Security

November 18, 2009 11:41 AM PST

New Firefox 3.6 beta aims to cut crashes

by Stephen Shankland
  • 21 comments
Earlier in November, Firefox surpassed 25 percent usage share of Web browsers, according to Net Applications.

(Credit: Net Applications)

Mozilla released a third beta of Firefox 3.6 on Wednesday, adding stability and performance features, and said it hopes to lock down the code soon for its first release candidate.

The new beta, for Windows, Mac, and Linux, includes a component directory lockdown that makes it harder for other software to meddle with the open-source browser's state by preventing that software from sidling into the same folder as the browser's own components. The result should be fewer crashes, said Mozilla's Johnathan Nightingale in a blog post, and Firefox still is open to third-party extensions via its official add-on mechanism.

The change should improve security, too, added another Mozilla programmer, Vladimir Vukićević, who wrote in his own blog post that Mozilla is considering bringing the change to Firefox 3.5 as well.

"Creating binary components to interface with the operating system or with other applications is fairly straightforward, though ultimately dangerous. Binary components have full access to the application and OS, and so can impact stability, security, and performance," Vukićević said.

Also in the latest beta of 3.6 is a feature that lets the browser run some Web-based JavaScript programs asynchronously, which is to say without being so strict about the order in which the scripts run. This can improve the speed at which Web pages load, Mozilla said.

The biggest Firefox 3.6 feature most folks will notice is Personas, the reskinning add-on that's now being built in. More than 10 million Personas have been downloaded so far, Suneel Gupta and Myk Melez of the Personas team said Wednesday.

Mozilla is working to release a final version of Firefox 3.6 before the end of the year, and one sign the project is wrapping up is that the developers are locking down the features and changes that can be added into the release candidate 1. Code freeze for RC1 is scheduled for Wednesday but might be at risk, a Mozilla planning site said this week.

Firefox is steadily gaining in use. Last week, Web traffic monitoring firm Net Applications announced Firefox cleared 25 percent share of those using browsers worldwide--not dethroning Internet Explorer by any means but still winning over new users. Mozilla estimates there are more than 300 million Firefox users total, and this week said there are more than 300,000 testers using the Firefox 3.6 beta.

Google's Chrome, meanwhile, is appealing to some of the same browser enthusiasts who were Firefox's first users. One of its big selling points is speed, and Google is working on other ways to make the Web faster, too. Chrome gives it a vehicle to test such ideas out in the real world, a strategy that Apple, Opera, and Firefox have employed to advance the Web state of the art.

One Mozilla programmer, Alexander Limi, also revealed a speedup technology for Mozilla on Tuesday, called Resource Package. His proposal calls for bundling many Web page elements into a single compressed file that can be retrieved in a single Web-page request. Browsers are limited in the number of such requests they can make in parallel, so consolidating them can make pages load faster. The approach is backward compatible with existing browsers that don't support the feature, he added.

"If the feedback is good we're likely to try and get this implemented for Firefox 3.7," said Mozilla evangelist Christopher Blizzard in a blog post Tuesday.

Originally posted at Deep Tech
October 19, 2009 8:16 AM PDT

Gartner: Loosen up on social networks, security

by Stephen Shankland
  • 37 comments

ORLANDO, Fla.--OK, IT managers, it's time to loosen up.

That's how analysts advised Gartner Symposium attendees here Monday, arguing that corporate computing departments shouldn't block social networking and that security shouldn't completely lock down communications with the outside world. And even if information technology authorities want to shut down such activity, they can't.

Carol Rozwell, a Gartner vice president

(Credit: Stephen Shankland/CNET)

"Banning access to social media from the corporate network is futile," said Carol Rozwell, a Gartner vice president. "The world we live in is digitally enabled and socially connected."

The advice reflects the transformation of the information technology world as the Internet steadily pervades more and more corners of everybody's life. Although the Gartner event historically has concerned itself with matters such as justifying the expense of a new enterprise resource management computing system, the broadening show reflects the growing scope of work that IT managers face.

Overall, companies must acknowledge that not everything is under control of their own top-down administration, said Peter Sondergaard, senior vice president of research at Gartner.

"We're moving from control to greater autonomy," Sondergaard said. Managers also must find an appropriate place on the spectrums of in here vs. out there and owned vs. shared.

... Read more
Originally posted at Deep Tech
October 18, 2009 6:04 PM PDT

Firefox blocks insecure .Net add-on--awkwardly

by Stephen Shankland
  • 86 comments

Mozilla on Friday disabled a Microsoft plug-in for Firefox called the .Net Framework Assistant because of a security problem--then scrambled to give people with patched systems an override option.

Mike Shaver, Mozilla's vice president of engineering, announced the first step late Friday night on his blog. "It's recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that all users disable the add-on," Shaver said. "Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plug-in for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately."

