Mozilla closes security hole with Firefox 3.5.1
Mozilla updated Firefox to version 3.5.1 for Windows, Mac, and Linux on Thursday, fixing a security problem, improving stability, and speeding launch time on some Windows systems, according to the release notes.
"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," browser director Mike Beltzner said in a blog post Thursday.
Firefox 3.5 embodies Mozilla's hope to build a better foundation for Web applications, but about two weeks after its debut, a vulnerability in the browser's JavaScript engine came to light. Mozilla rated it "critical" because an attacker could create a Web site that would run malicious code on the computer.
The new version can be installed from Mozilla's download site or by selecting "Check for Updates" in the Help menu. Unfortunately, when I did so, the Firefox warned me that the newly updated Gears 0.5.29.0 plug-in from Google becomes incompatible again.
Update July 17 1 p.m. PDT: A patch to fix the Gears compatibility issue is under way.
Stephen Shankland writes about a wide range of technology and products, but has a particular focus on browsers and digital photography. He joined CNET News in 1998 and since then also has covered Google, Yahoo, servers, supercomputing, Linux and open-source software, and science. E-mail Stephen, or follow him on Twitter at http://www.twitter.com/stshank. 






Regarding the Gears add-on, did you try to override compatibility? FF 3.5 declared a number of my add-ons as "incompatible" again, but overriding compatibility worked just fine. Just download and install the Nightly Tester Tools add-on to make overriding compatibility easy.
Rushed patching leads to compatibility trouble as has been demonstrated.
But any patch to help things out is a good thing
LOL. Are you trying to find an excuse for the fact that Microsoft needs months to close such bugs?
You MS fanboys are sooo predictable.
If MS can't test fixes to their browser so quickly, that only hints at what a convoluted mess the IE source code must be.
Vegaman didn't even mention Microsoft. Stop trolling yourself.
ON TOPIC: I dunno about other people but the update took me a good 10 seconds. I was really pleased. ^_^
Was Microsoft even mentioned in his post? If not ****
Are you really that naive or are you just playing naivete?
If you read Vegaman's posts on other threads you'd know exactly what he meant...
Now crawl back into your holes, you MS shills.
I didn't mention Microsoft, but if you want to bring it up, then sure. Microsoft does take time to release patches because they do take the time to test it thoroughly with applications, the OS, and third party products. To blindly release a patch upon the wild without thorough testing indicates either sloppy work or that the vulnerabiity was so extreme as to demand immediate patching and just suffer the consequences of compatibility issues as one was more impacting than the other.
I'm afraid the only one trolling here was you. You made a link to Microsoft that wasn't there in the first place. Feeling a bit defensive, perhaps?
Clue. Get one. They are cheaper by the dozen.
Got to love it.
Mozilla says on its blog it was discovered the week earlier too; they may have known about it before public disclosure. http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
[CNET editors' note: Prohibited content deleted.]
http://code.google.com/p/gears/source/browse/trunk/gears/base/firefox/install.rdf.m4?spec=svn3386&r=3385
-p
Just because a patch is released quickly doesn't mean that it's a good one. It takes time and a lot of effort to make sure the fix actually does what it's intended to do without causing other problems. Solutions that create more problems than they solve are poor solutions.
I believe Microsoft takes the time to thoroughly validate their patches and updates before release. At the same time, I question their philosophy regarding classification of vulnerabilities. MS tends to lump exploits that require some user interaction at a lower priority. Considering how ignorant many people are about secure computing, I think it would be best to classify vulnerabilities by what they do and not how they are acquired.
I continue to use Firefox solely because of Adblock Plus. If IE8 had ad blocking then that would be my browser of choice.
I've been using Firefox for several years, and recommending it to friends and family. No more. The MozFolk screwed the pooch, and their users, with the 3.5 release. They pushed it out for all the wrong reasons, most notably the PR that they knew their DRAFT HTML 5 support would generate. I think they lost sight of some core functionality and usability, in their rush for glamor and their lust for downloads and installs -- stats to tout. 3.5 was NOT ready for release, and neither is 3.5.1. Yes, perhaps we should applaud their rapid response on the security issue, but it should be golf clapping. I have a local history of being pretty quick to bash Microsoft but at this point, I'm with Hokulea. If IE 8 had AdBlock Plus functionality, and something like NoScript, I'd be done with Firefox.
Without any further updates having been applied, that I am aware of, my FF 3.5.1 start-up times have improved. When I wrote my original post, after clearing cache and rebooting, my start-up time was over 20 seconds. (I tried it at least three times, because I just couldn't believe it.) On Saturday, the day after my post, I noted that it had dropped to 12 seconds or thereabouts, fairly reliably. Today, under the same conditions, it is finally down to less than 10 seconds, coming in at about 8 seconds. Whether that is acceptable or not is an open question, and each user must make that call. I don't like it, but I'll live with it for now.
I have no idea what changed, though I wish I knew because that might help isolate the actual problem. Regardless, I suppose I should apologize for my harsh tone on the 17th. I still feel that some of Mozilla's motivations were, and are, questionable, but the start-up time issue, specifically, is diminishing.
Will I revert to recommending FF to friends and family? No, not until start-up times are reliably less than 5 seconds, comparable to IE 8.
- by resu eman July 23, 2009 6:49 AM PDT
- The latest version of Firefox (3.5.*) keeps crashing on my laptop.
- Like this Reply to this comment
-
(27 Comments)I didn't have any issues with the previous versions, but now it crashes just by launching it.
I'm hoping CNet download gives me access to the previous version because if not, I'm giving up on Firefox.