The Inside Track on Firefox Development.


May 19, 2005

Netscape 8 Is Unsafe

Users of the Netscape 8 browser can click here to verify that their browser exhibits the Cross Site Scripting flaw that was fixed for Firefox 1.0.4.

If security is important to you, this demonstration should show that browsers that are redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla will itself for its supported products.

Posted by ben at May 19, 2005 11:06 AM

Comments

Isn't your post against MoFo strategy and XUL applications? While MoFo is working on XULRunner and while we hope that application developers migrate from IE to Gecko as underlying HTML viewer component, not having an update system for that is a problem of this framework, not the users. I think open source and MoFo should encourage developers and also users of branches, hoping that they will develop new features that can return back to Firefox.

Posted by: Pooya Karimian at May 19, 2005 12:11 PM

Not that I disagree, in general, with the message conveyed in this post - but you don't really have to pick on the little details - true, they could've synched it with 1.0.4 (or even wait a little to have it synched with 1.1) - but this is a widely covered security flaw which has yet to affect a single person.
(My personal belief is that the hype around it is meant to discredit the, true enough, notion that Firefox is uber-safe - not because it's a really dangerous flaw)

Posted by: Jonathan Avidan at May 19, 2005 12:20 PM

> the, true enough, notion that Firefox is
> uber-safe

I think you're being a little too trusting. Firefox is pretty safe. Sorta. As far as we know and as long as you're using 1.0.4...

Posted by: Boris at May 19, 2005 12:36 PM

I raised precisely the same problem with Netscape's first beta (which was based on 0.9.3, and had a certain security hole of its own).

Though in retrospect, you can't blame them too much. 1.0.4 was released about a week ago, and that's not really enough time for a lot of QA teams to react. Someone made a business decision not to delay the release any longer, I guess.

I'm not agreeing with the decision to release based on 1.0.3, nor am I disagreeing. Yes, I wish they'd used the latest & greatest, but who knows what evil lurks in the hearts of AOL?

Posted by: Alex Vincent at May 19, 2005 1:22 PM

If security is important to you, this demonstration should show that browsers that are redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla will itself for its supported products.

Well, that kills the googlefox rumor. A comment like that is rather honest. And true.

Posted by: Robert Accettura at May 19, 2005 2:23 PM

This smacks with irony in light of the fact that Your Current Browser is Outdated

Posted by: Racer at May 19, 2005 2:34 PM

For me even this vulnerability fixed in Firefox 1.0.1 "works" in Netscape 8.0: http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

Posted by: Steffen at May 19, 2005 2:40 PM

"Well, that kills the googlefox rumor. A comment like that is rather honest. And true."

Good point. Worth remembering.

Posted by: David Naylor at May 19, 2005 3:34 PM

The IconURL vulnerability works too, but not with the default configuration... for some reason Netscape 8 ships with only update.mozilla.org on the whitelist, and there is no direct way to edit it. But if you add addons.mozilla.org then the original proof-of-concept code works. If Netscape starts its own extensions site (and whitelists it) without fixing this then there could be an even more serious problem...

Posted by: Tom Hessman at May 19, 2005 4:17 PM

I thought the idea was that updating any Mozilla-based programs would be a simple matter of updating the moz runtime libraries. In fact, from what I gathered, you could have several programs based on Mozilla (Firefox, Thunderbird, Netscape 8) all sharing the same libraries and that you only needed to upgrade one.

What happened to that idea?

Posted by: Richi at May 19, 2005 6:02 PM

I'm sure 8.1 is in the works, that comes along with another chance to opt-in or -out of add-on programs. Maybe they did it on purpose, but I doubt they would want to do that.

Posted by: Joey at May 19, 2005 6:36 PM

While I agree with the first poster, I don't think he understands how this works.

You are asking Mozilla to study their code, write patches, and then test them?

If it was a simple embedding of Gecko or a direct use of XULRunner, then yes, it would have been an easy patch... however what you are asking for is impossible given the way Netscape 8 was created.

Posted by: Jed at May 19, 2005 7:29 PM

@Richi.

That would be the effort of XULRunner I believe.
1) XULRunner isn't ready yet (almost?)
2) Netscape didn't build their browser off of XULRunner or embedding Gecko, they sort of forked off of Firefox's code base.

