[LINK] FF 3. hits 14M downloads but security flaw discovered

Rick Welykochy rick at praxis.com.au
Sat Jun 21 12:49:06 AEST 2008


<http://www.crn.com/software/208800006>

   Firefox 3 At 14 Million Downloads

   Firefox 3, the Web browser from Mozilla, has broken the 14
   million download mark. Launched on Download Day this past Tuesday,
   the company hoped for 5 million downloads in a World Record attempt.
   The Web browser surpassed that goal, ending up with over 8 million
   downloads in a 24 hour window.

But!

<http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleID=208700715&subSection=All+Stories>
or
<http://tinyurl.com/46zeao>

   Firefox 3 Bugs Reported

   Security flaws were found in Firefox 3 just hours after the open source
   Web browser was released Tuesday.

   By Antone Gonsalves, InformationWeek
   June 19, 2008 03:00 PM

   Security flaws were found in Firefox 3 just hours after the open source
   Web browser was released Tuesday by developer Mozilla.org.

   Within five hours after the official release, security tool vendor TippingPoint
   was notified of a "critical vulnerability" affecting Firefox 3.0 and 2.0.
   The flaw could enable an attacker to run malicious code on a computer,
   the company said. Like other browser-based vulnerabilities, a person
   would have to click on a link in an e-mail or visit a malicious Web
   page to get infected.

   ...

   Another Firefox 3 vulnerability was posted Tuesday on a security mailing
   list hosted by security consultant Neohapsis. The brief posting warned
   of a buffer overflow bug in Firefox 3, but provided no details. It was
   not clear whether the flaw was the same as the one reported by TippingPoint.

   An InformationWeek review of Firefox 3 found that new security features
   designed to protect users against phishing and malicious Web sites were
   unreliable. From a security standpoint, InformationWeek found Firefox 3
   a step backward.

-------------------------------------

My observations on FF 3.0:

The new rendering engine is faster but buggy. For example, the pages
over at westpac.com.au do not render correctly with FF 3. Bits and pieces
of the page now overlap each other and are harder to read than in FF 2.
The online banking login keyboard now renders in an ugly typewriter font
with a background colour and highlighting that make the individual keys
much harder to read.

The history dropdown is now very verbose and it is much harder to find
a visited link. Each entry in the dropdown is several lines long and
contains fonts in multiple sizes and emphasis. In FF 2, the dropdown
list was a traditional single entry per line format. On the plus side,
the search for an item in the download history is much improved and
far more accurate. If you type in "abc" FF will find *any* URL with
"abc" *anywhere* in the link, something FF 2 did poorly.

The download manager page (Clover-J or CTL-J) now automatically deletes
links whose download has completed. This can be disconcerting and lead
to unnecessarily retrying a download you have already completed.

The discovery of YABO (yet another buffer overflow) in FF 3 leaves
me breathless. There are tools in C++ (the programming language
used) to prevent this, i.e. the string class in STL as well as assertion
checks. I would rather the browser raises an exception and notifies the
user if a problem arises rather than appear to be operating cleanly when
it is in fact not doing so. I've been writing code that does this for
decades. It ain't rocket surgery!

Overall I am happy with FF 3 but what disturbs me is the concentration
on style over substance. There is so much eye candy added that methinks
the developers have opted for market grab over stability and usability.

cheers
rickw


-- 
________________________________________________________________
Rick Welykochy || Praxis Services || Internet Driving Instructor

A lie can travel halfway around the world
while the truth is putting on its shoes.
      -- Mark Twain
