vendors don't actually disclose what they've really fixed.

None of the other vendors disclose the existence of flaws, detailed or otherwise, that they have discovered and fixed themselves. They only disclose the existence of fixed flaws that they are forced to disclose by third parties who would go public earlier if they weren't credited with the flaw discovery upon its fixing.

The alternative thought here is that the other software vendors don't actually have people capable of finding flaws in their own software and rely exclusively on independent security researchers. I find that hard to believe, but in reading all of their disclosures of fixed flaws, I don't see any credited to employees of Apple, Microsoft, or Opera.

So, either they're incompetent or they don't actually tell you when they find and fix flaws themselves. Take your pick. I lean toward "not telling users" because that's the more generous explanation and I'm just kind like that.

>I like the Firefox update mechanism myself. My
>friend cannot stand it. That one’s a matter of opinion.

It's not a matter of opinion or likes or dislikes. It's a matter of basic security. A browser vendor is either effective or not. This study makes it pretty clear that Mozilla is a hell of a lot more effective than Microsoft, Apple, or Opera and they credit, rightly, the superior Firefox update mechanism.

- A

So why doesn't Mozilla update/patch that Firefox 3 vulnerability I saw on Secunia?

>The ticked-by-default Safari checkbox was at worst an error of UI design, not a
>nefarious plot, and was, in any event, fixed.

It wasn't an error. If you watch the WWDC keynote where Steve announces Safari for Windows, you'll see he was actually boasting about distributing Safari with iTunes. It filled me with disgust.

philry4n, the only un-patched flaw in Firefox 3 that's listed at Secunia is this: http://secunia.com/advisories/30761/ from here http://secunia.com/product/19089/?task=advisories

This bug was reported privately to Mozilla and the details are not public. Mozilla is working on a fix and it will be made available via automatic update shortly.

How childish to exaggerate other vendors' update process. In Opera, you simply follow the link in the notification and click the download button. Then the new version is downloaded in the background, and the update process starts automatically when ready. It will update your old version, keep your settings, and offer to restart Opera when done. It will open with the last used tabs.

Whether it is technically uninstalling the old version or not is completely irrelevant, and entirely transparent to the users.

Not that Firefox's solution isn't superior, but as said above, it becomes all too clear that you have your own axe to grind.

And Mozilla Corporation has the same goal as any other commercial organization on the planet: to earn money. Not users' security. If they believe the latter can lead to the former for the time being, well, good for us. Just don't fool yourself by putting them on some holy pedestal.

>And Mozilla Corporation has the same goal as any other commercial organization
>on the planet: to earn money. Not users security.

Mozilla Co is not publicly traded. So that statement is completely wrong.

Asa,

I sure wish you would learn. You take very valid points and slather them with your obvious bias, throw in a few flat out untruths about others' processes, and you have the perfect recipe for an Asa post. I like and use Firefox; posts like this further the misconception that Firefox users are a bunch of zealots who, no matter the facts, will never admit Firefox has its flaws....


Not entirely sure I agree with you, Asa. Firefox on Windows has a number of static dependencies such as urlmon.dll. Those dlls are Windows dlls (the irony of course is that urlmon.dll is part of Internet Explorer, but I'll leave that for others), therefore should a vulnerability in urlmon.dll occur, Firefox would be patched only through Windows update when Microsoft ships a patch for urlmon.dll. We are back to square one I'm afraid.

> Mozilla Co is not publically traded.

That's not really relevant. Privately held companies are out to make money too. The key difference here is that the Mozilla Corporation is owned by the Mozilla Foundation. In theory that should mean that if the money dries up MoCo will be absorbed back into the foundation instead of compromising its principles.

I agree with everything mentioned about the Firefox update process being far superior... but I have one pet peeve to add.

I have on average 12 addons for my Firefox installs. This means that every week or so, at least one of them has an update (fine).

However the user experience is frustrating because here is what happens.

1.) In an IM/IRC/Email or similar application, I see a link to something I want to check out.

2.) I click the link to open it in my default browser (Firefox of course)

3.) Firefox detects that addon x, and y have updates

4.) I get a flashing task on my task bar (WinXP) that indicates an update is avail (but the icon is not the Firefox one) (issue #1)

5.) I have to give focus to that update window, and approve/reject updates

6.) When my updates have been updated/applied, I *STILL* have to click a button to continue, to get to the page I was trying to load. (issue #2)


It would be ***********MUCH************** better if the "Continue" button had a countdown timer on it (say 5-10 seconds max) and then goes ahead and opens Firefox.

There is no other option... only Continue... so why bother waiting until I click a button?

I realize there *might* be users out there that want to see what updated, what failed, etc., but if 100% updated successfully, please don't bother me with an extra click.

PS I would also accept a config property in about:config that I could set.

[boolean]
browser.preferences.pleasePleasePleaseNeverMindShowingMeAContinueButtonWhenItIsPerfectlyTotallyObviousThatThereIsOnlyOneOptionAndThatIsToContinue: true;

(feel free to change the property name) ;-)

Steve

@Stephane Rodriguez: I did a full-text search just to make sure I didn't miss anything - there is no dependency on urlmon.dll. The library xul.dll is dependent on a bunch of Windows system libraries, none of which belong to Internet Explorer from what I can tell. And, yes - a vulnerability in msimg32.dll or wsock32.dll is a possibility. However, I expect Firefox developers to work around the issue (as they did in the past on various occasions when the vulnerability wasn't in their domain). They control what gets passed to these libraries, so they can make sure not to pass any problematic parameters.

Okay ASA, since you're pretty biased, I have to remind you of some things:

When someone on Windows (98, XP, Vista) wants to install Firefox, he needs to get through several steps of the installation, so when you say that upgrading Opera is complicated, you say that installing Firefox is complicated.
If they succeeded in installing Opera once, couldn't they just stop by for 2 minutes (I tried just now, no more time needed) and go through the same steps?

I think that you take users for dumb, and for that, people shouldn't give you any credit.

PS: it's a false statement that for upgrading Opera you need to uninstall the old version first; you know it, but you want to pull down all other browsers. It seems you don't agree at all with the benefits coming from other companies.

Of course Firefox no longer notifies the user about updates on Windows XP, unless you are foolishly running from an administrative account. It's hard to understand why they would do this. I often find my Firefox copies out of date, and I am reminded only because I frequent this Web site.

For once I have to stand up for Asa a little here. I have to admit that my Opera is usually out of date, partly because I have to download it and install it manually, just like he said.

On the other hand, as I mentioned, Firefox doesn't even notify me of updates any more, and that's arguably a worse problem. That's by design, and unfortunately, I can't change it.


@Wladimir

"I did a full-text search just to make sure I don't miss anything - there is no dependency on urlmon.dll."

Hmm. How about that?
http://www.arstdesign.com/BBS/picsupload/ImageFirefoxUrlmon.gif

Clearly, urlmon.dll is a static dependency of shell32.dll, which is a static dependency of xul.dll, which is a static dependency of firefox.exe

"The library xul.dll is dependent on a bunch of Windows system libraries, none of which belong to Internet Explorer from what I can tell."

Hmm. UrlMon.dll is one of the dlls of Internet Explorer 4 (which was introduced with Windows 98, the famous OS with built-in IE). You can check that out in the archive of the guy who built ways to have standalone multiple IE versions on the same machine. Here: http://browsers.evolt.org/?ie/32bit/standalone
Take a look at ie4_9x.zip


"And, yes - a vulnerability in msimg32.dll or wsock32.dll is a possibility."

Yes. msimg32.dll is what renders some of the old bitmap formats such as WMF and EMF.


"However, I expect Firefox developers to work around the issue (as they did in the past on various occasions when the vulnerability wasn't in their domain)."

How? Those are system dlls. Even updating with your own setup is impossible due to the windows protection scheme which will put back the original version of the dll. Microsoft Windows update does something special in order to disable the windows protection scheme, to make it possible to update the dlls. Is there any of that in Firefox? I don't think so, but I'd love to be proven wrong.


"They control what gets passed to these libraries, so they can make sure not to pass any problematic parameters."

If the libraries have vulnerabilities, I wonder how the control of passed parameters is going to stop the problems. For instance, everyone knows the problem with WMF files is within WMF files themselves. So passing a filepath to render a WMF picture would be checked ok even though the file is made to attack the vulnerability.

Anyway, my point was, there are plenty of system dlls loaded inside Firefox on Windows, so the basic point made by Asa and others is flat wrong. Besides this, urlmon.dll (among others) being part of Internet Explorer, I like the idea that when you run Firefox on Windows, you are actually running part of Internet Explorer...

Urk

You know, I read this blog a lot, and I notice a pattern. Every time Asa posts valid reasons for why Firefox is a superior browser, no one actually takes him up on any of his points. Instead, every single time, Asa's personality is attacked. People say "Asa is biased" or "Asa has an axe to grind", and so on. Never does anyone actually take up any of the points he lists, or god forbid, (try to) attack the study itself. It's always "Asa this, Asa that".

And what blows my mind even more is why people would want to defend vendors that do not work in the best interests of the community. Opera is not as aligned with community interests as Mozilla is. Not even close! But at least I could kind of understand some love for it. But what about Microsoft? Why would anyone in their right mind defend or apologize for Microsoft? Or Safari? Apple is a horrible vendor when it comes to users' rights, community and openness. Arguably Apple is worse than Microsoft, considering their unholy proprietary hardware+software operation. Apple sometimes opens things up, but only after a lot of pressure from the community. The same is true with Microsoft. After decades upon decades of immense pressure, finally Microsoft is opening up "their" file formats so the users can access their own data using the applications they choose. Why anyone would defend any of these monstrosities is beyond me.

I've come to a conclusion that everyone who posts an anti-Asa rant here is a paid-for shill. I don't think any user would be passionate about a closed-source vendor that's only looking out for itself. Mozilla looks out for its users! You can't say otherwise. Everything they do is open. Bug database is open. The source is open. I don't see how you can protect your users more than that. I don't see how you can be more selfless than that.

To all you anti-Asa ranters: do you realize you sound like a bunch of sore losers when you don't address any of the points that Asa brings up, but instead go for Asa's personality and intentions (which you know nothing about, but rather, you speculate based on your own miserable personalities and your own intentions were you put into the same position)? You are a bunch of whiny ungrateful children.

@Stephane Rodriguez:

"Besides this, urlmon.dll (among others) being part of Internet Explorer, I like the idea that when you run Firefox on Windows, you are actually running part of Internet Explorer..."

Do you have proof that Firefox is using the APIs that actually depend on urlmon.dll? Just because the dependency walker shows a dependency doesn't mean the API is used. Each library can have many APIs and only some of those APIs may depend on another library, and so on. You have to demonstrate that Firefox is using specific shell32.dll APIs that rely on urlmon.dll.


@Leo,

Answering whether or not Firefox makes a call to urlmon.dll is a different question than answering whether or not urlmon.dll is loaded when Firefox.exe starts. My original post was about the latter.

What I'm saying is, if urlmon.dll (a piece of Internet Explorer) is absent on your computer, Firefox.exe won't start. That, in and of itself, is already interesting.

What we know, also thanks to a tool like the dependency walker, is that Firefox.exe statically imports 13 functions from Shell32.dll. Importing functions means that Firefox.exe makes calls to it. It can also make any number of calls dynamically. The functions are:

DragQueryFileW
SHAddToRecentDocs
SHBrowseForFolderW
SHGetDesktopFolder
SHGetFileInfoA
SHGetMalloc
SHGetPathFromIDListA
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHGetSpecialFolderPathW
ShellExecuteA
ShellExecuteExA
ShellExecuteW

Functions like ShellExecute(), a general purpose url function that triggers an application based on the associated file extension, use Urlmon.dll's url moniker facility.
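The static-import list above is what a dependency walker reads out of the PE import directory. As an added example (not code from the thread, from Mozilla, or from any real firefox.exe), here is a minimal reader for that directory, run against a constructed PE image whose DLL and function names are illustrative; the output covers only the file's own direct imports, so a second hop such as shell32.dll pulling in urlmon.dll does not appear, which is the distinction being argued about.

```python
import struct

# Constructed stand-in for firefox.exe; names are illustrative, not read from a real binary.
SAMPLE_IMPORTS = {
    b"SHELL32.dll": [b"ShellExecuteW", b"SHGetSpecialFolderPathW"],
    b"KERNEL32.dll": [b"CreateFileW"],
}

def build_sample_pe(imports=SAMPLE_IMPORTS, sec_rva=0x1000, sec_off=0x200):
    """Minimal PE32 file: DOS stub, PE/COFF headers, one section with the import tables."""
    n_desc = len(imports) + 1                        # final descriptor is all-zero
    body = bytearray(20 * n_desc)                    # descriptors, filled in below
    for i, (dll, funcs) in enumerate(imports.items()):
        name_rva = sec_rva + len(body)
        body += dll + b"\0"
        hint_name_rvas = []
        for f in funcs:
            hint_name_rvas.append(sec_rva + len(body))
            body += struct.pack("<H", 0) + f + b"\0"    # 2-byte hint, then the name
        while len(body) % 4:
            body += b"\0"
        thunks = b"".join(struct.pack("<I", r) for r in hint_name_rvas) + b"\0" * 4
        ilt_rva = sec_rva + len(body); body += thunks  # OriginalFirstThunk
        iat_rva = sec_rva + len(body); body += thunks  # FirstThunk, patched at load
        struct.pack_into("<IIIII", body, 20 * i, ilt_rva, 0, 0, name_rva, iat_rva)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                             # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sec_rva, 20 * n_desc)  # DataDirectory[1]
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, len(body),
                      sec_off, 0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return bytes(hdr) + b"\0" * (sec_off - len(hdr)) + bytes(body)

def parse_imports(data):
    """Return {dll: [function or '#ordinal']} for this file's direct imports only.
    What shell32.dll itself needs (urlmon.dll in the thread) is the loader's business."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    n_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    import_rva, _ = struct.unpack_from("<II", data, opt + (112 if pe32plus else 96) + 8)
    sections = []
    for i in range(n_sections):                      # (VirtualAddress, size, raw offset)
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    def off(rva):                                    # RVA -> file offset
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError("RVA %#x outside all sections" % rva)
    def cstr(o):
        return data[o:data.index(b"\0", o)].decode("ascii")
    thunk_fmt, ord_flag = ("<Q", 1 << 63) if pe32plus else ("<I", 1 << 31)
    result, d = {}, off(import_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, d)
        if name_rva == 0:                            # terminating descriptor
            break
        funcs, t = [], off(ilt or iat)
        while True:
            entry, = struct.unpack_from(thunk_fmt, data, t)
            if entry == 0:
                break
            funcs.append("#%d" % (entry & 0xFFFF) if entry & ord_flag else cstr(off(entry) + 2))
            t += struct.calcsize(thunk_fmt)
        result[cstr(off(name_rva))] = funcs
        d += 20
    return result
```

Pointing parse_imports at a real executable's bytes lists what that file itself links against; to see what those DLLs link against in turn, you have to repeat the walk on each of them, which is what a dependency walker does recursively.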

Leo wrote:
"Never does anyone actually take up any of the points he lists, or god forbid, (try to) attack the study itself."

On the contrary, most of the comments attack his statements.


"I've come to a conclusion that everyone who posts an anti-Asa rant here is a paid-for shill."

Some of us who challenge (or defend!) Asa's statements have devoted thousands of hours to Firefox user support, documentation, and bug reports.

Another off topic comment by myself: could Asa please prevent or delete double posts? There are many of them, and they make following conversations annoying...

@Stephane:

"What I'm saying is, if urlmon.dll (a piece of Internet Explorer) is absent on your computer, Firefox.exe won't start. That, in and of itself, is already interesting."

Not really. It's an artifact of how the standard Windows libs work. If you don't like it, complain to Microsoft.

I don't see how Firefox can be blamed for using widely advertised Windows APIs that Microsoft wants you to use when you program on Windows.

I am still not convinced it's something Mozilla should be criticized for. In what contexts is it used? What kind of parameters are fed to it, when, how, etc.? Is there an alternative? In other words, are they using ShellExecute(...) when a widely available secure alternative exists? Is this alternative guaranteed to behave well in all future versions of Windows?

Does Opera use something else instead of ShellExecute(...)? If yes, what?


@Leo

You are 100% off topic. Quit the fanatic nonsense, thanks. If we go back to the original poster, he was claiming how good the Firefox update mechanism was, especially compared to Windows update. My point was and still is that Firefox relies on Windows system dlls that are high candidates for vulnerabilities, and they have already been in the past (msimg32, urlmon, ...).

In other words, updating Firefox in the broader sense is a combination of Firefox update and Windows update, which contradicts the poster's point.

A minor point I added was an ironic one, which is that Firefox users on Windows actually run pieces of Internet Explorer. You may not like it, but that's the truth.

>>Does Opera use something else instead of ShellExecute(...)?

At the time of writing I don't know (but it's easy to find out), but you are trying to move the subject elsewhere. Typical of someone with no arguments. I don't think the Opera guys have made the same claim as the Firefox guys, have they?

Asa, I think there's a forum glitch that sometimes results in double posts. As I recall, a comment doesn't show up right away, then it balks at reloading or moving forward or back, ... or something. It sometimes requires you to resubmit data, and you don't realize until later that it's resubmitting the comment. And since you don't see what has happened right away, no one is aware immediately that something went wrong. When the problem shows up later, the details are forgotten. Or something like that.

Don't know about IE7 updates. The Windows updates work ok.
Partly because of "malformed request... 200" on *some* of the FFs, Opera updates are about the same level of chorishness.
With Opera, you just have to keep the bookmark of the page that gives the d/l choices for your OS(s). With Windows, get the "classic", avoid the MSI installer (which is the default on the earlier d/l page).