Posted by: Jed at May 19, 2005 7:30 PM

I think the basic design of Netscape 8 is flawed. What happens when each new update occurs to Firefox and the IE engine? Seems to me Netscape will always be lagging behind because it depends on others to make updates - and then has to react. I can't imagine the code being efficient when for every site you visit the browser decides which engine to use. This design just seems inefficient and illogical. No thanks.

Posted by: DogFace at May 19, 2005 7:54 PM

Honestly, I don't really care for Netscape, nor do I understand why they're still producing a new web browser (who still uses it?), but I don't really see how citing this isolated case is _proof_ that redistributions of Mozilla products are _never_ going to give you security updates as quickly as Mozilla will itself. Instead of making bold, absolute statements that can't be proved, why not just continue to show Netscape up by producing a superior application? The schoolyard name-calling just diminishes the Firefox project.

Posted by: bolinfest at May 19, 2005 8:32 PM

Looks like 8.0.1 has just been released, based on Firefox 1.0.4.
So, now it isn't "unsafe." (at least by Firefox standard. :-)

Posted by: Chris Ilias at May 19, 2005 8:33 PM

Well.... I have Firefox 1.0.4 and Netscape 8 and that page does exactly the same thing on both of them (loads a Google page in a square). And the rendering engine is Firefox in NS8. So what's the big deal? What is it supposed to do?

Posted by: Jeremy at May 19, 2005 9:02 PM

I just tried the link above with FF1.0.4 and it saw my google cookie.

https://bugzilla.mozilla.org/attachment.cgi?id=182990

Posted by: kevin at May 19, 2005 9:04 PM

I switched to Firefox, because it was supposed to be 'secure'. But I didn't know that secure meant changing version every other day.
So what's the difference between IE and Firefox now?

Posted by: Anil at May 19, 2005 9:16 PM

I use Mozilla based Opera and when I click the link it doesn't even open up a Google window... just a blank one. If I click in that 'box' it opens Google. And my browser's not even up to date.

Posted by: OperaUser at May 19, 2005 9:22 PM

The difference between IE and Firefox is that The Mozilla Foundation actually patches and improves its software. Microsoft let IE stagnate for about 4 years with little to no development.

So ask yourself if you want to be spending hours cleaning up the mess IE can let through or simply spending 2-3 minutes updating your program every few weeks?

Posted by: Lane at May 19, 2005 9:24 PM

Anil;
you'd better read this blog post by Chris Crews:

"On a slightly different, but related note, (which should be in a separate post, but I don't much feel like doing two posts tonight.) I really am starting to hate all the hype about Firefox security. Firefox is a secure browser, only because Mozilla.org puts effort into patching flaws that are found quickly, and in general, design considerations take security into account. Firefox is most certainly not a security utopia though. It seems like Firefox advocates, in their effort to make the case that Firefox is more secure than Internet Explorer, a topic which is very likely to convince people to switch browsers on, have over-hyped Firefox's security. To the point where people expect Firefox never to have a flaw. This is now starting to generate a lot of bad press for Firefox, by over-eager reporters wanting to find the smoking gun in Firefox that brings it into the same field as IE. It makes even fairly minor security flaws have the same weight as every one of IE's usually much more critical flaws. Basically, allowing Microsoft to get off the hook with having to be accountable for their security problems. By being able to say, "look over there at the "more secure" Firefox browser, it has flaws too." It's fine and useful to use Firefox's security as a "selling" point for the browser, but try to keep it realistic. So when flaws are discovered and patched, you can use Mozilla's responsiveness to support the product, instead of having to defend it from overblown criticism because it had a flaw."

Posted by: Chris Ilias at May 19, 2005 9:26 PM

If you really want to complain about security in Firefox, let's see someone bring up Java's integration and how it lets many fun malicious programs through.

Posted by: Lane at May 19, 2005 9:29 PM

Once again, Netscape sucks.

Posted by: Hervard at May 19, 2005 10:56 PM

That's great, but in 1.0.4 you can't use the word redirect on any page... try google.com and search "exim redirect" and it will not search for love nor money.

