MozillaZine

Mozilla Security Hole

Tuesday April 30th, 2002

Anonymous reports: "Grey Magic is reporting a minor security hole in Mozilla builds from at least 0.9.2 up to the current trunk and 1.0 branch. A bug has been filed in bugzilla, and will be opened to the public to view once the fix has been made. This also affects Netscape browsers from at least 6.1 on. There are no known uses of the vulnerability at this time." We'll let you know when a patch has been checked in for this.

On a side note, Grey Magic recommends that users "should move to a better performing, less buggy browser," on their vulnerability page. Looking at the open issues for it, IE clearly doesn't seem like the better choice.

UPDATE! A fix has been checked into the trunk, and has been approved for checkin to the 1.0 branch. Expect it to be in nightly builds for both branch and trunk starting tomorrow.


#1 Only local?

by turi

Tuesday April 30th, 2002 1:00 PM

Hm, does this just display the data to the user (which can be done using frames and file:////foo too) or is it possible to send it to a server of the coder's choice?

#2 Re: Only local?

by turi

Tuesday April 30th, 2002 1:02 PM

hmpf, replace Link with " file : /// foo " (without spaces).

#31 That doesn't help you much

by n0nick <n0nick@netvision.net.il>

Tuesday April 30th, 2002 5:06 PM

Using frames or links to get to local files doesn't do much - the online page on the server doesn't get the file's content, only the browser handles it, client-side. However using this method retrieves the file's contents into a variable in javascript - making it possible to store it online for some later use. And that's dangerous. Imagine someone reading one of your top-secret documents, your credit card details, the password to your ISP/bank account, etc.

#33 Re: That doesn't help you much

by dpol <dpol@swipnet.se>

Tuesday April 30th, 2002 6:47 PM

"Imagine someone reading one of your top-secret documents, your credit card details, the password to your ISP/bank account, etc."

While an exploit of this type is serious, I believe that we should keep in mind that you'd need to know the exact file name in order to retrieve the file contents. Profile data should be impossible to get at, as the directory name is "salted", as others have pointed out. Also, on UNIX, the user is hopefully not logged in as root, thus it should be impossible to retrieve the most sensitive information. I don't see how anyone could retrieve "top secret documents" without knowing the fully qualified path name, which on UNIX includes the name of the user currently logged in.

#53 I beg to differ....

by leahcim

Wednesday May 1st, 2002 9:13 AM

>While an exploit of this type is serious, I believe that we should keep in mind that you'd need to know the exact file name in order to retrieve the file contents.

Well, /etc/passwd would work in a lot of cases, admittedly shadow passwords would fix some of that (still get a list of accounts to try) Some might have user readable fetchmail.conf files with isp passwords in them.

But actually putting file:/ in their demo I got a dir listing, admittedly that would involve a server trying to keep me clicking links and storing state until it reached a file (or could it use its own redirects?) but...

The worst thing about this is the attempt to hide the information once it was already known. Why isn't a warning screaming at me on the mozilla home page? Sod the fix being available, I'd have the choice to use another browser until there is one or pretend reading files is "minor"

Now I am asking whether this attitude has left me at risk before and will again? Perhaps time to stop using mozilla until someone other than netscape controls what is and isn't pulled from the bug tree?

I assume the $1000 is on its way to the finder at last? If not then don't expect me to believe the lip service replies either.

#55 Re: I beg to differ....

by asa <asa@mozilla.org>

Wednesday May 1st, 2002 9:36 AM

>Perhaps time to stop using mozilla until someone other than netscape controls what is and isn't pulled from the bug tree?

Not sure what you're talking about. There was a short period of time (hours not days) where those with the skills to fix the problem had a private discussion, the fix was generated and applied to the trunk and the bug is open and completely visible. If you're concerned about this bug then get today's build where it's no longer a problem. I don't see that kind of turnaround from any other browser on the planet. Mozilla takes browser vulnerabilities very seriously and if this fellow had reported the bug to Mozilla rather than trying to make money off of it then the bug would have been fixed considerably sooner. 9 out of 10 folks that care about Mozilla and browser users in general try to work with the developers on a project to get these things fixed. They do that by contacting _Mozilla_ developers and working with them in Bugzilla to get a fix. This guy decided to go to one particular vendor who distributes a Mozilla-based product and try to make money off of his find. I'm glad that his type is in the minority and most people know that working with Mozilla is the best way to effect change in the codebase.