This warning sign greeted Firefox users after Mozilla blocked use of a Microsoft add-on.

(Credit: Screenshot by Stephen Shankland/CNET)

The .Net Framework Assistant add-on lets Firefox use Microsoft's ClickOnce technology for installing applications that run on its .Net programming foundation. The add-on already was something of a thorn in the side of some Firefox users: it was automatically installed via Windows Update with the .Net Framework 3.5 Service Pack 1 without telling the user the add-on was being installed or offering a choice. More hackles were raised because it wasn't compatible with Firefox 3.5, Shaver said, and because removing it initially required people to edit the Windows Registry--a technically onerous task for most people.

Firefox periodically checks a Mozilla server for a list of add-ons to block. Although Mozilla's blocking move was intended to protect users, it caused other problems: Shaver indicated that Firefox's changed behavior irked some system administrators.

That led Justin Angel, a former Silverlight program manager at Microsoft, to tweet, "When business users can't use their core business functionality--they uninstall stuff."

One issue was that Mozilla's add-on blocking technology couldn't tell if people had patched their software and so weren't vulnerable anymore. "We can't distinguish patched from unpatched, so we're blocking it while we sort that out," Shaver twittered. Over the weekend, Mozilla worked to remedy the situation.

"Pushing a change to our blocklist software that will let Firefox 3.5 users override the blocking of .NET FA/WPF plugin if they're patched," Shaver tweeted Sunday. But a few hours later, he added, "We're still working on the blocklist tweaks to help enterprises override the blocking of the WPF plugin, stay tuned!"

Update 6:47 p.m. PDT: Crisis partially averted, apparently. At about 6:10 p.m., Shaver tweeted, "MSFT confirmed that the .NET Framework Assistant is not exploitable, so we've removed it from the blocklist; one down!"

Update 8:34 p.m. PDT: There's still another blocked Microsoft add-on that's vulnerable, one that concerns the Windows Presentation Foundation (WPF), which also is installed with the .Net service pack. Shaver said it was more serious.

"We're hard at work on improving the experience for (especially enterprise) users who wish to override the blocking of the WPF plugin before we remove it from the blocklist," Shaver said in a Sunday night blog post that announced the other plug-in had been removed from the Firefox blocked add-on list.

Originally posted at Deep Tech
September 29, 2009 7:51 AM PDT

Mozilla VP: Chrome Frame is the wrong answer

by Stephen Shankland
  • 43 comments

Mozilla and Microsoft don't always see eye to eye when it comes to browser technology, but they agree broadly on one thing: thumbs down for Google Chrome Frame.

Chrome Frame is a plug-in that puts Google's browser engine under the hood of Microsoft's Internet Explorer, and Google argues that it can modernize IE versions 6, 7, and 8 with faster page loading and JavaScript performance. It kicks in only on Web pages that Web developers have labeled with a specific tag. After Google announced it, Microsoft criticized it as creating a potentially increased risk to browsing security.

Google Wave is one site that suggests IE users install Google Chrome Frame.

(Credit: Google)

Mike Shaver, vice president of engineering for Firefox backer Mozilla, published a different concern in a blog post Monday night.

"I certainly share that longing for a Web in which the vast majority of Web users enjoy the performance and capabilities we see in Chrome, Safari, Firefox, and Opera. Unfortunately, I don't think that Chrome Frame gets us closer to that Web," Shaver said.

Specifically, Shaver said Chrome Frame can disable IE features and muddle users' understanding of Web security matters. And users of the reviled IE 6 browser, he added, often won't be able to run Chrome Frame anyway because their computer is locked down to prohibit changes or lacks sufficient power in the first place.

"As a side effect, the user's understanding of the Web's security model and the behavior of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit. It is a problem that we have seen repeatedly with other stack plug-ins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5," he said.

Shaver's advice is to rely on that age-old technique: an upgrade suggestion on the Web site.

"It would be better for the Web if developers who want to use the Chrome Frame snippet simply told users that their site worked better in Chrome and instructed them on how to install it," Shaver said. "The user would be educated about the benefits of an alternate browser, would understand better the choice they were making, and the kudos for Chrome's performance would accrue to Google rather than to Microsoft."

Originally posted at Deep Tech
September 9, 2009 6:29 PM PDT

Mozilla patches holes in Firefox 3.5, 3.0

by Stephen Shankland
  • 18 comments

Mozilla on Wednesday released two new versions of its browser, Firefox 3.5.3 and 3.0.14, that patch three critical security holes and fix assorted other bugs.

The updates can be fetched through the Help menu's Check for Updates option, or can be downloaded directly.

Although Mozilla still supports the 3.0 version, it's pushing people to the 3.5 version, and support for the 3.0 series will end in a few months. Version 3.5, released in June, supports a variety of new Web page technologies and includes a faster JavaScript engine for running Web-based programs.