Posted by: Mark M at May 20, 2005 12:12 AM

And now, less than a day later, 8.0.1 is released, with the security fixes. Did they not realise the security flaws were there? Or did they make a deliberate decision to release the flawed version on time and patch it immediately?

Posted by: michaell at May 20, 2005 3:49 AM

>>The schoolyard name-calling just diminishes the Firefox project.

Thanks, I was looking to put it nicely too. Hope ben doesn't get his head up in the clouds. It's been 8 months since Firefox 1.0 was released. Get your act together.

Posted by: Firefox Lover at May 20, 2005 11:18 AM

I think that it was bad form to go after Netscape that way just to make yourself look better. So when did you decide to become Microsoft. And why (even if it is harmless) would you post an exploit for a flaw that may still affect some firefox users? Just to prove that Netscape sucks.

I have been using Firefox since version 0.5.x and have loved every minute of it, but if you are going to resort to Microsofts browser bashing tactics and posting exploits just to make Firefox look better then I will move on to something else.

Posted by: Matthew at May 20, 2005 1:34 PM

Yup, damn that Netscape. Mozilla is lightning fast at fixing most known, old major bugs and exploits. (Save your work, that link crashes Windows if you're running FF or IE.)

I know I'm being an asshole by mentioning that, but the attitude in this post is a little upsetting. Mozilla owes a hell of a lot to Netscape even if it's just a brand name now, and making fun of AOL's attempts to get something back from their investment is not very mature.. especially when Firefox suffers from being reasonably unsafe as well. Netscape 8 serves a purpose and Mozilla should respect that.

Posted by: SuitCase at May 20, 2005 5:04 PM

It's kinda funny to see Ben Goodger making a big stink over the first Netscape 8.0 build being based on the INSECURE Firefox 1.0.3 code, when Firefox 1.0.3 code is also the responsibility of Ben Goodger!

Plus, such a big stink is not warranted, given that AOL has in fact reacted VERY QUICKLY, and in a matter of hours released Netscape 8.01, based on Firefox 1.0.4.

In fact, I downloaded Netscape 8.0 on Thursday night, and when I installed it I found that I already had "8.01" in the About box, based on Firefox 1.04.

Instead of recognizing that the GECKO ENGINE and much of the code of today's FIREFOX is a result of NETSCAPE COMMUNICATIONS' decision back in the late 90s to OPEN UP THE CODE, and the financial investments in Mozilla.org by AOL that led to Mozilla 0.x-1.0-1.4, here we have a childish Ben Goodger trying to tell everyone that Firefox is a result of HIS "independent" Mozilla Foundation. Yeah, right! Maybe if you dumped the whole code base and started Firefox from scratch with a non-Gecko engine!

There's a saying down here: spitting upwards of you is not wise...

FC

Posted by: Fernando Cassia at May 20, 2005 11:18 PM

Umm. Doesn't this sound like... FUD?

Sorry, but Netscape 8 users are also those users we need. It's based on Mozilla code -- now even Firefox -- so it will promote standards compliant design on the web anyway. And that's the main reason we need those convertees from IE, right? All that stuff about spreading fire?

It doesn't matter if it's Firefox that draws them or Netscape. Both are now very noteworthy standards compliant alternative browsers, which is great (even though NS comes with that stupid IE engine, but that's another story...).

So let's have a party instead.

Posted by: anderskorte at May 20, 2005 11:42 PM

If you (Ben, I mean) are that keen on attacking redistributors, wouldn't it be easier to change the licensing so they couldn't do it. Why do the work that enables redistribution and then celebrate when you fail to enable it to happen effectively?

From the stats I've seen, the majority of users with official Firefox builds are still vulnerable to these exploits, because the update stuff in 1.0 that you threw together without proper planning or review sucks, and they haven't updated.

Posted by: michaell at May 21, 2005 10:17 AM

I think the reason why ben and many users are totally not supporting any Netscape development is how Netscape defaults 'trusted' sites to IE. I would have supported Netscape 8 if they hadn't used IE for half of the sites it uses.

Also, no linux version.

Posted by: dmb at May 21, 2005 12:06 PM

http://www.unixnic.com/blog

Posted by: Macplex at May 21, 2005 12:09 PM


Browsers that are redistributions of the official Mozilla releases are never going to give you security updates as quickly as Mozilla will itself for its supported products.

