
Thunderbird 2.0 Alpha 1, Firefox Available

nuyorker and hdm wrote to mention the new releases for Thunderbird and Firefox. hdm writes "This release of Firefox fixes 12 security holes, many of which can be used to execute malicious code. The Browser Fun project has provided an online demonstration of one of these flaws. This demonstration is capable of executing code on Windows, Linux, and both architectures of the Mac OS X platform; you're going to want to upgrade today!"
This discussion has been archived. No new comments can be posted.

  • Available? (Score:5, Informative)

    by fyrie ( 604735 ) on Friday July 28, 2006 @05:54PM (#15802377)
    As in pushed out to you without asking you first. That was quite the surprise.
    • FF that is.
    • Re:Available? (Score:5, Informative)

      by Anonymous Crowhead ( 577505 ) on Friday July 28, 2006 @06:08PM (#15802485)
      You can turn off auto updating in your prefs if you want.

      Preferences > Advanced > Update tab.

      Yeah, that kind of annoyed me the first time, but in retrospect it is good for the general public to have automatic be on by default.
      • I don't think it's being pushed on you. When selecting auto update in the options that means that whenever Firefox sees an update it will download and install it. If you really don't want that just turn it off, in fact I think you have to manually turn it on.
    • Yes, this smacks of what M$ does with its automatic update service and can be a privacy issue. But if they don't do this, the update will have a much smaller adoption rate and since they disclosed what security bugs they fixed, the hackers can easily exploit them on unpatched versions, of which there will be a greater percentage because people are lazy and don't update.
    • Disabling auto-update in Firefox 1.5 is easy enough to disable.
      • Disabling auto-update in Firefox 1.5 is easy enough to disable.

        Actually, you want to enable disabling auto-updates. Disabling auto-update is disabled by default.

        It doesn't bug me much. At least it asks if you want to restart firefox. It could easily be worse, especially with me having 15 tabs open and no autorestore extension installed (yet!)
    • The update didn't surprise me too much, but restarting to no bookmarks did. At least it backs them up, but having to walk four people you convinced to use Firefox through repairing their bookmarks and Sage feeds and trying to explain why you have to do so isn't too much fun. :)
    • Ok, so the fixes are in Does the 2.0 release candidate alpha/beta/etc. have the same vulnerabilities, and are they fixed, and (less likely) does Mozilla Suite have them?

      It's getting to be time to update my Mozilla Suite anyway - is 2.0xx cooked enough to use, or is it better to go to and wait for 2.0 final to update again?

  • Memory features (Score:3, Insightful)

    by end15 ( 607595 ) on Friday July 28, 2006 @05:55PM (#15802386)
    Does anyone know if this latest release has gotten rid of some of the memory "features" that I've come to love in Firefox. I don't know what I would do if they got rid of them (other than have a smaller page file ;). Thanks!
    • Work's home page(plain text), gmail, digg, thottbot, and /. open in 5 different tabs = 71MB. Minimized removes a few KB. It's been opened to these tabs for the last 5 hours.

      Honestly not sure if this is better or not as this is the first time I have ever looked. Guess that's the advantage of having 2gigs of memory. :)
      • And how many (and what kind of) extensions have you got running?
        How many and what kind of sites (heavy graphic?) have you visited since you let the fox out of his cage?

        Seriously, keep middle-clicking next to a tab and see where your memory went.
        • Re:Memory features (Score:3, Informative)

          by Durrok ( 912509 )
          Extensions: adblock, ietab, tabx, tabbrowser preferences, adblock filterset, flashblock, disable targets for dls, blockfall, and cards.

          Closed out of all tabs and was still at 60MB. Opened a new tab and closed the /. one, 50MB. Restarted firefox, 21MB. Went straight from plain text work page to /., this article, and replied to your post, 25MB.

          Time to go searching for those FF tweaking options again...
          • Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20060719 Firefox/

            Currently using 61 megs of memory, with 6 tabs, and scrolling through about 60 pictures in an online photo gallery to try to drive up the memory usage. Installed extensions include Reload Every, Video Downloader, DOM Inspector, Web Developer, and Talkback. Seems to me like there are no memory problems with Firefox.

          • Time to go searching for those FF tweaking options again...

            Maybe you should do a little research on how cached memory works first. Firefox will mark a page as unused.. and if the OS needs it, it will take it. However, if Firefox needs that page again (like, say, you hit your backbutton), it can pull it up without having to connect to the server.

            The memory is indeed freed.. the OS just hasn't bothered reclaiming it yet.
      • 14302 firefox-bi 2.7% 2:01:43 22 596 1245 164M 28.8M 136M 652M

        Second from last is RSIZE. Sucks.
    • about:config (Score:3, Informative)

      by The MAZZTer ( 911996 )
      URL: about:config, filter for: memory, adjust relevant options. -1 for capacity indicates automatic.
  • ...I was pushed Thunderbird earlier this morning, too.
  • I tried the demo on my system (an up-to-date Gentoo w/ Firefox It didn't work. I use the hardened sources w/ the hardened USE flag, so that may have something to do with it.
  • Finally! (Score:4, Informative)

    by angrytuna ( 599871 ) on Friday July 28, 2006 @06:05PM (#15802461)
    I have really been waiting for this build of Thunderbird. It finally includes message tagging, which is something that I've been wanting natively in Thunderbird for a long time. Tagging now also apparently works with IMAP connections, although at least some users [mozillazine.org] are having some problems with that feature. (Bug #344290) [mozilla.org].
    • How is it at dealing with large volumes of e-mail now? I subscribe to 50 heavy traffic mailing lists and the 1.5 version is very slow. Even when it's not retrieving mail, it seems like it takes forever to allow me to select messages in the inbox (which only has 30 messages).

      (All of my mailing lists are in their own folders, with sub-folders where I move the previous year's messages to to make the main folders smaller. Still I have around 4GB of e-mail in my Thunderbird profile folder.)

      • Do you ever compact your folders? It's not on by default, so it's possible that your inbox is actually chock full of TONS of messages, but 99.9% of them are flagged for deletion and are hidden.

        right click your inbox and select 'compact this folder'.

        more details, and instructions for automatic compaction:
              http://kb.mozillazine.org/Compacting_folders [mozillazine.org]
        • Hmm... spent the half hour and compacted all my folders (4.5GB down to 3.3GB for the profile).

          Thunderbird 1.5's UI is still slow at selecting messages. Click on a message in the message list and it takes half a second for TB to highlight the message. Then there's the issue that rules are not always moving messages to the proper folders.

          It's all CPU-bound utilization.

    • Does it finally include vCard/iCard support for the address book?
  • How would a person use this flaw to run a keylogger or other virus on a person's system? Is it possible to do this with this bug? I autopatched when the new version came out, but the behavior of the test site, with firefox crashing and the hard disk making the hard disk reading/writing noise, I've seen before the patch on some nonreputable websites...how bad could the damage be, and do I need to reformat? (NAV doesn't detect anything, but NAV never detects anything, including my homemade virii/keyloggers)
    • Arbitrary shell code can be run on the system for many of the exploits. So it would be trivial for an attacker to infect your system with pretty much any program they want (though they may have to make the shell code download the executable to your system first if there's a limit on how much they could run at once).
  • by Anonymous Coward

    my Sinclair ZX81 isn't exploitable
    take that! YUO L00ZER HAX0RZ

    • I think there may be a difference in "can't be hacked" and "who the hell would bother".

      On a more serious note along those lines, FF and Thunderbird are finally getting enough marketshare to grab the attention of spammers and virus writers. We should rejoice on its success and how quickly it was patched instead of "oh noes there actually are security flaws in FF!" If you want more security, switch to a more obscure browser (just make sure it isn't just an IE wrapper). Sure, you will lose a lot of functio
  • ... between Windows and the other OS's is that generally, the average user for Windows has full admin privs. while the average user for Linux and OSX browse the internet with significantly less privs.
  • When, oh when, will I learn to not click on things that say "Clicking this may crash your browser"?

    I am running (thanks, Firefox auto-updater thingy!), so it couldn't execute the test on my machine, but that didn't stop the browser crashing.
  • My favorite part of the exploit JavaScript reads:
    if (! shellcode) {
        alert('OS not supported, only attempting a crash!');
    Clearly, this needs to be maintained by the Debian team so it supports all 33463562 platforms known to man.
  • I just tried the exploit demonstration page, and it doesn't seem to do anything. Using Firefox on Mac OS X. Any ideas?
  • Seems that the really old Bon Echo (firefox 2 alpha) version I am using isn't vulnerable, that's weird
  • No lengthy and buggy "WGA" product check necessary.
    No advanced computer knowledge necessary.
    Browser restart is required, operating system restart is not.

    (this is in the case of a Windows user).

    Turnaround time from the reporting of http://www.mozilla.org/security/announce/2006/mfsa2006-45.html [mozilla.org] to a fix deployed: 1 day.

    I'll leave the comparisons up to others.
    • It was NOT 1 day! (Score:3, Insightful)

      by SirTalon42 ( 751509 )
      No, if you go to the ZDI link at the bottom it shows you this:

      Disclosure Timeline:

      2006.06.16 - Vulnerability reported to vendor
      2006.07.25 - Vulnerability information provided to ZDI security partners
      2006.07.26 - Digital Vaccine released to TippingPoint customers
      2006.07.26 - Coordinated public release of advisory

      So it was REPORTED to Mozilla on the 16th. Mozilla ANNOUNCED it on the 25th. Sorry it wasn't one day. Still kicking the crap out of IE updates..

  • by doom ( 14564 ) <doom@kzsu.stanford.edu> on Friday July 28, 2006 @06:47PM (#15802735) Homepage Journal
    Would anyone want to hear a semi-relevant complaint about Firefox? There's some major suckage in the installer as far as Linux is concerned. If you make the mistake of trying to put the new version of firefox where the existing version is, it's entirely too easy to end up blowing away an entire directory -- e.g. your "/usr/bin".

    Try to imagine writing a shell script that would cheerfully do a cd /usr/bin; rm *. Can you? Now look at this bug report: bug 234479 [mozilla.org]

    One of the programmers (Andrew Schultz) can't imagine any way of dealing with version skew problems outside of completely erasing the installation directory in order to start from scratch.

    • I think it'd be safe to say that if you're doing a manual (I.E. not 'apt-get' / RPM equiv.) install, you should KNOW if you have multiple versions on your computer. You should further know that doing a manual install into /usr/bin is "universally stupid" (Thanks, Fruit Loops).
      • That's a good point. I'll install Firefox into /usr/local/bin instead. I'm sure that won't delete any important files.

        The problem isn't "it deletes files when you install it into /usr/bin". The problem is "it deletes files that it has no business deleting". It's a reasonably common mistake that never takes more than a few days to get fixed once it's reported. Except, apparently, in this case.
      • by gatzke ( 2977 ) on Friday July 28, 2006 @08:52PM (#15803239) Homepage Journal
        I personally like to install firefox / mozilla / whatever in /usr/local/application or /opt/application and include version numbers




        So you get the old version installed and kept as well.

        Then I get into /usr/bin and soft link the application there

        cd /usr/bin
        ln -s /opt/mozilla-1.5.2/bin/mozilla ./mozilla

        Sometimes I keep the old version as a softlink as well

        ln -s /opt/mozilla-1.4/bin/mozilla ./mozilla.old

    • There's an installer for linux? :-)

      Seriously, I just use the tarball. I unpack it, then "mv firefox firefox-" and "ln -s firefox- firefox" so that I retain the old installation (just in case) and automatically point users to the new location. Before I update I just have to delete the sym-link before unpacking the tarball.
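The versioned-directory-plus-symlink approach described in the replies above, written out as an added example (not code from any commenter or from the Firefox installer). The function names, the `firefox-VERSION` directory layout, and a tarball that unpacks to a top-level `firefox/` directory are assumptions; the point is that an upgrade never has to erase an existing directory.

```shell
#!/bin/sh
# Added example: versioned install with an atomic symlink switch.
# install_versioned and the firefox-VERSION layout are hypothetical names.

# install_versioned TARBALL VERSION PREFIX LINKDIR
install_versioned() {
    tarball=$1; version=$2; prefix=$3; linkdir=$4
    dest="$prefix/firefox-$version"

    # Never unpack over, or clean out, a path that already exists.
    if [ -e "$dest" ]; then
        echo "refusing: $dest already exists" >&2
        return 1
    fi

    # Unpack into a fresh private staging directory next to the target.
    staging=$(mktemp -d "$prefix/.ff-staging.XXXXXX") || return 1
    if ! tar -xzf "$tarball" -C "$staging" ||
       [ ! -f "$staging/firefox/firefox" ]; then
        rm -rf -- "$staging"    # the only rm: a directory this run created
        return 1
    fi
    mv -- "$staging/firefox" "$dest" || return 1
    rmdir -- "$staging" || return 1

    # Build the new link under a temporary name, then rename it over the
    # old one so $linkdir/firefox always points at a complete install.
    tmplink="$linkdir/.firefox.new.$$"
    ln -s "$dest/firefox" "$tmplink" || return 1
    mv -f -- "$tmplink" "$linkdir/firefox"
}

# demo: constructed input. Builds two fake "releases" in a scratch
# directory, installs both, and prints the scratch path for inspection.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir -p "$scratch/src/firefox" "$scratch/opt" "$scratch/bin"
    : > "$scratch/bin/ls"       # unrelated file that must survive upgrades
    for v in 1.0 1.1; do
        printf '#!/bin/sh\necho %s\n' "$v" > "$scratch/src/firefox/firefox"
        chmod +x "$scratch/src/firefox/firefox"
        tar -czf "$scratch/ff-$v.tar.gz" -C "$scratch/src" firefox
        install_versioned "$scratch/ff-$v.tar.gz" "$v" \
            "$scratch/opt" "$scratch/bin" || return 1
    done
    echo "$scratch"
}
```

Rolling back is a matter of repointing the link at the older `firefox-VERSION` directory, which is left untouched by later installs.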
  • Still not fixed. (Score:3, Interesting)

    by werdnapk ( 706357 ) on Friday July 28, 2006 @06:53PM (#15802772)
    I have version installed on my windows machine and the online demo still crashes my browser. I will await version :)
  • by CritterNYC ( 190163 ) on Friday July 28, 2006 @06:55PM (#15802788) Homepage
    Portable Firefox is now Mozilla Firefox - Portable Edition (or, Firefox Portable among friends) and a new version has been released. This new version sports some handy new features, including: CD support (aka Firefox Portable Live), partial update support, in-place upgrade support, full compatibility with Wine running on your favorite *nix distro, and more. It's available in three different versions: for everyday use, 2.0 Beta 1 for testing the latest Firefox beta and 1.0.8 for web developers to test pages against. Full details are on the Firefox Portable Release Page [portableapps.com].
    • Portable Firefox is now Mozilla Firefox - Portable Edition (or, Firefox Portable among friends)

      Portable Edition? I thought Firefox was already portable - it runs on Windows, various UN*X+X11 combinations, and OS X, right?

      • Portable Firefox runs on a USB drive without leaving anything on the computer that you're running it on. It allows you to take your edition of Firefox to any PC (Not sure if it has to be Windows based, probably) and run it without any problems, with your favourites and extensions. I really loved this when i was in school and used different computers in the IT room.

        It's also optimised to require very little read/write cycles to your USB drive seeing as they do have a limit. It's also a smaller install.
      • Sigh. It would seem the Slashdot website lets you type more characters into the Subject field than it actually uses... which is just plain odd. The full subject line of that comment was:

        Firefox Portable & 2.0 b1: Works on USB & CD
  • by Urtica dioica ( 973533 ) on Friday July 28, 2006 @07:09PM (#15802837)
    but my Firefox crashed. :(
    • but my Firefox crashed. :(

      Every firefox version beyond 1.0 crashes randomly on me. That's why I haven't updated and probably won't, either.

      And of course I'd have to get new versions of all the extensions I'm using...

      • My Firefox rarely crashes. Your computer is broken. Also, since a few versions ago, most extensions changed to be enabled by default when the browser is upgraded. I suggest you upgrade. :)
        • My Firefox rarely crashes. Your computer is broken.

          I use Linux and hibernation and typically have about a hundred or so Web pages open at once. Firefox 1.0 crashes once every few months. Any newer version I've tried crashes every few hours. Since no other program has a problem, not even the same program's earlier version, I find it hard to believe that the problem is in my computer and not in Firefox.

          Sorry, but "rarely" is not good enough for my use - it must be "almost never". I'd say "never", but Fir

  • This release is buggy. The "dom inspector" and "livetalk" extensions (the ones that come with firefox itself if you choose to install them) get disabled when updating due to incompatibility with the new version.

    However, at work the update went fine, so I don't know what exactly triggers it.
  • I don't know if it's an illusion or not, but 2.0a1 feels faster than
    • How well does it perform when loading multiple background tabs over a slow net connection?

      (My biggest complaint about the 1.5 firefox code is the constant waits while a background / non-active tab talks to the DNS and web servers. The whole reason that I loaded the tab in the background was that I knew it would take a minute to load and render...)

  • Looks like Firefox will be released very quickly to fix a bug in some streaming media links in Specifically, Windows Media ".wmv" when called using "mms://", maybe real using "rm://", does not work. Breaks streaming video links on http://mlb.com/ [mlb.com] Release candidates for Firefox are already on the way.
  • by Kanasta ( 70274 ) on Friday July 28, 2006 @10:28PM (#15803590)
    Wonder why Seamonkey gets close to nil attention here, thinking ./ users would want the extra functionality/control of Seamonkey over FF's pretty face.

    Always wonder why if both use Gecko, FF supports horizontal scrolls while SM doesn't. Plus touchpad zoom 'just works' in FF and even IE, and 'just doesn't' in SM.
  • by redtail ( 265571 ) on Friday July 28, 2006 @10:43PM (#15803641)
    Just the other day I upgraded to 1.5 so I can use an extension. Unknown to me that turns on automatic updates. Turn my box on today and am told update is ready. Grumble, OK. Enter endless loop of Firefox unable to complete update (because I don't run as admin). Can't EVEN LOG OFF. Have to kill firefox from process list. I guess I'll run IE for an hour to feel better about Firefox again.
  • After reading the 'what's new' for the a-release and its bug fixes, it still boils down to one thing: Thunderbird still can't let you add address book records using LDAP. I was hoping this issue would get resolved soon enough but no dice. Someone, PLEASE tell me how wrong I am. I beg you!

    This is frustrating because in my experience, Outlook is such an irrational piece of software when it comes to IMAP/LDAP and Thunderbird (to me anyway) only provides a superior IMAP portion. Still does wonders for me but ho
  • C - Cyclone (Score:3, Interesting)

    by John Nowak ( 872479 ) on Saturday July 29, 2006 @01:49AM (#15804289)
    When are we going to stop writing large programs in C? For small things where portability is critical and lines of code are low, C can be a good choice for a certain class of application where low-level access and/or high efficiency is needed. However, with something massive like Firefox, it isn't possible to keep tabs on things. The result is a number of security holes surfacing constantly -- Not an ideal situation. Why not move to a more secure language like Cyclone [thelanguage.org]? Programmer portability in such a situation is high and entire classes of bugs would disappear. The performance penalty would be minimal.

    Why aren't more people using such languages? Why not use Cyclone, or even higher level languages where they can reduce lines of code and keep things more maintainable in less performance critical sections? I can only attribute it to laziness and blubism:

    "As long as our hypothetical Blub programmer is looking down the power continuum, he knows he's looking down. Languages less powerful than Blub are obviously less powerful, because they're missing some feature he's used to. But when our hypothetical Blub programmer looks in the other direction, up the power continuum, he doesn't realize he's looking up. What he sees are merely weird languages. He probably considers them about equivalent in power to Blub, but with all this other hairy stuff thrown in as well. Blub is good enough for him, because he thinks in Blub." - Paul Graham
    • You're going to port the 150 or so megabytes of Mozilla sourcecode to one of these obscure untested languages? Great!

      If not, STFU and let the real programmers do their job.
      • I wasn't suggesting we port a massive existing codebase. The fact that the source is 150 megabytes (if that is actually the case) is quite telling though...
    • I've worked with good programs written in C, and bad programs written in C or C++. The Mozilla code base is not one of the good ones. I went into it once to try and chase down a proxy problem, and I ended up giving up... I couldn't figure out the call tree from entering a URL through to the proxies being applied to the actual connection.

      Maybe it's better now, I don't know, I don't really care. Because on top of that the whole design of Firefox has gone down the same path as Internet Explorer (though, hopefu
  • Does Thunderbird read local maildirs yet so I can get off of Evolution?
  • I tried the test page and it popped up a dialog indicating that someone was trying to start a shell on a high port, and the browser hung.

    Is Camino vulnerable to an exploit or just a DOS?

    Where is Camino 1.0.3? :)