--Asa

#56 re:

by leahcim

Wednesday May 1st, 2002 10:05 AM

>There was a short period of time (hours not days) where those with the skills to fix the problem had a private discussion, the fix was generated and applied to the trunk and the bug is open and completely visible.

Because, as you'll see in the bug comments, it was already public.

Yes I'm thankful that, reading the bug report, at least a couple noted the folly of hiding the bug, the security policy page you posted elsewhere in here speaks louder though.

You're right though, there is a sad lack of well-featured, secure browsers around, perhaps you should write one? ;o) Ok, I jest, but I hope your statements about taking security seriously (know any vendor who doesn't say that?) show themselves in the robustness of the browser, as others turn their attention to finding security holes in mozilla. Thus far it'll take more than a promise, sorry.

There's always chroot thankfully.

#58 re:

by leahcim

Wednesday May 1st, 2002 10:43 AM

>If Mozilla.org were to announce the bug on their homepage before a fix was available then they would essentially be inviting people to develop exploits to take advantage of the flaw.

You'll see my comments elsewhere in the thread concerning this. A public announcement on or near the home page would easily allow me to not use mozilla until it is fixed or a patch available (or at least restrict my surfing) thus making these exploits impotent regardless of whether millions of sites suddenly decide to write them - unless you're suggesting mozilla.org will exploit me? I don't expect that, hence I see less risk in seeing the info.

Remember mozilla is an interactive program, not a service. I can well understand why your statements make sense for a program like sshd, exim, sendmail. If you read the bug report, you'll see that a few at mozilla didn't even believe your guff.

>If you are going to stop using Mozilla until Netscape is not involved, then I am curious about which browser you are going to use instead.

Is that because you could only think of one other? - btw, IE doesn't run on my OS, so I'm neither affected by nor concerned with IE security bugs, nor with comparisons between Mozilla's security record / procedures and MSs.

#63 Other browsers

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 12:25 PM

>Is that because you could only think of one other?

Man, you are really reaching to come to that absurd conclusion.

No I am curious because I would like to know who you think is doing a better job than Mozilla. I could provide a long list of browsers for you to choose from, but what would be the point in that? I wanted to know which browser you were thinking of using; I was not trying to recite my knowledge of what browsers are available.

>btw, IE doesn't run on my OS, so I'm neither affected by nor concerned with IE security bugs, nor with comparisons between Mozilla's security record / procedures and MSs.

The only reason that I mentioned the IE factoid is because I knew how long it took them to fix a similar problem. It was simply an example of how long it can take other companies to fix security problems. It was not meant to be an exhaustive list.

BTW, why did you still not say which browser you would use instead of Mozilla?

#65 re:

by leahcim

Wednesday May 1st, 2002 1:30 PM

> Most users do not have mozilla.org as their home page.

Well there's not much point at the moment given the security fixes aren't there.

FFS they go to the trouble of telling folk the browser is too old on the start page, it doesn't take a leap of imagination to change that message.

> so making an announcement there would not be a very effective warning for the masses

What masses? You don't have masses yet. That aside, if the info was there and folks chose to load yahoo or blinkenlightenflashenBeepenfart.com instead that would be their lookout.

Most users don't apply fixes anyway - I hope your dumb logic isn't going to stop you writing them on the basis of what "most users" do?

No the guff I referred to was the sensible folk at mozilla who quite correctly pointed out the netscape employee who marked the bug as hidden was peeing in the wind.