Since you're not mincing words, I won't either:

The unpackaged (and therefore unfinished) software released by mozilla will never be installed on any significant scale Linux network. As much fun as it is getting a tarball of something...

* That I have to install in a different manner to my other 1800 packaged applications
* That I have to update in a different manner to my other 1800 packaged applications
* That I have to find updates for in a different manner to my other 2000 packaged applications
* That can never be relied upon or rely upon my other software in the same manner as my other 1800 packaged applications.

I won't. Cause that's a waste of time. Maybe Ben can explain why Firefox is somehow worthy of all that extra work.

If Mozilla.org is not providing vendors with the information they need to release updates in a timely manner, that's their fault. I wish them luck in any efforts they have in improving this behaviour.

Posted by: Mike MacCana at May 21, 2005 6:17 PM

It doesn't matter if MoFo can whip up a security update 5 seconds after a flaw is discovered if it takes end users in the order of days/months to update and it is too much of a hassle for IT admins to replicate to a large number of systems easily.

"There's a new version of program X" solicits a "The one I have works fine already" response from the majority of computer users.
You never had to worry about the top few knowledgeable percent of your userbase; they will take care of themselves and be secure with or without your help.
It's the average couldn't-care-less user that needs prodding and help, and so far they aren't getting any, and neither are the people who need to push out an update to a large number of systems on a network.

If you want to realistically measure how secure you are, look at the average time between discovery and deployment, not the average time between discovery and released fix.

Posted by: Riva at May 22, 2005 7:31 AM

Shouldn't Mozilla work with other companies (such as Netscape) to try to resolve these problems? Rather than publicly slagging them.

I expect Mozilla (a non profit organization that I have donated to) to cooperate with others that want to use their code. Not fight against them like any other for-profit company.

Posted by: Tom at May 22, 2005 8:57 AM

Netscape is a bit different; Netscape isn't its own company, it IS AOL. AOL is in the business for money, and they basically used to almost 'own Mozilla' and they gave it up, because they thought it was a waste, so there is no cooperation with AOL.

Posted by: dmb at May 22, 2005 11:10 AM

Go firefox! :)

Posted by: bart5986 at May 23, 2005 6:32 AM

Ben Goodger,

As a long time user of Mozilla, Firefox, and Thunderbird, what I say here I say out of concern for the future of this software and other that Mozilla Foundation might produce.

I have read stories where you are described as some sort of technical "whiz kid". That may be true, but with this one post you have demonstrated with crystal clarity that you have a serious competency gap in the area of public relations.

I strongly suggest that you move immediately to conduct damage control over your unwise post.

In addition, considering that a blog in the hands of someone who is seen as representative of the Mozilla Foundation and its products, and yet who demonstrates such a glaring lack of finesse in public relations, can and certainly will be harmful to the Mozilla Foundation and its products, I also suggest that in the future you consider vetting your blog posts through a more PR-savvy person at the Mozilla Foundation, or at least through someone who is a little wiser and has more common sense.

Peter Yellman

Posted by: Peter Yellman at May 23, 2005 8:21 AM

I use FF and T-Bird, everyday, all day.

I also happen to agree with Mr. Yellman. Thumbing your nose at the general public is never a good thing. But, then again this is your blog, so post what you like!

BTW, IE's box rendering model sucks, but I'll tell you what - it's owner - Microsoft - man, they've got the PR thing down.

What, you didn't hear? Longhorn will end world hunger through BizTalk XML extensions!

Posted by: Alex Sherwood at May 23, 2005 8:41 AM

What happened to the times when BLOGS were personal and no reflection of the organization that employs them?

Posted by: dmb at May 23, 2005 12:31 PM

I think people have made some good points on various sides of the issue. Ultimately, even though security is important, it's not my main reason for picking Firefox over IE or Netscape or Opera. Things like usability, fun, and customizability also come into play. Sure, I don't want a gaping-holey-browser, but if I can be reasonably safe and use proper settings (how about unchecking "allow websites to install software," for starters?), then there are other factors in my decision.

