ANOTHER Firefox Patch – Update Now!

Mozilla likes to advertise Firefox as “The faster, more secure, and fully customizable way to surf the web”. Obviously, Mozilla doesn’t subscribe to the principle of truth in advertising.

In the first place, Firefox is NOT the fastest browser available; it may be the most customizable, but it is a long way from being the most secure.

Until recently, any mention of Internet Explorer’s safety record, amongst my techie friends, was sure to draw a huge round of laughter when compared with Firefox’s record. But, no longer.

For the umpteenth time, in just a short time frame, Mozilla has released a patched version of Firefox – this one is version 3.5.2, to address the following issues:

Fixed in Firefox 3.5.2

MFSA 2009-46 Chrome privilege escalation due to incorrectly cached wrapper
MFSA 2009-45 Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)
MFSA 2009-44 Location bar and SSL indicator spoofing via window.open() on invalid URL
MFSA 2009-43 Heap overflow in certificate regexp parsing
MFSA 2009-42 Compromise of SSL-protected communication
MFSA 2009-38 Data corruption with SOCKS5 reply containing DNS name longer than 15 characters

In just over a month, since the release of version 3.5, we have had to download and install two patched versions due to severe, or critical, security issues. I’m not laughing; this is a continuing saga with Firefox and it’s not getting better. If anything, it’s getting worse.

The only thing that keeps this unreliable browser on any of my systems is the add-ons. Without this customizing ability, Firefox – you’d be gone!

If you haven’t updated yet, I strongly urge you to do so.


25 responses to “ANOTHER Firefox Patch – Update Now!”

  1. Nobody

    Firefox 3.5.2 breaks downloading of ogg audio files – they’re unavoidably saved as ogg-video files. Or, I should say that Firefox attempts to save them as ogv files, but never actually downloads and saves them.

  2. Hi, Bill! Our goal is to try and update as quickly as possible to get fixes into users’ hands. Sometimes this means that we update frequently. As an example, 3.5.1 was turned around in 48 hours from the release of a proof of concept exploit. And we had no warning before it was public.

    So we worry about the time-to-fix as opposed to the number or frequency of releases. Firefox’s userbase happens to update pretty quickly when we release an update and this often means that our users are also the safest. The faster you can get fixes into people’s hands, the less likely they are to run into something that’s exploitable.

    We also schedule releases every few weeks to fix known problems and fix non-severe and non-critical security fixes. But sometimes we get something that causes us to release early. In the 3.5.1 case it was something that was given to us without warning. We had scheduled the 3.5.2 release to happen just after two major security conferences – blackhat and defcon – because we were told ahead of time that there would be some security problems with Firefox discussed and we wanted to have fixes in place. So we ended up with 3.5.1 and 3.5.2 being close to each other.

    We’ll likely do a 3.5.3 in a few weeks to catch a bunch of new bug fixes and any security problems that come up.

    Last, I would point out that all browsers have security problems. And it’s how you respond to them that counts. So that’s why you’re seeing frequent updates from us.

    • Bill Mullins

      Hi Christopher,

      Thanks for the explanation – it makes good sense.

      I have been a huge fan of FF since day one – and I do mean day one. In fact, I can’t recall the last time I launched another browser; other than for testing purposes. Recently, I remarked to a fellow tech, that it would take a stick of dynamite to move me away from FF.

      Your explanation has removed a certain anxiety, and a sense of worry, that I might have to give up my beloved FF and my stable of crucial add-ons.

      Cheers,

      Bill

  3. Kat1110

    I’m afraid I have to agree with Christopher on this one, Bill. I would rather update to correct security flaws as quickly as possible and do not look at it as an annoyance. On the other hand, I stay away from using IE because of Microsoft’s history of sticking to their scheduled updates and very rarely (with the recent IE patches one of the few exceptions) patching problem code on a timely basis. That has been a long-time issue with IE and I was actually rather amused to see someone complaining of too many too soon with Firefox. No, with all the extensions that most of us can’t live without, Firefox isn’t the fastest, but it is safe, because they push out the updates so quickly to us. And I say keep ’em coming!

