Firefox 1.0.5 is available for upgrade

[VK]

<http://www.mozilla.org/>

 

[cwdjrxyz]

<http://www.mozilla.org/>

Yes, I believe the Firefox 1.0.5 upgrade is mainly for security.
Firefox has had several recent security upgrades. I do not know of any
serious Firefox hacks so far, but hackers might soon take interest in
Firefox as some sites now report they receive over 20% Firefox hits.
Although hackers like to target Microsoft most, they will not pass up
others. For example, there are many Unix servers, and some hackers,
especially "the boys from Brazil", have defaced pages on many Unix
servers and worse.

Speaking of upgrades, one should also check any media players and media
programs they have installed from time to time. There have been
security updates for Real and others.

 

[web.dev]

but hackers might soon take interest in Firefox as some sites now report they receive over 20% Firefox hits. Although >hackers like to target Microsoft most

You are correct. The only reason IE is hit on the most is simply
because of convenience. The truth is, no browser out there is truly
"secure". We just haven't heard much of security exploits on other
browsers mainly because they weren't popular. Now that FF is on the
rise, we'll probably see more attacks.

 

[The Magpie]

You are correct. The only reason IE is hit on the most is simply
because of convenience. The truth is, no browser out there is truly
"secure". We just haven't heard much of security exploits on other
browsers mainly because they weren't popular. Now that FF is on the
rise, we'll probably see more attacks.

Attacks are not a big worry for Firefox as yet, and they do seem to
remove the potential before anyone notices it enought to actually use
one of the "features" they have fixed.

What worries me most at the moment is the unfortunate habit 1.0.4 has of
producing the "URL redirection limit exceeded" error and blocking sites.
Does anyone know, offhand, is that is fixed in this upgrade?

 

[Grant Wagner]

You are correct. The only reason IE is hit on the most is simply
because of convenience. The truth is, no browser out there is truly
"secure". We just haven't heard much of security exploits on other
browsers mainly because they weren't popular. Now that FF is on the
rise, we'll probably see more attacks.

Not to mention a lot of attacks consist of asking the user to perform a
task that is inherently dangerous (such as installing a plug-in to view
content - the dancing bunny problem: <url:
http://blogs.msdn.com/larryosterman/archive/2005/07/12/438284.aspx />)

Up to a short time ago, all the Mozilla projects benefited from the fact
that they were (typically) only being used by well-informed,
technically-oriented individuals. As more non-technical laypeople
download and use alternative browsers, those browsers will be
"vulnerable" to this form of "attack" because the users are not informed
enough to avoid performing these dangerous tasks.

When a Web site asks the user to install a plug-in (ActiveX control or
Firefox Extension) to see the dancing bunnies, many people will do just
that, regardless of the dangers involved or the warnings provided.

 

[VK]

When a Web site asks the user to install a plug-in (ActiveX control or

Firefox Extension) to see the dancing bunnies, many people will do just
that, regardless of the dangers involved or the warnings provided.

So where the *browser* vulnerability here? If some user drop (s)he
security settings to zero, and then on a popup like "Very Cool soft.
Signed by Catch-Me-If-You-Can. Install?" press "Install": what a hey
Mozilla (or Microsoft) has to do with it? These are software company,
not mental clinics.

If some "bunnies" were *signed* by some real sertificate authority
(VerySign or Thawte), then it's again not a browser problem, but the
sertificate authority failed to check the company properly. The only
stone can be thrown to FF *only if* it doesn't have a revoked
sertificates check mechanics (IE has for sure). Because even
sertificate authorities are being cheated sometimes, specially VerySign
with its "3 class" delegated trust certificates. (You're giving it to a
reputable company, and someone pass it trough the 3 class to some
scum). But again, it has nothing to do with the browser vulnerability.
Vulbnarability is when you have all recommended (default or higher)
security settings and still being successfully attaked by a site
content.

 

[Grant Wagner]

So where the *browser* vulnerability here? If some user drop (s)he
security settings to zero, and then on a popup like "Very Cool soft.
Signed by Catch-Me-If-You-Can. Install?" press "Install": what a hey
Mozilla (or Microsoft) has to do with it? These are software company,
not mental clinics.

I think my post was self-explanatory. I never claimed this form of
attack was a result of a security vulnerability in the browser.

If some "bunnies" were *signed* by some real sertificate authority
(VerySign or Thawte), then it's again not a browser problem, but the
sertificate authority failed to check the company properly.

It is not the job of the certificate authority to validate the content
of what is being signed, only to ensure that it has not been modified in
transit.

The only
stone can be thrown to FF *only if* it doesn't have a revoked
sertificates check mechanics (IE has for sure).

I was not "throwing a stone" at Firefox (by the way, the preferred
abbreviation is "fx" or "Fx", not "FF" <url:
http://www.mozilla.org/products/firefox/releases/1.0.6.html#FAQ />), I
was pointing out that as Firefox gains market share, it will begin to
see more of the types of social-engineering (and other) attacks that are
seen against IE. And since the market share it is gaining are users who
are not as well informed as the users who have used Firefox in the past,
these types of attacks will be more successful.

 

[VK]

I was pointing out that as Firefox gains market share, it will begin to

see more of the types of social-engineering (and other) attacks that are
seen against IE. And since the market share it is gaining are users who
are not as well informed as the users who have used Firefox in the past,
these types of attacks will be more successful.

Sure they will. So far many wannabes were like in that old cowboy story
about Uncatchable Joe:

- Why is Jow so uncatchable?
- Because who the hell wants to catch him ?!

Some part of Linux, Macintosh, and Firefox security image is based on
this story, and yes they may have much more security fights in the
future.