I've converted a handful of my co-workers to Firefox, and most of the time I tout tabbed browsing, the bookmarks toolbar, and the search box as Firefox's most distinctive features, not its security.

Posted by: aysiu at May 23, 2005 12:33 PM

>What happened to the times when BLOGS were personal and no reflection of the organization that employs them?

Please engage your brain before posting such trifles. It has never been true that public posting such as this, from a key person (you might even say, a representative) in the development of a product, regarding the very product in question, housed at a site with the product and organization name in its title, was "personal" and did not reflect on the organization that employed them. The short answer: such times never existed. Tidy up.

Peter Yellman

Posted by: Peter Yellman at May 23, 2005 12:43 PM

>>What happened to the times when BLOGS were personal and no reflection of the organization that employs them?

I guess you missed the 1200 pixel firefox logo in the background of the page, and the "Inside Firefox" title on the blog....

Ben, I find your post a bit hypocritical, seeing as Firefox had this issue about 2 weeks ago. Netscape inherited this bug from Firefox, so to sit and call Netscape unsafe is a bit moronic... you're stomping on your own toes.

Blasting them with that last comment is a bit rude too, given MoFo's practices when it comes to mid version releases.

" Opinions expressed here are my own, and not those of any organization that I may be affiliated with."

Posted by: xENo at May 23, 2005 12:57 PM

Your blog reads;

“Yes sir we supplied the engine for your car. I know it blew up while you were doing 70 mph down the motor way, and you could have had a nasty accident, but if only you had gone direct through us, we could have had it patched up and you back on the road 1 day faster.” – Like that’s some consolation, and a reason to bash the reseller.

Posted by: fluffykitten at May 23, 2005 2:07 PM

Since when did Firefox not support Open Source development. Pull your head in and stop bashing Netscape - from where you came.

IF the developers of Firefox do not wish others to use its code then feel free to remove all that has been contributed under the GPL agreement and develop your own replacement.

Posted by: Un-Nefer at May 23, 2005 4:30 PM

I like the Mozilla platform (even though it's quite complicated to develop with at the moment) and use both Firefox and Mozilla. And although I normally use Firefox, I have absolutely NOTHING against the Mozilla suite, Netscape, Galeon, K-Meleon, ... gosh, there are so many. If Google wants to build on Firefox, go for it! I'm big on open source, but I don't bash proprietary products. It's sad how just a few people (or maybe just one) can ruin it for all.

Posted by: ws at May 23, 2005 4:59 PM

Anil, why do you think Opera is Mozilla based? I have always been told that their browser is developed by them, and some casual googling on the subject turns up no pages supporting you; in fact several come up saying the opposite.
In any case, in my experience Firefox has never been stable on my machines. Netscape 8.01 seems to be fine and can visit sites that cause FF to lock up on my main computer, though it still isn't as good as Opera 8.
I do believe however that such a cheap stab at what were basically the founders of the Mozilla project will be seen as sour apples between AOL\Netscape and MoFo. Why you had to publicly attempt to spoil the Netscape 8 launch like this is not something I can understand; it strikes me as a rather petty thing to do. Surely you have contacts at AOL\Netscape and could have pointed this out to them and found out when the ETA on a fix for this "problem" was coming? Instead you posted this blog, presumably went out of your way to create the demo of this exploit and posted it right when people were getting excited about Netscape 8, which will likely have put many people off downloading it. If that was your goal then I must commend you as you have done well, however as noted it was\is a petty thing to do.

Posted by: Richard Murphy at May 23, 2005 6:07 PM

As the "lead engineer for Mozilla Firefox", Ben should show more enthusiasm for the adoption of the Mozilla platform by corporate sponsors. How will that comment, directed at Netscape, influence other companies that might consider using the Mozilla technology? Why would they even think about it now, if it is to see the "lead engineer" collaborating with them during the day but blasting them on his blog at night because their redistributions are "_never_" going to be as safe as his product?

The comment was gratuitous, hostile, cynical, unfair, negative... All the signs of a disgruntled employee towards his former employer.

Animals only bite the hand that feeds if one day it stops feeding them, because it makes them angry and ungrateful, but then no one else wants to feed them anymore because they're scared.