    • Bill Mullins

      Hey Kat,

      I sit here slightly abashed, and with my head down – way down.

      Just as with Christopher’s, your points are well made, and I take them to heart.

      At the risk of offending Winston Churchill – This was *not* my finest hour. It will be a long time before my group will let me forget this one. Ha!

      Thank you for commenting, very much appreciated.

      Bill

  4. You shouldn’t hang your head on this – a lot of people see frequent updates as a sign of trouble. Just important to realize that it doesn’t mean what you think it means. 🙂

  5. Mr. Mullins,
    It is MHO that IE 6 was/is the “most hacked” piece of software ever written (Adobe being a close second?) and did much to drive people into the arms of Firefox.

    But I have personally experienced instances when IE 7 — aided with SelectView and SpywareBlaster (as well as my normal “layered” firewall/AV/Anti-spyware) — prevented an attack that got through Firefox with NoScript.

    And then I have also had the opposite experience.

    That is why I like browsing within a sandbox — such as SandBoxie.

    SelectView = http://download.cnet.com/SelectView-Filter/3000-12512_4-10658595.html?tag=mncol
    SpywareBlaster = http://download.cnet.com/SpywareBlaster/3000-8022_4-10196637.html?tag=mncol
    SandBoxie = http://download.cnet.com/Sandboxie/3000-2144_4-10371434.html?tag=mncol

    • Bill Mullins

      TechPaul,

      Thank you for this. I have some experience with the programs you have listed and I agree.

      Bill

  6. Bill,

    This goes to show that your blog has a following at Mozilla… I too was getting a little worried about the update frequency and started to question it; BUT I guess we are looking at the negative side instead of the positive side. Nice to know that Mozilla is “really” on top of things.

    Rick

    • Bill Mullins

      Rick,

      I think I had one of those “the glass is half empty” days, and didn’t take into consideration the positive aspects of regular updates. I’m glad of the discussion this has provoked.

      Thanks for stopping by.

      Bill

  7. proview

    Get your head back up, Bill, there’s no shame in voicing an honest opinion. While it is a good thing that updates are released so quickly, it doesn’t do a lot of good for user confidence.

    You’ve been around long enough to know that if you publish anything negative about FF then you risk a public rebuke from dedicated FF users 🙂

    Everyone is entitled to an opinion, an opinion which I, and many others, happen to agree with.

    No browser is perfect, it’s just that some people don’t like to admit it.

    So as far as this post goes, well said.

    • Bill Mullins

      Hey Proview,

      A point well made – my confidence was also a little shaken with the recent rollouts of FF patches.

      You’re right, in that we all are entitled to an opinion, but in this case I regret that my opinion was not as balanced as I would have liked. Overall my view sounded like a rant, and not as factual as it should have been. As I said earlier, I think this was one of my very infrequent “the glass is half empty” days. But hey, it sure provoked some good discussion and that’s always a good thing.

      As always, thanks for stopping by, and for taking the time to comment.

      Bill

      • proview

        Maybe your post did sound like a rant (slightly), but I still think your point was valid. Constant security updates to any application make people ask questions and, in time, begin to dent the users’ confidence in a product.

        While we’re on the subject, I’d be interested to know your thoughts on the urlclassifier3.sqlite file which FF uses to store data for phishing sites etc, and which can grow to quite an alarming size on your HD.

        Most users don’t even know it’s there, or that each time you start FF it contacts Google servers to update the list, which in turn increases the file size.

        While I agree that FF is indeed a safe browser, it does seem to come at a cost in terms of constant updates (lately) and the use of resources, especially to those using notebooks etc.

        • It turns out that given the moving nature of where danger lies on the internet – both in terms of sites that might be dangerous, but also in terms of how software might be exploited – that you need to do constant updates. We do that with Firefox, as I’ve mentioned, but we also do that with malware sites. The database that you mention is important and it’s important that it’s kept up to date.

          The other option might be to look up every site before you go to it, but that has serious privacy implications, not to mention the performance of looking all that stuff up before you go to a site.

