I’m not sure which is worse: that someone felt the need to create a Firefox Extension Backup Extension, or that my first reaction when I saw it was, “Yes, I could use that.”
Category: Firefox
Firefox auto-update works!
Last April, I complained about the unacceptably weak update mechanism for Firefox. In fact, just a few weeks ago I sat down at Judy’s computer and realized that she was running an old version of Firefox and hadn’t been prompted to upgrade.
I was pleasantly surprised to see this dialog box pop up a few minutes ago:
The Mozilla Firefox 1.5.0.1 Release Notes have all the details, but suffice it to say this is a critical update that fixes several serious security issues.
Anyway, kudos to the Mozilla folks for getting this feature working right in Firefox 1.5.
A tale of two patches, part 2
Apparently, some people think I chose a bad example yesterday to illustrate my point that patching complex software takes time. So maybe a different example will help.
This Secunia advisory from September 9, 2005 was rated “highly critical”:
Tom Ferris has discovered a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user’s system.
The vulnerability is caused due to an error in the handling of IDN URLs that contain the 0xAD character in their domain name. This can be exploited to cause a heap-based buffer overflow.
Successful exploitation crashes Firefox and allows code execution but requires that the user is tricked into visiting a malicious web site or opening a specially crafted HTML file.
NOTE: Exploit code is publicly available.
This Mozilla.org advisory offered a workaround that involved disabling the IDN functionality:
On September 6 a security vulnerability affecting all versions of Mozilla Firefox and the Mozilla Suite was reported to Mozilla by Tom Ferris and on September 8th was publicly disclosed.
On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user.
Sound familiar? That’s exactly how Microsoft initially responded to the WMF exploit.
The patch for this vulnerability (and remember, there was working exploit code out there) was incorporated into Firefox 1.0.7, which was released 12 days later, on September 21.
I’m not trying to “smear the Open Source community.” In fact, I’m an enthusiastic Firefox user and supporter. In the September 9 vulnerability, I don’t think that the Firefox developers were underestimating the problem, nor were they sitting on a patch. The process took 12 days, period. I don’t think the Windows security team was sitting on the WMF exploit either. The process of developing and testing a fix takes time. That’s true of any complex program, including Firefox and Windows.
A tale of two patches
Update: The point of this post is not “Firefox sucks, too.” The point is that patching complex programs takes time. I’ve posted another example that makes the same point here.
In the comments to yesterday’s post about SANS and the WMF exploit, a visitor remarks:
Bear in mind that when popular open source (such as Firefox) vulnerabilities have been exposed, there were patches available in about 48 to 72 hours. It’s been more than a week since the WMF vulnerability was exposed. The problem is pretty well known by now, and it’s telling that users themselves have managed to generate a fix before Microsoft has.
My, what selective memories people have. Patches in 48-72 hours? Maybe if you’re a developer, but not for mere mortals.
Remember the Firefox IDN exploit? Working exploit code was released on or before February 7, 2005. The updated version that fixed the underlying vulnerability was released on February 24, 2005. That’s 17 days later, for those who don’t have a calculator handy. And on top of that, the Mozilla group didn’t make this available through its auto-update mechanism until roughly a week after the new version was ready.
And yet a chorus of doomsayers are ready to throw Microsoft to the wolves because they plan to release a patch for the WMF exploit via Windows Update 13 days after it was first reported. Based on the Firefox experience, that seems to be about how long it takes to produce a reliable, safe, well-tested patch.
And one orange icon shall rule them all
The announcement at the Microsoft Team RSS Blog has a picture of the new RSS icon that will be standard in IE7.
Look familiar? If you use Firefox, you’ll recognize it instantly. In fact, those who want to see all-out war between IE and Firefox might be disappointed by this report:
I’m excited to announce that we’re adopting the icon used in Firefox. John [Lilly] and Chris [Beard] were very enthusiastic about allowing us (and anyone in the community) to use their icon. This isn’t the first time that we’ve worked with the Mozilla team to exchange ideas and encourage consistency between browsers, and we’re sure it won’t be the last.
We’ll be using the icon in the IE7 command bar whenever a page has a feed associated with it, and we’ll also use it in other places in the browser whenever we need a visual to represent RSS and feeds. Look for more details on the look and feel of IE7 when we post the public pre-release build next year.
A little more background here.
Firefox 1.5 versus IE
Asa Dotzler of the Mozilla Group is on a slow burn, headed toward a rolling boil.
I’ve seen a number of articles comparing the currently available Firefox 1.5 with the still not available and probably not released for some time Internet Explorer 7. What’s wrong with this picture? Firefox 1.5 should be compared against the competition, not against something that may or may not be released sometime in the future.
Unfortunately, he doesn’t include any links, so I have no idea where these comparisons are. A search at Technorati using the terms IE7 and Firefox turns up only a few developer-focused articles and much praise for the recent Firefox 1.5 release. (Changing the term IE7 to Internet Explorer 7 results in only three hits in the last 10 weeks.)
A similar Google search turns up mostly stuff from last February, when IE7 was announced. So what set off this rant?
Where are all the Firefox 1.5 versus IE 6 articles? It does no service to users to tell them how Firefox stacks up against some future offering from Microsoft. How about telling users how Firefox 1.5 stacks up against the outdated, insecure, and difficult browser they’re using today? (or if they just have to report about IE 7, then how about comparing it to the equally unreleased Firefox 2 or Firefox 3?)
I use Firefox as my main browser. Does the world really need a Firefox 1.5 versus IE6 review? No, that would take about three paragraphs. I suspect most people want to know what’s new in Firefox 1.5, whether it works with the Web pages they visit most often, and whether their favorite extension is compatible. (I’ve found some serious problems with at least one major Web site – americanexpress.com – and have had to ditch a few extensions that I really didn’t care all that much about.)