Posted by: clickfornews at May 24, 2005 5:03 AM

"Animals only bite the hand that feeds if one day it stops feeding them, because it makes them angry and ungrateful, but then no one else wants to feed them anymore because they're scared."

I think Google's feeding Ben just fine.. better than Netscape ever would have.

Posted by: Praneet Kandula at May 24, 2005 5:47 AM

This is trash talking pure and simple - last week this same person slammed KDE for focusing on perfection instead of day-to-day fixes. As some of the posters pointed out, Mozilla wouldn't be where it is today had this advice been followed (remember the whole Gecko controversy?). This is part of the open source style - release it when it's ready, not by some accountant's or marketer's schedule.

Posted by: Michael O'Keefe at May 24, 2005 7:47 AM

it's nice to know you're still stirring up controversy. :) anyway, i wanted to congratulate you on your success, i can't believe how far you've gone. didn't i say you'd end up taking over? i think i did. you totally deserve it.
way to go, ben.

Posted by: andrea at May 24, 2005 12:47 PM

>I use Mozilla based Opera and when I click
>the link it doesnt even open up a Google
>window...just a blank one. If I click in that
>'box' it opens Google. And my browsers not even
>up to date.

Some poor village is missing their...

Opera is not a Mozilla based product. In fact, it has nothing to do with the Mozilla code OR gecko.

Posted by: d3bruts1d at May 24, 2005 1:21 PM

I was reading this commentary, which is interesting in that it says that standard procedure for open source projects is that when an important security vulnerability is found, they alert all vendors who rely on the code, patch it up, send it to all the vendors to incorporate, and try to synchronise the release together.

Apparently the "be an ass" and crow that we are better than all the people who made the mistake of choosing our code is only a Mozilla-specific procedure.

Posted by: Here's something interesting at May 24, 2005 2:51 PM

I got the same results using Firefox 1.0.4 as I did using Netscape 8. The exact same thing happened, I saw my google cookie. Why is this?

Posted by: Scott at May 24, 2005 3:06 PM

I have a great respect for firefox and its development and also you - but I must say, this comment of yours leaves a deep distaste.

I would rather think that this speaks of Firefox's reach and greatness that now other browsers are copying your engine - in fact, Netscape has done a smart job of giving the user the option to render with IE or Firefox - now even an ordinary user who might not have heard of Firefox or not be willing to make a switch can easily see why Firefox is better!!

Instead your comment seems to disregard this and leaves a bad taste by immediately blaming them that they are unsafe.

Just my 0.02 cents.

Posted by: Mahesh at May 24, 2005 6:19 PM

Shame on Netscape for open-sourcing their code and expecting to be able to make a new product without being trashed by the very people they helped.

Posted by: Micah at May 25, 2005 9:49 AM

I have been using Firefox since it was still Phoenix, and I have loved the product from the get go. I love the spirit of the MOFO and what it is trying to become, and I lend my vote to it by using their products. But I see this blog post as an invitation to expose some of the flaws I see with Firefox and Gecko. I do this, not to bash, but perhaps to illuminate Mr. Goodger that the goodwill Firefox has enjoyed from the Web community is not a license to think that you are better than others, even if in fact you are. So while I still think Firefox rules, here are two of my biggest gripes with it:

Rendering Engine Updates:

Starting with the problem you expose, and building upon the comment that this is a flaw of the framework and not the Netscape product. The Internet Explorer render mode of Netscape 8 would never suffer from the problem of lagging behind the IE release. Why? Because Netscape 8 utilizes the built-in infrastructure of Windows COM (or ActiveX if you will) to get a handle to the shared rendering engine at the OS level (shdocvw.dll). So when Windows Update finally gets around to updating problems in the engine, Netscape 8 will immediately benefit from the fixes too. Say all you want about how long IE takes to get updates, at least it updates all products that use its components when it does so.

Not so with Firefox. Since the rendering engine is redistributed by copy and paste of code that then needs to be compiled, the rendering engine is never shared at the component level, not even between Mozilla's own products (Firefox and Thunderbird for example.) True: that targeting open source and multiple platforms makes this a much harder proposition for Gecko...though that is hardly an excuse to bash other products trying to use your rendering engine, particularly when that same product does not seem to suffer from the issue when switched to use your competitor's render mode.