Interested folks can read the release notes.

Originally posted at Deep Tech
September 4, 2009 10:45 AM PDT

Microsoft reports attacks using IIS vulnerability

by Stephen Shankland
  • 34 comments

A vulnerability in Microsoft's software for housing Web sites is now being used for "limited attacks" on the servers it's running on, the company said Friday.

Microsoft disclosed the Internet Information Services (IIS) vulnerability on Monday and said Friday it's still working on a security update to fix the problem. In the meantime, the advisory has instructions for a workaround, including disabling various elements of the vulnerable FTP (File Transfer Protocol) service, which is used to upload and download files.

According to the advisory, the vulnerability could let somebody run arbitrary code on a server using FTP on IIS 5.0 and conduct a denial-of-service attack using FTP on IIS 5.1, 6.0, and 7.0. The present version 7.5 isn't affected, though, and FTP 7.5 can be downloaded and installed on IIS 7.0 to protect it.

"Customers should be aware that the Download Center has FTP 7.5 available for Windows Vista and Windows Server 2008. FTP 7.5 is not vulnerable to any of these exploits," said Alan Wallace, senior communications manager for Microsoft's security response communications team, in a statement.

Initially, the company said it was investigating a vulnerability only with versions 5 and 6 of IIS.

Originally posted at Deep Tech
August 25, 2009 11:40 AM PDT

Google patches severe Chrome vulnerabilities

by Stephen Shankland
  • 40 comments

Google has fixed two high-severity vulnerabilities in the stable version of its Chrome browser that could have let an attacker remotely take over a person's computer.

With one attack on Google's V8 JavaScript engine, malicious JavaScript on a Web site could let an attacker gain access to sensitive data or run arbitrary code on the computer within a Chrome protected area called the sandbox, Google said in a blog post Tuesday. With the other, a page with XML-encoded information could cause a browser tab crash that could let an attacker run arbitrary code within the sandbox.

Chrome 2.0.172.43 (click to download for Windows) fixes the issues and another medium-severity issue. Once Chrome is installed, it retrieves updates automatically and applies them when people restart the browser.

Google won't release details of the vulnerabilities until "a majority of users are up to date with the fix," Engineering Program Manager Jonathan Conradt said in the blog post.

Originally posted at Deep Tech
August 3, 2009 6:01 PM PDT

New Firefox patches authentication security holes

by Stephen Shankland
  • 38 comments

Mozilla on Monday released two new versions of Firefox, 3.5.2 and 3.0.13, to patch two critical security holes. You can download the Windows and Mac versions of 3.5.2 from CNET Download.com, or go to Mozilla for the Linux build and Firefox 3.0.13.

"We strongly recommend that all Firefox users upgrade to this latest release," Mozilla said in a blog posting about the security issue.

The first vulnerability could let an attacker run arbitrary code on a person's computer by sending a specially crafted certificate as authentication information.

The second vulnerability, disclosed last week, involves a flaw in certificate authentication technology that could potentially let an attacker gain access to encrypted information or issue a bogus update to Firefox.

July 30, 2009 3:14 PM PDT

Adobe patches critical Flash hole

by Stephen Shankland
  • 6 comments

Adobe has released a patch for a critical Flash Player problem that could let attackers take over people's computers through content viewed in a browser.

The vulnerability affected a file that shipped with Flash Player 9.x and 10.x for Windows, Mac OS X, and Linux, and with Adobe Reader and Adobe Acrobat 9.x for Windows, Macintosh, and Unix. Adobe said Thursday it fixed the problem in a security advisory, and Adobe's Matt Rozen posted a note on Twitter that directed people to download the patched version from Adobe's Flash download site.

This was no abstract, theoretical vulnerability, either.

"There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows," Adobe said in an earlier advisory about the problem.

Flash is very widely used in browsers to power features such as interactive stock charts and YouTube video streaming.

July 21, 2009 8:26 PM PDT

Firefox 3.0.12 patches five critical problems

by Stephen Shankland
  • 27 comments

Mozilla on Tuesday released Firefox 3.0.12, an update to the open-source browser that fixes five critical security vulnerabilities and fixes a handful of other bugs.

"We strongly recommend that all Firefox 3.0.x users upgrade to this latest release," Mozilla said on its developer blog. "If you already have Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting 'Check for Updates...' from the Help menu."

Version 3.0.12 fixes five critical problems and one high-level security problem, according to the Mozilla security advisory site.

Mozilla is trying to move people to the newer Firefox 3.5, which offers faster JavaScript program execution, new privacy features, and a handful of technologies geared for more powerful Web applications.

And Mozilla is pushing the new browser hard. Security and stability fixes for the 3.0.x series will end in January 2010.