        • Bill Mullins

          Hey Proview,

          Sorry for the delay in getting back on this – took some time off yesterday.

          I was unaware of the issues around the urlclassifier3.sqlite file, until your note. I must admit, I have not had any issues with this. I did a quick informal poll within my tech group, and this issue did not seem to be a concern. On the other hand, I saw in the forums that there can be issues for those running, as you suggest, notebooks etc. You’ve taught me something here, thanks.

          I’m guessing that you personally may have had an issue with this, and I wonder if you would consider writing a guest article outlining your concerns. I think readers could really benefit.

          I look forward to your reply.

          Best,

          Bill

          • proview

            Bill, you’ll have to pardon me for not replying earlier but I’ve had to wait until the weekend to find the time to do it properly, so sorry about that. I’ve given your reply some thought and have decided that it’s better to do this in segments.

            First; The reason for me posing the question was because I was interested in your thoughts on the urlclassifier3.sqlite file and if you had encountered any problems with it, no more than that. I was curious because the file size seems to vary on different machines, at least on the ones that I have come across personally. I wondered what the reason for that might be. The size of the file on my personal PC sits at 30.89 MB, but I have seen it at over 40 MB on some laptops and on one it was over 50 MB, so I was puzzled by this.

            Second; The gentleman who left a reply to the question, Mr. Blizzard, is obviously much better qualified than me to enlighten your readers on the reason for the size of the urlclassifier3.sqlite file and its use. Therefore, if anyone was to write a guest article on the subject then surely it would be him, due to the position he holds at Mozilla; however, I am very flattered at your request.

            Third; I am fully aware, myself, that the file is an important part of Firefox and that it should be kept updated. The question is the varying file size and the possibility of high CPU usage being caused on the initial start-up of Firefox, which can have an impact on some older PCs and, as I mentioned, notebooks. I believe that this could be the reason as to why Firefox takes a while to load on some machines, due to the fact that Firefox contacts the Google servers to update the database (plus loading various add-ons), which is, again, something that I have witnessed first hand.

            In conclusion, I would like to say that I feel very comfortable using Firefox to browse the internet, as far as the safety aspect goes, and have installed it on many machines and encouraged the owners to use it, as opposed to the less secure browsers around. But when those same people ask why they have to keep updating the browser (FF) lately, and why it sometimes takes so long to start when they click the icon, it’s nice to be able to give them an answer; this is the reason why I commented on your post originally. It doesn’t take long for some people to start drifting back to their old habits and using IE because of the slow start and frequent updating of Firefox and that, in my opinion, is not a good thing. Perhaps this was the point you were trying to put across in your original post? … your slight rant, and that’s why I still agree with what you said, “glass half empty day” or not.

            Once again, sorry about the delayed response. But thank you for your time, and that of Mr. Blizzard. It’s very much appreciated.

  8. Hi Bill,

    I tried Firefox once but the add-ons slowed my laptop down too much. I used Google Chrome from when it was launched as it was blisteringly fast compared to the other browsers. However, when I read that Google was collecting information without users’ knowledge I stopped using it.

    I now use Opera 10 Beta 2. I have used Opera for quite a while now. It has NEVER crashed on my laptop. It has NEVER done anything but work day after day, without any problems. It doesn’t slow my machine down. It looks really good. It has some great features. I can’t fault it.

    Maybe someone with your experience may know of some flaws but it works perfectly for me. (I hope it is safe and secure).

    I have no idea who makes it. I think that says a lot about the company, I don’t need to know because it works.

    Have a good day, Bill.

    Paul

    • Bill Mullins

      Hi Paul,

      You’re right, Opera makes a great browser. I recently tested Opera 10 Beta 1 and was blown away with the speed – I was truly amazed.

      I have to admit that I’m not aware of any security issues at present with Opera. You can be sure that if any come to light, you will read it here.

      BTW, happy to hear your vacation was so successful. Like you, I was amazed and charmed by Nova Scotia – great place and great people.

      Talk to ya later,

      Bill

  11. release first patch later