#74 Your reply is incoherent

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 7:40 PM

Your reply is incoherent

#84 heh

by joschi

Thursday May 2nd, 2002 1:17 AM

i think we found the first auto-generated troll in the wild, those sentences just don't hang together :)

#64 Warning

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 1:00 PM

> A public announcement on or near the home page would easily allow me to not use mozilla until it is fixed or a patch available (or at least restrict my surfing) thus making these exploits impotent regardless of whether millions of sites suddenly decide to write them -

News of security flaws travels fast among those looking to exploit; announcing the flaw publicly almost instantly makes all Mozilla users more vulnerable than they were before. Unless you can guarantee that the majority of users will see the announcement, it is safer for the majority if the flaw is kept quiet until there is a fix.

Most users do not have mozilla.org as their home page, so making an announcement there would not be a very effective warning for the masses; however, it would be an effective means of spreading the news of the vulnerability to the malicious individuals who might develop exploits.

>unless you're suggesting mozilla.org will exploit me? I don't expect that, hence I see less risk in seeing the info.

That makes absolutely no sense at all.

First of all, there is no way that you could possibly derive that from anything that I said.

Secondly, whether or not there is a warning on Mozilla.org's home page has no effect on Mozilla.org's ability to exploit you.

Thirdly, you are never at risk because you heard about the flaw, you are at risk because others have heard about it.

>Remember mozilla is an interactive program, not a service. I can well understand why your statements make sense for a program like sshd, exim, sendmail.

I do not see the difference.

>If you read the bug report, you'll see that a few at mozilla didn't even believe your guff.

I read the bug report yesterday and I just re-read it right now; I do not see where anyone, from mozilla or otherwise, made any reference to me or my "guff" anywhere. I also do not see any comments that contradict anything that I have said. Perhaps you are looking at a different bug?

#68 re: Warning

by leahcim

Wednesday May 1st, 2002 1:44 PM

> I do not see the difference.

Ok, I have a copy of the exploitable mozilla, please exploit it. What? You need me to visit your site, how so? But you saw no difference between mozilla and exim? Does exim open a page at mozilla.org by default before connecting to the internet?

So, think outside the box, I start the browser and it navigates to mozilla.org/start and instead of saying daft things like "You must now report bugs" (some weird license condition is this?) or "You've got an old browser..." it says "we fscked up again chaps, upgrade here (if there is a fix) or be careful"

At this point I don't visit h4x0r.com, I most likely click 'x' and wait for a fix.

The alternative h4x0r.com, theregister.co.uk and everywhere reports the bug and knows about it, the so-called masses visit a site and unwittingly get exploited.

If the developers can't see that you're probably right, there is no browser worth using. This one especially.

#75 This one especially.??

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 7:43 PM

What do you mean "This one especially." ? Why Mozilla more than any other?

#76 The difference

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 7:50 PM

Your explanation of the difference does not explain why the security policy should be any different.

If there is a security flaw in Mozilla, I can avoid exploits by not using the Mozilla. If there is a security flaw in exim, I can avoid exploits by not using exim.

Please explain why you think it would be ok for exim to keep the flaw secret, but you think it is wrong for Mozilla to do so.

#79 re

by leahcim

Wednesday May 1st, 2002 10:36 PM

When you start mozilla it displays a web page from a trusted site (well I think it's trusted) that could warn (or even offer the patch)

Sure, people can change that page, but equally people could not apply a patch - if the front page of mozilla had the info you'd be daft to ignore it (plus the sidebar / tabbed browser could do both anyway)

When you start exim, it's typically used in a way that allows remote connections like other daemons (of course, not always, but then it's not exploitable) it doesn't have a user interface - the fact that mozilla.org already chooses to advertise bug reporting and out of date browsers shows that mozilla are well aware of the differences too.

The fact that mozilla.org currently claims there are no known security holes on its page at all, let alone this one, or any previous versions, shows that the policy runs a little longer than "until a fix is ready" anyway. It's a crap policy and you aren't even following it.

Of course it is worth being positive - your policy didn't work anyway and is unlikely to - as good sites are showing you can't hide info - so at least these issues are getting well reported (even by mozillazine.org) even if mozilla.org doesn't bother.