I guess the browser reviewing press really don’t care about actual users who are suffering an increasingly painful and dangerous web. Microsoft announced IE 7 in February of 2005, very nearly a year ago. They claimed at the time that it would be available in the Summer of 2005 and here we are about to enter 2006 with nothing close to a finished browser from Microsoft.
The February announcement said a beta would be available in Summer 2005:
… Gates announced Internet Explorer 7.0, designed to add new levels of security to Windows XP SP2 while maintaining the level of extensibility and compatibility that customers have come to expect. Internet Explorer 7.0 will also provide even stronger defenses against phishing, malicious software and spyware. The beta release is scheduled to be available this summer.
Beta 1 was indeed released in July. It was nothing to write home about, but it was indeed shipped.
The Beta 1 announcement said nothing about final ship dates.
It has been clear in everything written about IE7 to date from Microsoft that it is a core component of Windows Vista and that the XP version is dependent on that release.
I just don’t understand where Asa is coming from. Firefox is getting great press. It’s been downloaded more than 100 million times. Market share is growing. So where’s the conspiracy?
IE7 for XP? You’ll have to wait some more
Over at the IE Blog, this news flash just appeared:
We’ll post an updated pre-release build of IE7 for Windows XP publicly – no MSDN membership required – during the first calendar quarter of 2006.
At first I didn’t understand why this is taking so long. Then it dawned on me: The feature set of IE7 has to be in perfect sync between Windows Vista and Windows XP. And now that Windows Vista Beta 2 has been pushed sometime into the New Year, that means IE7 has to lag as well.
Good news for the Firefox folks, who just shipped version 1.5.
My favorite Firefox extensions
I thought it might be interesting to share the list of my favorite Firefox extensions. These are the ones that are currently installed in my Firefox profile. I’ve tried others, but these are the ones that I use regularly. If you have recommendations for additional extensions, add a note in the comments. Be sure to include a link (in HTML format, if you know how) and a description of what the extension does.
Copernic Desktop Search Toolbar – After trying X1 again for a while, I’ve returned to Copernic. It’s free, fast, and seems to work better than just about any other desktop search tool.
AI Roboform Toolbar for Firefox – I can’t imagine using the Web without Roboform.
Tabbrowser Preferences – Adds a few nice options to the Tabbed Browsing Options dialog box, such as the ability to choose whether new searches open in their own tab in the background.
Tab Clicking Options – Allows you to redefine mouse actions for working with tabs. Fully compatible with TabBrowser Preferences.
IE View – Indispensable. For sites that require IE, you can right-click on a link or on the page itself and open the URL in an IE window.
FirefoxView – Adds a right-click menu option to IE so you can open the current page in Firefox.
PDF Download – Gives you the option to open a PDF link in a new tab, save the file, or view it as HTML. The best part is that you can see the file size before it opens – no more waiting while your browser tries to download a 50MB PDF file.
SessionSaver .2 – Another indispensable extension, this one saves all the tabs in your session so you can reload them on demand (it provides excellent crash protection, too). The SnapBack menu allows you to reopen a tab you closed accidentally.
All-In-One Sidebar – Lets you view bookmarks, downloads, extensions, and more in a sidebar tab similar to IE’s Explorer bars. The more I use this, the more I like it.
Download Manager Tweak – Fixes some annoyances in the default behavior for file downloads.
Google Toolbar for Firefox – The only reason I use this is for its on-the-fly spell-checker, which works brilliantly with Web forms.
ScrapBook – Save URLs and snippets from Web pages for reuse later. Handy.
PubSub Sidebar – Quick access to PubSub searches. I’m not using this one very much these days.
Copy URL + – Awesome. Adds the option to save formatted links, snippets of text, graphics, and other bits from the current Web page to the Clipboard. If you blog, this is a must. Be sure to read the documentation on how to extend it.
ChromEdit – A nice front end for editing the Firefox user profile. I don’t use it often but appreciate it on the rare occasions when I do need it.
1-ClickWeather – Puts current weather forecasts from Weather.com in the toolbar, status bar, or sidebar. A different extension called ForecastFox uses Accuweather. I’ll try it out this week.
BugMeNot – You visit a Web page that wants you to provide a bunch of personal information just so you can view a news clip. Annoying, isn’t it? Instead, with this extension installed you right-click, choose BugMeNot, and fill in a user name and password from the public store at bugmenot.com. If the first one doesn’t work, try again. Amazingly useful.
eMusic Toolbar – Very handy if you’re an eMusic.com subscriber.
Microsoft and Firefox
Am I the only one surprised to see MSN Search blog mentioning an add-on for Firefox? Am I the only one surprised by this statement on the MSN Search blog:
some of our customers prefer using Firefox and we respect that choice.
I’m certainly not surprised. In Windows Networking and Security Inside Out, which is at the printer’s now, Carl and I spent a lot of time talking about Firefox. Whenever possible, we included instructions for accomplishing security-related tasks in both IE and Firefox. And we didn’t get any pushback from the publisher, Microsoft Press.
Bonus tip of the day: Manage Firefox downloads better
In yesterday’s Tip of the day: Find a file, jump to its folder, I forgot to mention Firefox, which also has a hidden Open Containing Folder menu.
After you download a file in Firefox, you see the Downloads dialog box.
The two visible commands give you a chance to open the file immediately (handy if you want to install a download right away) or remove it from the list of downloads. But right-click and you get two extra choices.

The Open Containing Folder option opens Windows Explorer in the folder where you saved the file. The Properties dialog box tells you where the file came from and where you saved it.
Good stuff to know!