Single Instance Browsing

As a developer, I love the fact that I can launch multiple IE processes at the OS level, so that I can start multiple sessions with my webservers. In fact, this is one of the few reasons I still use Internet Explorer... because it is a real drag to test web application development with Firefox (I am not talking about testing HTML or DHTML, but testing things like load balancing, single sign-on and other server related development). Why Firefox insists on a single OS process is beyond me.

Perhaps it has something to do with the awkward User Profile concepts it inherited from Netscape 4 days? I say this because I noticed that I can't even use my firefox profile if an instance is already started in another OS login session on the same machine due to the locks on my firefox user profile - eg. When using Windows Terminal Server. As far as I know this is one of the few Windows apps that suffers from this annoyance.

In my experience this flaw only compounds the issue of the first. I frequently use both the Mozilla Suite and Firefox to get around the issue of single process on the OS. Well, that means that when one needs an update, I need to stop and update both products.

I hope that all the feedback you got on this post make you think twice next time about how the goodwill of a community can quickly turn against you if you assume this arrogant position that you are better than others. We know that already. So keep doing the things that make you better, instead of resorting to name calling.

(DID you even consider, when posting your blog, that a large number of firefox users are probably still running 1.03 and that in doing so you are only making the exploit code even more readily available to malicious site operators?)

Posted by: Peter Hammer at May 25, 2005 11:39 AM

Frankly, I think this is blown way out of proportion.

The fact is, some flippin' idiot at AOL made the decision to release Netscape 8.0 based on code that was already known to have security flaws for which a *public* fix had been available for over a week.

It was a stupid decision on AOL's part, and the fact that they came out with 8.01 the next day proves that they could have released a 1.04-based 8.0 in the first place, and that they cared more about an internal deadline than "holding the presses" to fix a known security flaw.

Telling the truth here isn't "being like Microsoft", isn't "spreading FUD", isn't "not being a team player", etc. While I disagree with Ben that redistributions *can't* plan better/faster releases, I'm more interested in Mozilla's *long-term* reputation, and if a big stink hadn't gone out about this to cause AOL to patch up, who knows how many NS users could have been compromised due to AOL's flawed distro, which would have unduly hurt all related projects.

Posted by: Richard Tallent at May 25, 2005 12:05 PM

@Richard: I believe AOL did that because they cared more about money than safety. AOL, as stated above, is a for-profit company; they burnt lots of 8.0 CDs to send to people to get them into Netscape, which in turn would have got people onto their Internet service, and thus money.
If they had to reburn the CDs, they'd lose money.
Instead they send out the CDs with the core of the code, and then allow people to download a small update.

It's what happens when profit companies use the GPL.

Posted by: Rotten at May 25, 2005 12:37 PM

This is retarded... All Ben said was that third party redistributions couldn't release security updates until Mozilla released security updates... OK, isn't this the way it would obviously work?

Posted by: Russ at May 25, 2005 1:26 PM

Mr. Cassia is praising Netscape for their quick fix of the bugs. But why? Firefox 1.0.4 was released a week before Netscape released their software.

Ok, so 1 week isn't enough time for the Netscape team to update their base code to use Firefox 1.0.4. But 24 hours is enough time??

Netscape should have never released v8 without fixing the latest bugs. I guess they hoped nobody would have made a big deal about it.

Posted by: Dave at May 25, 2005 1:44 PM

All the success has gone to the heads of the bigwigs like Ben. Usually that is the downfall of a company. Also, resistance to major change after they develop something that is fairly successful. Google will only go down from here. Why? Because they develop everything as barebones applications. What happens when high speed becomes universal, Longhorn shows up, and PCs aren't as slow as they used to be? People will want more features because in the future more features won't mean slower loading times. Your business model will soon be based on an expired paradigm. Google will go the way of Altavista and people will look at Firefox like Netscape is looked at now. That's why Ben is so nervous. What happened to Netscape is going to happen to his product. Keep posting things like 'mozilla will take over the world' and acting anti-social and your failure will just be brought on faster. But then again your failure is inevitable because your flimsy open source project may get freelance programmers to design a flimsy pull down search bar but I don't know about them working for free to design what MSFT has in store for 7.0.