#57 Re: I beg to differ....

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 10:29 AM

When a security problem is discovered, the most important thing to do is find a fix.

Launching a campaign to make the world aware of the security flaw should not be done until the patch has been developed.

If Mozilla.org were to announce the bug on their homepage before a fix was available then they would essentially be inviting people to develop exploits to take advantage of the flaw. You think that is the best way to protect you? Personally I am glad that they try to keep security flaws quiet until they have a fix. The reason that they made the Bugzilla bug public was so that people who had already heard about the problem could see that work was being done to resolve it.

If you are going to stop using Mozilla until Netscape is not involved, then I am curious about which browser you are going to use instead. I seriously doubt that anyone is going to provide fixes faster than Mozilla. The Mozilla team delivered a temporary fix almost immediately and then had a real patch within hours; when a similar bug was found in IE, it took Microsoft a few months to get a patch out.

As for the $1000, that is a Netscape issue and really has no bearing on Mozilla.

#70 Re: I beg to differ....

by ksheka

Wednesday May 1st, 2002 4:56 PM

If mozilla.org had a warning about using Mozilla until the bug was fixed, what other options are there? IE is much less secure, other browsers are not as feature complete as Mozilla...

I suppose I could stop browsing until a fix was in, but then how would I know... :-)

#71 re

by leahcim

Wednesday May 1st, 2002 6:22 PM

What other options? Do you hear voices impelling you to click links or something - go to the park, shag, use lynx if your life depends on internet access. Sheesh.

> I suppose I could stop browsing until a fix was in, but then how would I know... :-)

Well, you're evidently joking, but if you don't trust mozilla.org you wouldn't be using the browser in the first place, let alone worrying about visiting their site to check for a fix.

#72 Avoiding the question again

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 7:34 PM

leahcim, you seem to be trying to avoid answering the question once again.

What you said : "Perhaps time to stop using mozilla until someone other than netscape controls what is and isn't pulled from the bug tree?"

The question : If you stop using Mozilla until the security bug policy changes, what other browser are you going to use that is better about handling security bugs?

Please just answer it this time or admit that you do not have an answer.

#78 re

by leahcim

Wednesday May 1st, 2002 10:15 PM

> Please just answer it this time or admit that you do not have an answer.

Why? Is the motto of Mozilla "No worse than any other browser vendor" or "we set our objectives low and successfully fail to meet them"? ;o)

Does the concept of someone not using a browser at all not exist in your brain? If that's what you are saying is the case, so be it.

Stop telling me there's nothing else to use, give me a reason to use mozilla instead - this isn't politics, leave telling me the other guy is just as bad to the politicians.

On second thoughts, make it at least 1 reason for each bugtraq entry that (luckily, given the silence that's called <http://www.mozilla.org/security>) suggests I shouldn't.

#94 Off topic : My Wild Guessing Tech Support story

by SubtleRebel <mark@ky.net>

Thursday May 2nd, 2002 12:13 PM

>> Please just answer it this time or admit that you do not have an answer. > >Why?

Because you implied that you had a better alternative.

>Does the concept of someone not using a browser at all not exist in your brain?

Yes I understand that concept, but it has no relevance to your previous comments regarding using a different browser. You have indicated previously that you think Mozilla security is worse than other browsers, but yet you continue to refuse to divulge the names of any other browsers.

>Stop telling me there's nothing else to use, give me a reason to use >mozilla instead - this isn't politics, leave telling me the other guy >is just as bad to the politicians.

What are you responding to?

1) I have never told you that there is nothing else to use. 2) I am not trying to convince you to use Mozilla; I am trying to get you to answer a simple question. 3) I have never said that "the other guy is just as bad" at all. I have said Mozilla is the best and if you want us to believe that anyone else is better then you at least have to tell us who you are talking about.

#95 Cleaned up post (hopefully)

by SubtleRebel <mark@ky.net>

Thursday May 2nd, 2002 12:16 PM

>> Please just answer it this time or admit that you do not have an answer. > >>Why?

