Firefox 2.0.0.2 with some bugfixes
The Mozilla Foundation has released a new version of the popular web browser Firefox. I realized that when a small popup appeared on my screen with brief information about the newer version. The Firefox 2.0.0.2 release includes a fix for a bug disclosed by security researcher Michal Zalewski last week. That flaw can be exploited by attackers to manipulate cookie information in the Firefox browser, making it probably the most important fix in the update, according to Window Snyder, Mozilla’s head of security strategy.
The updates also include a fix for a previously undisclosed memory corruption flaw in the browser that could be exploited to run unauthorized software on a Firefox user’s computer. This flaw could also affect Thunderbird users who have configured their mail client to run JavaScript automatically, something that Mozilla does not recommend. Thunderbird is Mozilla’s free e-mail client. Mozilla has patched a total of seven Firefox bugs and is also addressing two bugs in Thunderbird. Although new versions are released quite often, I’m still facing this memory bug (or feature?), which results in Firefox consuming 200 MB of memory after a few hours of browsing…

Comments(39)
grabbing this
yes it really eats my memory up, can’t use convert x to dvd and firefox at the same time without low frame rates
http://www.mozilla.org/projects/security/known-vulnerabilities.html
to all renegade nerds who were brainwashed with “targetized marketing” and think that Firefox is more secure, better and faster than IE.. TAKE THAT!
ie7 ftw
@Jonny
The list of bugs and security holes in the history of IE is at least 40 times longer than that of Firefox, so don’t even start.
At least with Firefox, the few bugs it has won’t allow an attacker to take complete control of your pc like Windows/IE bugs supposedly do.
No program is completely secure or bug free, but Firefox is damn close.
So you keep using IE like a good little fanboy and don’t come crying here the next time your browser gets hijacked.
i use IE never got a virus or got hijacked.
some people will get powned even with firefox 32.
This is what I mean by the ridiculous and biased “reporting” on this site. If these flaws had been exposed in IE, Martin would be screaming what crap MS is and how YET ANOTHER security flaw had been exposed and on and on like a jackass. Instead, he gives Mozilla a pass because he likes them, even though he’s PERSONALLY experiencing problems with the browser. I like FF and use it myself, but if you’re going to bitch and cry and flame about MS every time a small security hole is exposed, be a man and do the same when there’s one in Firefox.
@ SyntaxError – The reason flaws don’t get exposed in FF as much is the same reason Macs don’t have many viruses…not enough people use them, so nobody gives a shit. In fact, more holes typically exist in FF than in IE. Don’t believe me? http://www.infoworld.com/article/06/09/25/HNbrowserbugssurge_1.html?source=rss&url=http://www.infoworld.com/article/06/09/25/HNbrowserbugssurge_1.html
Ya my firefox keeps messing up quite often, like twice a day causing it to use up most of my memory and nearly 90% of cpu… It’s very annoying.. But it’s still a lot better than IE 7.. every time that loads up it just stays loading until it says it’s not responding.. and so on…
Thanks but no thanks. I don’t like browsers that come with memory leaks and which, after a few hours, cause my computer to freeze.
http://weblog.200ok.com.au/2007/01/browser-security-by-fix-rate.html
You people aren’t actually trying to say that Microsoft’s browser is more secure and reliable than…well…anything, are you?
That’s just so far beyond stupid, I’m speechless. Where have you people been for the last 5 years of Microsoft screwing up the Internet by allowing hundreds of mindless exploits to slip through their fingers while the rest of us suffer the fallout from the assaults?
Worse, many of the problems Microsoft was well aware of long before they bothered to fix them – they waited until it became a media field day and had to do something to avoid looking negligent (which, of course, hurts sales – which is all they really care about).
You’re the same people putting Windows machines on the Internet with no hardware firewalls in front of them and opening every attachment you see in your inboxes.
No, Firefox isn’t perfect, but at least they take care of their problems and actually care about the people using the fruits of their labor, whereas Microsoft…doesn’t.
damn, it looks that this upgrade automatically deleted all my saved logins! this sucks
“Moderating” my post for what, Martin?
