
Firefox Update Kills Bugs, Adds Mac Support 232

Juha-Matti Laurio writes "Several vulnerabilities are fixed in version Firefox 1.5.0.2, which was released on Thursday. In addition to security patches Firefox now includes some stability enhancements and, as expected, includes native support for Apple Computer's Macs with Intel processors. Secunia has a detailed advisory about vulnerabilities fixed with this release."
This discussion has been archived. No new comments can be posted.

  • Re:It still leaks! (Score:5, Insightful)

    by somersault ( 912633 ) on Friday April 14, 2006 @11:01AM (#15129384) Homepage Journal
    Isn't the memory 'leak' just the caching of pages, that you can disable by typing about:config in the title bar, and change "browser.sessionhistory.max_entries" to a lower value? Firefox keeps the last few pages in memory to increase speed when you browse to a previously used page.
  • Re:It still leaks! (Score:1, Insightful)

    by PyroPunk ( 545300 ) on Friday April 14, 2006 @11:03AM (#15129402) Homepage
    Something that other tabbed browsers (Safari, Opera, IE7) can do just as fast, or faster, without the caching.
  • Re:It still leaks! (Score:3, Insightful)

    by Dan Ost ( 415913 ) on Friday April 14, 2006 @11:04AM (#15129414)
    Could you be a little more descriptive of the memory leak problems that you're experiencing?

    What platform are you on?
    What version of Firefox are you running?
    What extensions do you have enabled?
    What types of things are you doing when you notice the memory increasing?
    Are you legitimately using more memory or is it actually a leak?

    C'mon, man, give us something useful.
  • by Anonymous Coward on Friday April 14, 2006 @11:06AM (#15129436)
    Considering how much Firefox gets touted as being superior to M$IE, I'm concerned about the sheer number of "arbitrary code execution" fixes that were in this 0.0.1 version increase. Maybe it's not as secure a codebase as the foundation thought?

    How does a browser that doesn't even run ActiveX GET arbitrary code exploits???

  • by geoffspear ( 692508 ) on Friday April 14, 2006 @11:09AM (#15129455) Homepage
    If there's only one user of a piece of software, a bug that allows execution of arbitrary code is still critical.

    Next you'll be telling us that any bug in Windows is merely "serious", not "critical", as the DoD isn't running Windows on the systems used to control nuclear weapons launching, and that "critical" is too strong a word to describe anything that couldn't possibly result in the annihilation of all life on the planet.

    While we're at it, why not redefine "bug" as "a flaw in software that will literally kill the user" and claim that Firefox is completely bug-free?

  • by Zocalo ( 252965 ) on Friday April 14, 2006 @11:11AM (#15129476) Homepage
    I suspect that some of these are bugs found by HD Moore of The Metasploit Project [metasploit.com] in Firefox last month - some details here [theregister.co.uk]. We can probably expect a similar slew of updates from Microsoft in a future "cumulative update" for Internet Explorer since there were more than 50 brand new flaws (not all critical) found in IE as well.

    Take a close look at the techniques used, and it's no wonder those "criminal cracker gangs" we keep hearing about have no apparent problem coming up with fresh 0-day exploits to sell if they are applying something like this. The only defence against this is going to be that you ship robust code that you can guarantee will handle any malformed data gracefully from day #1. That's going to take some getting used to in places like Redmond, WA where the "if it compiles, ship it" approach seems to have been the standard for so long.

  • by LiquidCoooled ( 634315 ) on Friday April 14, 2006 @11:14AM (#15129504) Homepage Journal
    It did it again.
    I have Firefox set to inform me that there's an update.

    In my eyes that update check should only occur when I open a window, NOT when I'm in the middle of typing.
    I saw a flash of something whilst I was typing and realised I had inadvertently accepted a popup box.

    I want to set Firefox to inform me of updates, but make sure it only does that when opening a new window or tab (so it knows I'm not actively typing).
  • Re:It is nice (Score:3, Insightful)

    by LiquidCoooled ( 634315 ) on Friday April 14, 2006 @11:21AM (#15129564) Homepage Journal
    It still updates in the middle of use.
    The default button is still focused and easy to accept.
    If it only displayed this update message upon startup/New tab/window then I wouldn't have a problem, but if it detects an update mid session then it pops up then taking away focus.
    I personally preferred the update throbber in the top right.
  • by Anonymous Coward on Friday April 14, 2006 @11:24AM (#15129609)
    Because programmer errors cause exploits, not ActiveX. Don't swallow the groupthink you read on Slashdot.
  • by maynard ( 3337 ) on Friday April 14, 2006 @11:25AM (#15129614) Journal
    Ah. I see. You're here to help me learn what is a "real" browser and what is not by linking to a commercial product. You are a walking advertisement with an anchor tag. Most helpful.
  • Hold on there (Score:5, Insightful)

    by dereference ( 875531 ) on Friday April 14, 2006 @11:28AM (#15129643)
    With only 1% of users on Firefox, they can hardly be considered critical. Any vulnerability in Internet Explorer is automatically 99 times as bad, due to its user base.