Because you implied that you had a better alternative.

>Does the concept of someone not using a browser at all not exist in your brain?

Yes I understand that concept, but it has no relevance to your previous comments regarding using a different browser. You have indicated previously that you think Mozilla security is worse than other browsers, but yet you continue to refuse to divulge the names of any other browsers.

>Stop telling me there's nothing else to use, give me a reason to use mozilla instead - this isn't politics, leave telling me the other guy is just as bad to the politicians.

What are you responding to?

1) I have never told you that there is nothing else to use.

2) I am not trying to convince you to use Mozilla; I am trying to get you to answer a simple question.

3) I have never said that "the other guy is just as bad" at all. I have said Mozilla is the best and if you want us to believe that anyone else is better then you at least have to tell us who you are talking about.

#96 Mozillazine removing carriage returns

by SubtleRebel <mark@ky.net>

Thursday May 2nd, 2002 12:17 PM

Why is Mozillazine removing carriage returns from my posts?

#97 Ignore "Off Topic ..." title from old thread (n/t)

by SubtleRebel <mark@ky.net>

Thursday May 2nd, 2002 12:20 PM

Previous post pulled Title from an old thread for some reason and I did not catch it.

#3 Doesn't work for me

by AlexBishop <alex@mozillazine.org>

Tuesday April 30th, 2002 1:04 PM

When I try the demonstration with RC1 on Win XP, Moz just crashes. I guess this is preferable to the flaw being exploited. :-)

That "Users of Netscape Navigator should move to a better performing, less buggy browser" bit is not a solution but pure biased opinion. And IE has the exact same flaw.

Anyway, can anyone get this flaw to work? I suppose if someone could, they could use it to access information in a user's profile. Except the salting prevents that.

Alex

#4 Re: Doesn't work for me

by turi

Tuesday April 30th, 2002 1:10 PM

The salting actually does prevent that. But other things are extremely easily predictable.

I can make this work locally with a 1.0 branch build. I can't get it to work over the net, but I'm no good at web-authoring...

#20 Related Issue of Netscape dodging the 1000$ bounty

by TonyG <tony.gorman@blueyonder.co.Yuk>

Tuesday April 30th, 2002 3:59 PM

Dunno if you have seen this

<http://www.theregister.co.uk/content/4/25079.html>

but it appears Netscape are dodging payment of the 100$ per bug bounty. The Register is pretty scathing about this and rightly so.

#26 teset

by kerz <jason@mozillazine.org>

Tuesday April 30th, 2002 4:33 PM

tests

#27 test2

by kerz <jason@mozillazine.org>

Tuesday April 30th, 2002 4:35 PM

test2

#41 Over-reacting?

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 1:41 AM

They attempted to contact Netscape less than a week ago and have not heard back yet; from that they assume that Netscape is trying to dodge paying them $1000?

From what I have seen, Netscape has said nothing to them at all. There have been many times that I have sent email to a company or filled out a form on their website and never heard anything from them, but I have never really taken it personally.

I do not know who gets the web form posts or who got the email that was sent, but from the looks of things, it never got to the right people. As soon as a bug was posted to Bugzilla, Netscape developers jumped in and started working to resolve it; all indications are that they had not received any prior notification of the problem.

I do not know why Grey Magic's April 24th attempt to inform Netscape got overlooked (perhaps everyone was busy working on previously defined RC2, adt, nsbeta bugs?) but it seems obvious that that is what happened. Now Grey Magic and The Register are jumping to conclusions. I would think that they would have made several more attempts to contact Netscape and waited a bit longer before making assumptions and whining about it.

#6 Re: Doesn't work for me

by Benman

Tuesday April 30th, 2002 1:22 PM

I can't get it to work either, all it does is just make Mozilla crash.

I wish that reporter would get real. This is the first security bug I've seen in Mozilla, and I can guarantee that it will be fixed by the next milestone or maybe even the next nightly build.