Firefox’s ‘memory leak’ is actually a feature. The damn thing stores pages you’ve visited in cache in RAM. There was a way to disable this thing, involving some config editing but I don’t remember it as it’s easier for me just to close FF once in a while. No big deal…
Hey… I understand that IE in the past had lots of extreme critical bugs.. but hey! it was the only reasonable browser we had.. (remember opera & netscape those days?)
and I know today IE isn’t the most goodlooking or add-ins friendly.. but we are here today… and today IE has become the most RELIABLE and compatible browser no doubt.
now i’ll go to bed and cry like you said…
Martin something like that happened to me as well.. All my bookmarks were deleted for no reason..
I didn’t know why… But when you said that it reminded me that it did happen after I updated it but I didn’t notice because I didn’t restart Firefox for a while and forgot… Anyway AHhhhh it’s annoying!!!!
Jonny, you’re right
Fire sux!!
anyone looked at windows media player 11, to me that too can be memory hog at times………
The guy’s name is ‘Window Snyder’?!??!
Opera.
> Hey… I understand that IE in the past had lots of extreme critical bugs.. but hey! it was the only reasonable browser we had.. (remember opera & netscape those days?)
I think you’ll find that the first versions of IE were strongly based on code from Mosaic (which existed before netscape or opera). If my memory is correct they even credited Mosaic in the original IE
Not tryin to open a can of worms.. Has anybody tried Maxthon.. This was recommended by a friend.. Thought I’d give it a try but it could have the same type of bugs [any insight], as both Firefox & IE have been doing a lot of timing out on me. Does this update fix this problem
1.8MGz 512mem–my sys
Didn’t have this problem W/Firefox at the beginning
and so the IE7 and Firefox 2 battle continues…lol, i personally use firefox, nothin against IE, which never gave me trouble, but i heard that Firefox is secure so i changed, plus i like tabs which IE copied from Firefox. That’s why i like Firefox
It’s not a problem to restart firefox or harddisk. When it gets too much I just restart.
@ Martin and James:
The passwords were not deleted…you can still find them.
Look under ‘extra’ –> ‘options’ (or something similar). Then go to the ‘security’ tab and then you must see some option like ‘show passwords’. There they are…
You are gonna have to fill them in again at all those sites (when you need them). Once you did that, FF will remember them again…Easy
I usually use FireFox, but in the last few weeks i´m trying Opera…..with big success…Opera is getting my respect
I like Mozilla products, but I cannot use the download manager in Firefox, but SeaMonkey works fine. Maybe this fix of version 2 makes download manager work again.
Those whinging about memory consumption are clueless. (This includes the above posters: ck, James, and Lothos)
In Firefox, enter in the web address line:
=> about:config
Then enter in the “Filter” line:
=> browser.cache.disk.capacity
Based on how much system memory you have enter the following to modify the value:
For 128MB to 512MB RAM => 5000
For 512MB to 1GB+ RAM => 15000
(These are typical values that work for most people. You may use other values if you wish, depending on your web surfing habits).
Then restart Firefox.
For some stupid reason, they set it to something like 200000!
(I would like to meet the person who did this and smack them on the back of the head for this stupidity).
You wonder why people are having memory related issues!
Then come these clueless IE lovers that claim everything is a memory leak! Do you have any idea of what a memory leak is? Do you know how to detect and identify one? Do you know how to correct it? I bet you all they don’t. They’re just echoing what others have said. (It’s the internet version of “Chinese whispers”).
You really want to know why I use Firefox?
Because it’s the only browser that works on the multiple OSs I use and it’s open-source. (allowing me to look at the source code…Which I could use as an example to study for programming. Maybe re-do what they’ve done in a better way.)
It’s the only browser that has plugins or extensions that give me FULL control of what ad, Java or Flash crap gets loaded on screen. (Thereby further reducing memory consumption).
Firefox gets better when you DO NOT use it on Windows. When you build your own system from scratch, with something like Linux or BSD, you can keep it thin and fast. Firefox seems to be very responsive in this scenario.
mmmmmm efwe4…..the value in browser.cache.disk.capacity is the size of the disk cache that you choose in tools/options/advance/cache * 1000
Try enter 12 and this var will show 12000, etc
it’s quite simple
the more popular the software, the more attackers try to attack it and thus the more vulnerabilities it has.
the newer the software, the more secure it is.
as firefox reaches a high popularity, it’s bound to have certain flaws detected.
but firefox was built around the idea of a browser better than IE.
personally i love firefox 2
efwe4 : point taken, thank you for the insight.
but didn’t you mean browser.cache.memory.capacity ?
ad3z: Nope. It’s => browser.cache.disk.capacity
(There is NO browser.cache.memory.capacity entry.)