    Be careful with this line of reasoning. All along there's been this mantra of "Firefox is inherently more secure, and would be even if it were the dominant browser" spouted continuously. Well, I happen to think the GP makes a great point about this, and your reasoning seems to fly in the face of the mantra. Don't get me wrong--I'm one of these said spouters--but I'm honestly feeling more than a bit hypocritical at this moment. These are some damn serious issues, and it's not just a handful.

    Now, I suspect the reason for this is that the Firefox community as a whole (users and developers) are far more pre-disposed to actually finding and publicly disclosing such bugs. My guess is that we really only see the tip of the IE iceberg in terms of security.

    However, we still can't have it both ways; these are indeed very critical bugs, and to dismiss them otherwise may seem beneficial, but it's actually a great disservice.

  • Re:It still leaks! (Score:4, Insightful)

    by everphilski ( 877346 ) on Friday April 14, 2006 @11:30AM (#15129664) Journal
    When you close those 60 tabs, firefox should free the memory. It doesn't.

    Who cares?

    Seeing as that memory is now lost and unusable you **should** care. It is a sign of sloppy design anyways and the other two (Opera and IE) don't seem to have problems with memory leaks...
  • by Anonymous Coward on Friday April 14, 2006 @11:44AM (#15129788)
    Yes, we all know. The developers say that the memory cache explains the leaks.

    THEY ARE LYING.

    Everyone needs to understand that. They are lying.

    Opera has a far superior memory cache feature for going forward and backward. Yet it doesn't leak up to 1GB of memory in a day's worth of use.

    The Firefox memory leaks are a BUG, and not caused by any feature (other than poor memory management). They're caused by poor design and sloppy coding, period.
  • by CTho9305 ( 264265 ) on Friday April 14, 2006 @12:19PM (#15130121) Homepage
    Maybe because the Mozilla Foundation is smart enough not to take big risks with security releases? They got a lot of heat with 1.0.x from distributors, since they included more fixes than just the security fixes and major stability fixes, so now the 0.0.0.1 increments will only fix very very low risk (or very high-impact) issues in security releases.

    It might seem like a fix is simple, but when you have a really large codebase and millions of web pages doing strange things, it's very easy for a "simple fix" to significantly change rendering results. Sure, in this case you personally would like the change, but imagine if you had a corporate intranet which for some reason depended on that specific alignment being unsupported. You distribute the security update, and suddenly it looks wrong. You'd be flaming the Mozilla Foundation for changing non-critical things in a minor point release.

    That's why old branches are supported (i.e. Firefox 1.0.x) long after a new release is available - people don't want to have to worry about non-critical changes breaking things for point releases.
  • by starwed ( 735423 ) on Friday April 14, 2006 @01:04PM (#15130505)
    You do realise that, if this works, it isn't really leaked memory?
  • Re:It is nice (Score:2, Insightful)

    by jthill ( 303417 ) on Friday April 14, 2006 @01:08PM (#15130550)
    But popping a focused "accept" button at random times is near criminal, no matter who does it. Yah, go ahead. "Redundant". I say that bears saying until everyone on the planet is sick of hearing it, and then saying it some more. Kind of like telling kids to look both ways before crossing the street.
  • by pen ( 7191 ) * on Friday April 14, 2006 @01:30PM (#15130789)
    The pop-up is a good idea, but I think that it should have that delay feature that other pop-up dialogs have (where the buttons are disabled for a few seconds.)
  • by elliott666 ( 447115 ) on Friday April 14, 2006 @02:05PM (#15131152)
    It would be interesting to see how many times the automatic update is downloaded. At first glance it seems like that might be a good way to get some sort of idea as to how many people really are using Firefox.
  • by opensrvtech ( 968516 ) on Friday April 14, 2006 @04:34PM (#15132471)
    This update scared the hell out of me. I couldn't tell if a 3rd party app had mysteriously been installed or if it was a trusted update from Mozilla... There was no information available in the popup itself and the update/release notes had not yet been released, were not loaded into a tab or window and had not hit the web or cleared my ISP's cache. Yet, I get a popup telling me that, basically, I may or may not be fucked if and when I permit Firefox to reload. It's important to facilitate end user verification and awareness of what a trusted 3rd party is about to do to their machine.

    This is bad protocol. Many (and I mean MANY) 3rd party nightmares identify themselves as proper patches for trusted titles. Firefox's update looked exactly like several of them. It's IMPORTANT TO CLARIFY WHO YOU ARE AND WHAT YOU'RE DOING. This could be resolved in any number of convenient, non-frightening, ways (All of them, too obvious to list).

    It would be of tremendous value to the more paranoid side of geekdom if Mozilla/Firefox also forced release notes to load at the time of notification of an update. It took me more than 4 hours to give in and run a complete system backup to DVD... all because my browser wanted a restart.