Posted by: Sergey at May 25, 2005 1:55 PM

You have done Firefox far more damage than anything Techweb or anyone else could have done with your comments. Thanks for trashing the image that Firefox had built for itself as the anti-Microsoft browser. The project was based on allowing and promoting other versions than IE, which currently rules the market to the detriment of all; now you've made Firefox look as if it wants to be the next IE. Please apologize.

Posted by: NYKrinDC at May 25, 2005 2:38 PM

Ben, head outta the clouds!

This is OPEN source - remember? That 1.3 code might have been buggy, but it was YOUR code before they got hold of it. AOL also fixed it pretty damn quick as well. As has been pointed out, many other projects can sync fix releases - as manager for this codebase, that not happening here is more a failure on your part than anyone else's.

Quite frankly you owe them an apology (and that's a tough thing to say about AOL...)

Posted by: Richard at May 25, 2005 2:40 PM

Regarding Ben's blog, even though the big Firefox logo is at the back with the title "InsideFirefox", I never take Ben's blog as an official statement of MoFo. I believe the blog here is purely Ben's opinion. It's the sort of chit-chat content that you get when speaking with someone in a coffee house.

Regarding the content, I find it very true. For anyone who has experienced coding before, it's always faster for the software's owner to fix a flaw. And for any other partner which depends on the fix, they still need to integrate it into their product. Unless a special measure is taken between the two parties, there is no way that an outside partner can fix it in a blitz of time.
This 'fact' reflects another low point of OSS which should be encountered. Among those big OSS projects, hopefully there's a reliable mechanism to sync patches among parties at FIRST TIME.

The media has stirred this blog's content way too far out of context. Among other things by associating Ben with MoFo, and even claiming 'mozilla blasts netscape...' kinds of things. OSS supporters should be intelligent enough not to be taken in by trolls.

Even though I agree with the content of the post, I found it a bit 'bashing' for Netscape users. I hope that the next time Ben posts similar 'critics', he would rephrase the sentence. Posting an exploit in a public space is much like divulging your family's defects. Even though it's a fact, nobody likes to be on that stage.

Hmmm, I haven't seen Ben's reply. So what's your take?

Posted by: robin at May 25, 2005 3:32 PM

Ben,
I still think you're awesome, if it matters any. I don't know anywhere near enough about the background to give a valid opinion even, but I think it rocks that you call it like it is...

Posted by: Marybeth at May 25, 2005 5:12 PM

Grow up. Firefox *is* a redistribution and if distributors can't keep up with Mozilla Foundation's own distribution, obviously the process isn't open enough.

Posted by: classup! at May 25, 2005 6:19 PM

YOU WILL NOT GET AWAY WITH THIS BEN!

Posted by: Netscape at May 25, 2005 6:26 PM

Geez, I feel a little less motivated to root for firefox after that snide little post :(

Posted by: Jason R. Kaiser Sr. at May 26, 2005 8:26 AM

Wow... Ben sure pushed some buttons here...

I guess there is some kind of code, you just don't talk like that about other non-Microsoft browsers. Like you don't betray your allies.

Maybe some Firefox developers feel like Netscape is trying to take their hard work, and use it as if it were theirs?

Missing some comments from Ben himself...

Posted by: Mads Foersom at May 26, 2005 1:28 PM

@Foersom
"Maybe some Firefox developers feel like Netscape is trying to take their hard work, and use it as if it were theirs?"

Gee, I thought that was the point of Netscape releasing their code.

Posted by: Micah at May 26, 2005 10:31 PM

Some notes:

It's possible to create a distribution of Firefox that touches none of the core code, simply by layering UI over the top in the form of an Extension.

Netscape chose not to do this, because they wanted (IMO foolishly) to bundle the IE engine. They are certainly free to take this path if they want, the code is MPL, but I am also free to pontificate on the foolishness of it.

As far as Firefox also having this flaw 3 weeks ago, yes it did, but we weren't the one releasing a major new product with known cross site scripting and remote code execution flaws.

Michaell: We are currently working on a comprehensive new update system. If you'd like to help with that instead of bitching in blog comments, feel free to do so.

Posted by: Ben at June 1, 2005 6:05 PM