The default value is WAY too high. I discovered this when I was looking around in the source code, and checking what all those options did.
You save about 70MB or so of RAM when you implement the change I mentioned above. (I find that based on my surfing habits, the Windows version doesn’t go above 100MB of RAM no matter what I do).
If you really want to test the robustness of Firefox, try opening more than 200 tabbed windows. Then repeat with IE7. Do the same with Opera.
Just abuse those browsers and see which one comes out on top. That’s how you test software. (Pretend you’re a typical desktop user and just click at anything and everything! Really punish it!)
Regarding software security.
The issue with IE is that it’s linked to Windows. An IE problem becomes a Windows problem…Which results in a potential issue for the whole system. Microsoft is willing to accept this compromise, because they need to keep IE bundled with Windows in order to remain the dominant browser. (They know the majority will not try another solution because it’s human tendency to accept what’s given to you in the case of complex technology).
Browsers like Firefox and Opera aren’t linked to the operating system itself. You’ll find that security issues are often because of the browser itself OR because of Java scripting. (Like in the recent case of Firefox).
I know the current version of the Java implementation in Firefox needs to be seriously overhauled and improved. It’s a potential security problem. (I can’t comment on Opera OR IE, because I don’t have access to the source code for those apps).
Security issues aren’t because of popularity. It’s mainly because of poor implementation and design decisions.
MS is renowned for security issues because of implementation and company policy. They have to make compromises to keep their dominant position. (It’s a fact that they hide quite well from the end-user).
To hide the seriousness of it, they will get their marketing team to create trivial excuses for the public. Examples include: “We’re more vulnerable because we’re more popular” and “No software is perfect”.
The first excuse is utter nonsense. Look at webserver implementations. Apache, an open-source solution, takes 2/3rd of the market while MS’s solution takes about 20%. And yet, the MS solution is hacked/cracked more.
The 2nd excuse is a blanket statement. Of course no software is perfect, but you can get very close to it when you do things the right way. Any security expert can tell you that.
So why are MS solutions hacked and cracked more?
(1) They treat security as a PR matter. They do “just enough” to keep the public happy, and hype it with their marketing team. As long as you feel safe, it’s all good!
(2) They don’t rewrite from scratch. (Because they can’t). Everyone knows IE has serious issues, because it will take too long for MS to re-implement and rewrite it. They went with the “band aid” approach because it’s quicker to implement. That is, slap on security features into the OS to delay the inevitable. (or at least it will buy them time to release a patch).
Their marketing team will add their dose into it, and people will believe its safer.
It’s not. It’s a foolhardy attempt to sell software. ie: BAD for the end user! Because it’s innocent desktop users like you folks that suffer in the long term! Have a think about why you need an AV solution, anti-this and anti-that malware app installed?
If the solution was properly implemented, you wouldn’t need all that! A good brain, some good security practices and policies are all you really need. (Of course, security companies don’t want you to have that because it’s more profitable to keep charging you a subscription service!)
Did you know that there are security technologies out there which result in you not needing an AV solution running in background (fulltime)? You only need to scan suspected files. That’s it.
(3) They overcomplicate things in an unnecessary way. If you want security, you keep things simple. That includes the implementation and the code itself.
If you ever compared the system calls for Apache and MS’s solution, you realise how overdone the MS approach is.
Complexity breeds higher probability of security issues. And takes MUCH longer to fix and patch!
Just look at their UAC in Vista. This is the current perfect example. A good idea (used actively in Unix, Linux, etc), completely screwed by implementation from MS. In fact, it’s so annoying that some people turn it off and Apple makes fun of it in their latest ad!
They aren’t creative enough to think of a better way to implement it and make it reasonably livable for the user.
(4) MS itself is unable to respond in a timely manner. Monthly updates are equivalent to a train schedule approach to releasing patches. This will take weeks to months.
Now think of electronic speeds and how fast issues can spread. See how MS pales?
On the other side of the fence, open-source folks release fixes within hours to a week at most.
As well, content providers take priority for Microsoft. They react FASTER to an issue relating to the DRM implementation than they do to their own security issues! This is fact.
Why? Fixing security issues doesn’t pay in monetary terms. Content Providers do.
