
Firefox has security problem

Orangutan said:
Did I miss anyone pointing out that this was fixed 2 days ago?

http://www.mozilla.org/security/#Security_Alerts

May 8th Security advisory.
May 11th Patch available.

Seems like a pretty good response to me.

O.
Well, yes and no. The problem with Firefox at the moment (as is my limited understanding) is that you have to download a complete new version of the application to get updated; it's not a patch, it's a new release. If you have broadband, then the size of this download isn't really an issue, but it's still a manual process.

With Microsoft IE updates, on the other hand (if you have "auto update" or "advise me of updates" enabled), the patch (and it is just a patch) is automatically downloaded and installed for you; the user doesn't have to do anything to get updated.

However, I believe a soon to be released version of Firefox will have an auto-patch facility built in.
 
As far as I am aware there have been no security issues at all with my browser of preference... !ArcWeb
 
Iconoclast said:
Well, yes and no. The problem with Firefox .. download a complete new version ... but it's still a manual process.
Snip

Yup, I have to admit I have a fat pipe, so I didn't notice the download time. The browser did tell me I had an update to do by popping a little red icon up on the toolbar. I guess if it can do that already it won't be that hard to tell it to just automatically do updates.

O.
 
Firefox flaws overblown?

http://windowssecrets.com/comp/050512/#story1
At Microsoft's Windows Hardware Engineering Conference (WinHEC), held in Seattle April 25-27, for example, an IE product manager made this case explicitly. Firefox had had (at that time) "three major releases," she said, while Internet Explorer 6.0 had had none. This statement was presented as though a lack of upgrades to IE was a benefit.

In fact, Microsoft has released at least 20 major security patches for Windows or Internet Explorer since November 2004. Most of these patches were rated "Critical," Microsoft's most severe security alert level.

http://bcheck.scanit.be/bcheck/page.php?name=STATS2004&page=3
Actually there was only one period in 2004 when there were no publicly known remote code execution bugs - between the 12th and the 19th of October - 7 days in total. That means that a fully patched Internet Explorer installation was known to be unsafe for 98% of 2004. And for 200 days (that is 54% of the time) in 2004 there was a worm or virus in the wild exploiting one of those unpatched vulnerabilities.

IE ended 2004 with the unpatched HTML Help ActiveX control vulnerability and Trojan.Phel using it to install a backdoor.

http://bcheck.scanit.be/bcheck/page.php?name=STATS2004&page=4
Mozilla and the family (including Firefox, Netscape Navigator and Camino browsers) display a much shorter window of opportunity for a prospective attacker. There were 56 days (15%) in 2004 when there was a publicly known remote code execution in Mozilla and no patched release. 30 days in May-June for MacOS arbitrary code execution problem only affecting MacOS users, one day in July between the public report of shell: protocol vulnerability and the fixed Mozilla/Firefox release, one day in August between the disclosure and the fix of libPNG vulnerabilities, and 24 days in October-November between the Michal Zalewski's announcement of mangleme program and the Firefox 1.0 release incorporating the fixes for publicly announced bugs.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950149,00.html
Experts are fuming over the lengthy delay -- 200 days -- between when Microsoft Corp. was first notified of a critical vulnerability affecting all supported versions of Windows and when it released a patch. The primary issue: how confidential was the information detailing the ASN.1 flaw and when can we expect the first exploit...

"If Microsoft really considered this a serious or critical vulnerability for nearly all Windows users, it should have been a 'drop-everything-and-fix' thing resolved in a short period of time," said Forno. "Nearly 200 days to research and resolve a 'critical' vulnerability on such a far-reaching problem is nothing short of gross negligence by Microsoft, and is a direct affront to its much-hyped Trustworthy Computing projects and public statements about how security is playing much more important role in its products."

http://secunia.com/product/11/
Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical. Currently, 19 out of 80 Secunia advisories, is marked as "Unpatched" in the Secunia database.

http://secunia.com/product/11/#statistics_criticality
Microsoft Internet Explorer 6.x Criticality (Based on 64 advisories from 2003-2005).
42% are rated Extremely(14%) or Highly critical(28%).

http://secunia.com/product/4227/
Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical. Currently, 4 out of 17 Secunia advisories, is marked as "Unpatched" in the Secunia database.

http://secunia.com/product/4227/#statistics_criticality
Mozilla Firefox 1.x Criticality (Based on 17 advisories from 2003-2005).
18% are rated Extremely (0%) or Highly critical (18%).

http://windowssecrets.com/comp/050512/#story1
Microsoft employs some of the best software developers in the world. The company enjoys a cash reserve of $35 billion and is highly profitable. Yet a tiny company that builds open-source browser software is making the Redmond giant look foolish and incompetent in securing its products.

I have no particular attachment to the Mozilla Foundation or its products. If the foundation's browser software was a threat to Windows users, I'd say so. At the present time, several serious unpatched holes are known to exist in IE, while few or none plague Firefox. This isn't a religious issue, it's just a fact.

Just a few of the reasons I don't use IE and never have.

RayG
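
Added example, not part of the original post: the "days with a publicly known, unpatched remote code execution bug" figure quoted above is the union of each bug's disclosure-to-fix window, measured against the length of the year. The sketch below computes it; the function names are hypothetical and the dates are constructed only to match the window lengths quoted for Mozilla (30, 1, 1 and 24 days), they are not the real disclosure dates.

```python
from datetime import date

def exposure_days(windows, year):
    """Days in `year` covered by at least one [disclosed, patched) window.

    patched=None means still unpatched, so the window is clipped at year end.
    Overlapping windows are merged so that no day is counted twice.
    """
    year_start, year_end = date(year, 1, 1), date(year + 1, 1, 1)
    clipped = []
    for disclosed, patched in windows:
        lo = max(disclosed, year_start)
        hi = min(patched or year_end, year_end)
        if lo < hi:
            clipped.append((lo, hi))
    clipped.sort()

    total, cur_lo, cur_hi = 0, None, None
    for lo, hi in clipped:
        if cur_hi is None or lo > cur_hi:
            # Gap before this window: close the previous merged run.
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days
            cur_lo, cur_hi = lo, hi
        else:
            # Overlaps or touches the current run: extend it.
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days
    return total

def exposure_percent(windows, year):
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    return 100.0 * exposure_days(windows, year) / days_in_year

# Constructed dates (assumption): chosen only so the window lengths equal the
# 30 + 1 + 1 + 24 days quoted in the post for Mozilla in 2004.
MOZILLA_2004 = [
    (date(2004, 5, 20), date(2004, 6, 19)),   # 30 days, May-June
    (date(2004, 7, 7), date(2004, 7, 8)),     # 1 day, July
    (date(2004, 8, 4), date(2004, 8, 5)),     # 1 day, August
    (date(2004, 10, 16), date(2004, 11, 9)),  # 24 days, October-November
]

if __name__ == "__main__":
    print(exposure_days(MOZILLA_2004, 2004),
          round(exposure_percent(MOZILLA_2004, 2004)))
```

Because windows are merged before counting, two bugs open over the same days count those days once, which is why this metric differs from summing per-advisory time-to-patch.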
 
Wudang said:
Whoa! Firefox has been ahead of IE for a long time in terms of real features like adherence to CSS etc. What you believe isn't an issue. Do you believe like cures like?

Take a look at this page, with IE and Firefox.

The text on the left has a p-tag, which means that, in Firefox, the line spacing is not consistent. It is in IE.

What was that about Firefox adherence to CSS again? :)
 
CFLarsen said:
Take a look at this page, with IE and Firefox.

Take a look at that same page after running it through http://validator.w3.org/

Line 19, column 6: end tag for "HEAD" which is not finished

Most likely, You nested tags and closed them in the wrong order.

Another possibility is that you used an element (e.g. 'ul') which requires a child element (e.g. 'li') that you did not include. Hence the parent element is "not finished", not complete.

Line 26, column 166: document type does not allow element "P" here; missing one of "APPLET", "OBJECT", "MAP", "IFRAME", "BUTTON" start-tag

...d minim veniam, quis nostrud exerc.

Irure dolor in reprehend incididunt ut

The mentioned element is not allowed to appear in the context in which you've placed it; the other mentioned elements are the only ones that are both allowed there and can contain the element mentioned. This might mean that you need a containing element, or possibly that you've forgotten to close a previous element.

One possible cause for this message is that you have attempted to put a block-level element inside an inline element.

A page not adhering to standards, rendering in a sub-standard browser, is not a measurement of success.

RayG
 
RayG said:
A page not adhering to standards, rendering in a sub-standard browser, is not a measurement of success.

Careful now. Automated syntax checkers are not always reliable. Look at the code itself.

I cannot for the life of me see where I have missed an end-tag somewhere. Perhaps you can point it out?

Using a p-tag inside a DIV is illegal? Since when?
 
CFLarsen said:
Careful now. Automated syntax checkers are not always reliable. Look at the code itself.

That's all the parser attempted to do, examine the code for syntax errors. It relies on the document having the correct Doctype in order to return accurate results.

No DOCTYPE Found! Falling Back to HTML 4.01 Transitional

A DOCTYPE Declaration is mandatory for most current markup languages and without one it is impossible to reliably validate this document. I am falling back to "HTML 4.01 Transitional" and will attempt to validate the document anyway, but this is very likely to produce spurious error messages for most non-trivial documents.


The DOCTYPE Declaration in your document was not recognized. This probably means that the Formal Public Identifier contains a spelling error, or that the Declaration is not using correct syntax. Validation has been performed using a default "fallback" Document Type Definition that closely resembles HTML 4.01 Transitional, but the document will not be Valid until you have corrected the problem with the DOCTYPE Declaration.

Below are the results of attempting to parse this document with an SGML parser...

The checked page did not contain a document type ("DOCTYPE") declaration. The Validator has tried to validate with the HTML 4.01 Transitional DTD, but this is quite likely to be incorrect and will generate a large number of incorrect error messages. It is highly recommended that you insert the proper DOCTYPE declaration in your document -- instructions for doing this are given above -- and it is necessary to have this declaration before the page can be declared to be valid.

The parser warns you at least four times that the document does not contain a Doctype declaration.

I cannot for the life of me see where I have missed an end-tag somewhere. Perhaps you can point it out?

Lots of times a single error in one place causes additional errors in other places. I suspect this is the case here as well.

Using a p-tag inside a DIV is illegal? Since when?

Using a p-tag inside a DIV is ok, but using one inside a SPAN is a different matter. The following tags are valid within the SPAN tag: a, acronym, applet, b, basefont, bdo, big, br, button, cite, code, dfn, em, font, i, iframe, img, input, kbd, label, map, object, q, s, samp, script, select, small, span, strike, strong, sub, sup, textarea, tt, u, var

One possible cause for this message is that you have attempted to put a block-level element (such as "p-tag" or "table-tag") inside an inline element (such as "A", "SPAN", or "FONT").

I'm guessing if the corrections are made, so that the document adheres to standards, the page will render correctly.

RayG
 
RayG said:
I'm guessing if the corrections are made, so that the document adheres to standards, the page will render correctly.

Hey, I'm flexible. No p-tag. The DOCTYPE with DTD. The test still gives an error on the end-HEAD tag, but I have no idea why.

Here's the simplest HTML you can have. I still get the same error. If you have an idea, let me know.

Still: No change in either IE or Firefox.

Your call.
 
CFLarsen said:
Here's the simplest HTML you can have. I still get the same error. If you have an idea, let me know.
This w3 validator is a really picky pain in the a** :)
I think you should add something between your now empty HEAD tag, for example a TITLE tag:
PHP:
<html>
<head>
<title>Hello world!</title>
</head>

<body>

Hello, World!

</body>
</html>
 
CFLarsen said:
Doesn't help.
You placed the title tag before the head tag. Here's the source of your page:
PHP:
<html>
<title>title comes here</title>
<head>
</head>

<body>

Hello, World!

</body>
</html>
The title tag must be nested in the head tag, see my previous post.
 
ahem

http://it.slashdot.org/article.pl?sid=05/05/15/139208&tid=113&tid=218

"Several flaws have been uncovered by security firm eEye in Microsoft's Internet Explorer. The flaws allow remote compromise of computers running Windows Operating Systems and affect IE, Outlook and possibly other MS software. With the next MS Windows security bulletin release scheduled for June 14, 2005 news sources are reporting that in comparison with the Mozilla Foundation's prompt fix for the recently reported Mozilla 1.0.3 vulnerabilities MS appear to be leaving a large window for the possible malicious exploitation of these flaws."

Make of that what you will.
 
wahrheit said:
You placed the title tag before the head tag.

Arh! Claus, you're an idiot!

No errors now.

Guess what? Firefox is not CSS compliant. IE is.
 
CFLarsen said:
Arh! Claus, you're an idiot!

No errors now.

Guess what? Firefox is not CSS compliant. IE is.
The W3C people have a test suite here. From a quick glance, seems to me neither is.
 
Donks said:
The W3C people have a test suite here. From a quick glance, seems to me neither is.

Well, in this - simple - case, IE sure beats the living daylights out of Firefox.
 
CFLarsen said:
Well, in this - simple - case, IE sure beats the living daylights out of Firefox.
I don't really care about full CSS compliance. I started using Firefox for Adblock and the search engines thingy.
 