(5) Everything is executable in Windows!
This is the biggest compromise in design to make it easier for the user. It’s the reason why UAC exists. (You see what I mean by band-aid now?)
In other OSs, nothing is executable unless specifically requested by the user. If it isn’t, its denied. (Which will then allow you to see a potential bit of malware trying to do something nasty).
(6) The complete lack of user education about security and good practices.
Yeap. I blame Microsoft for this. They could have actively promoted security tips and guides to ALL Windows users. They could add tutorials, helpfiles, video demos, etc, etc.
But they didn’t. They were more concerned in selling an operating system.
Now we have a generation of computer users who think they know computers but lack the necessary knowledge of even the basic security concepts!
(7) Internal bickering of MS is having an impact on everything they do.
The biggest delay of Vista is because of Microsoft itself.
The company actually consists of smaller parties that fight and bicker with different goals. One group likes and accepts open-source, the other doesn’t.
What usually takes days to weeks for something to get done in a typical software company, usually takes months for Microsoft to do. (There are too many managers to report to and to request permission to change features!)
+++++
You probably then wonder why, Linux/BSD/etc still get compromised!
This is often because of two reasons.
(1) Lack of knowledge and experience about security and the tools available to them. This often results in mis-configuration that results in exposed areas.
(2) Poor or complete lack of security policy. If you don’t conduct serious audits, how do you know you’re secure? A common one is that they didn’t keep up with updates. This is why you define some good policies!
You will NEVER find, when you dig through computing history, a case where a *nix based operating system caused as much of a ruckus on the Internet as a Microsoft solution. (Words like Code Red, Welchia, Slammer, Blaster are clear reminders of what MS has done and could have prevented)…Heck, check your firewall logs and you still will find the residue of these nasties STILL floating around!
Have a think about why Apple picked FreeBSD as part of the basis of its OSX. Granted, I don’t like Apple, but at least they’re smart enough to see a *nix solution is a good one to adopt.
What’s really sad is that even Microsoft’s OneCare Live security solution is suffering from security issues. (check their recent patches and you’ll see).
Now that’s just ironic.
MS wants you to trust them with security, and yet, their own implementations have serious security issues? Should you continue trusting them?
I wouldn’t. That’s why I left them. I don’t trust software where I can’t see the source code.
So you can see why I pick stuff like Azureus over uTorrent, etc.
****
So why do people stick with Microsoft?
I see two reasons.
(1) People just take what’s bundled with a system.
(2) Applications.
Say if an alternative suddenly appeared.
It will have a compatibility layer that was seamless and secure. But was completely compatible with ALL Windows-based applications from Windows 3.1 to Windows Vista. To top it off, it’s an option to be bundled with any PC.
How well do you think Windows will sell if this solution was completely and legally free?
At best, you will expect their marketing department to lie through their teeth to keep people to stay while they scramble to counter this new threat.
Have a think about that the next time when you hear people question why people stick with Windows.
It’s not because they enjoy it, it’s because they have to.
Think about why gamers plan to adopt Vista in the future…That’s right. It’s the only OS that will work with DirectX 10 games.
What happens if an alternative can do that without spending a single dime? How will this particular audience react? How would MS react?
You see, I’ve figured out that MS isn’t an invincible software empire. It’s just a tyrant that lies and does deals to maintain its dominant position. To break that, you have to come up with alternative solutions that render their money making model useless. As in to completely de-value their software from head to toe.
I like this guy… I totally agree that if a new, fully compatible OS surfaced, I’d be ditching XP and riding the good ship FuckMS into better waters with DX10 gaming, Firefox and Azureus
Opera Ftw.
its spelt Mozilla not mozzila
#8: The number isn’t that much bigger, but the response time to fix it is MUCH better. From that same link:
“While there may have been more bugs in Mozilla than in IE, Symantec gave the open-source project high marks for its bug-fixing. On average, it patched bugs within one day of their public disclosure — the fastest turn-around of all measured browsers. Opera came in second, averaging two days. Safari was next, with a five-day window, followed by Microsoft, which averaged nine days per patch.”
My firefox eats lot of ram too. They’re fixing that problem in version 5, due in the summer of this year. I already “built” the version and it’s looking pretty darn good.
Mozilla Firefox v2.0.0.4 Final
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/2.0.0.4/win32/en-US/
Thank you for your nice post!!