#8 Re: Doesn't work for me

by chrisbolt

Tuesday April 30th, 2002 1:35 PM

RC1 on WinXP, works for me. Successfully prints the contents of c:\boot.ini when I tried it.

#9 Re: Re: Doesn't work for me

by turi

Tuesday April 30th, 2002 1:47 PM

Can you make it send the file over the net or does it just get displayed without leaving your computer?

#29 Re: Re: Re: Doesn't work for me

by chrisbolt

Tuesday April 30th, 2002 4:51 PM

From the source, it appears it is displayed on the page with javascript, so it looks like it would be possible to redirect to a page with the file's contents as the query string. I haven't tried it myself, though.

#5 The Better Performing, Less Buggy Browser

by tny

Tuesday April 30th, 2002 1:12 PM

Users of Netscape Navigator should move to a better performing, less buggy browser.

Unfortunately, there's only one: Lynx.

#7 Re: The Better Performing, Less Buggy Browser

by Benman

Tuesday April 30th, 2002 1:23 PM

I must disagree, IMO Mozilla is the best there currently is.

#47 Re: Re: The Better Performing, Less Buggy Browser

by tny

Wednesday May 1st, 2002 7:00 AM

Obviously you didn't get the joke. Lynx is much faster because it is text only; it is less buggy because it is an ancient (relatively speaking), relatively small codebase.

If you honestly think that Mozilla is better performing than Lynx, you don't know anything about browsers. But obviously Mozilla has much better features than Lynx.

#10 Re: The Better Performing, Less Buggy Browser

by turi

Tuesday April 30th, 2002 1:50 PM

Don't forget links and w3m (my favorite text browser: renders tables and frames). They're certainly performing better regarding speed and bloat and due to their small codebase they're less buggy too. But hey, sometimes I want all those features mozilla offers...

#48 Re: Re: The Better Performing, Less Buggy Browser

by tny

Wednesday May 1st, 2002 7:05 AM

Turi, you got that was a joke, right? I said Lynx because that's the small text browser nearly every Unix box (and many Windows boxes, like this one) has on it.

#51 Re: Re: Re: The Better Performing, Less Buggy Brow

by turi

Wednesday May 1st, 2002 8:22 AM

I've just been replying with a big grin on my face, obviously I should put that into the written words... ;) But I actually do like w3m if I'm logged into a server without X running. It's so incredibly fast...

#17 He's miffed at being stiffed

by vondo

Tuesday April 30th, 2002 2:48 PM

According to The Register, <http://www.theregus.com/content/4/24809.html> he wants his $1000 bounty from Netscape. I would think that is what is behind his comment. If you wanted "less buggy, better performing" you could certainly make the case that IE is that browser IF security isn't your main concern. It seems to me it is his main concern.

#40 How so?

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 1:17 AM

In what regard is IE less buggy and better performing than Mozilla?

My experiences with IE 5.1 for OS X have been pretty negative; Mozilla for OS X is more stable and faster from what I can tell.

#52 How so?

by vondo

Wednesday May 1st, 2002 8:36 AM

I don't use IE a whole lot, mainly using Mozilla on Linux. But when I do use IE 6.0 on Windows, I don't recall having it crash. I don't recall ever seeing anything in the menu system that just plain doesn't work.

Overall, it just strikes me as a "smoother" experience. Less featured, maybe, but smoother.

As for faster, I can't stand the way mozilla takes ~1 second to finish after clicking the forward or back buttons. With IE and NN, these are (nearly) instantaneous.

Remember, I said you could "make a case that...," not that it is an absolute truth. There are a thousand ways to measure bugginess and stability and I'm sure mozilla wins under some fraction of those metrics.

#69 Re: How so?

by tny

Wednesday May 1st, 2002 2:18 PM

Use IE6 on a 9x Windows. You'll crash, o how you'll crash. On NT versions, it's fine.

#11 Opera is OK

by PC1

Tuesday April 30th, 2002 1:51 PM

I am running Win98 and Mozilla RC1 also Crashed.

I tried Opera 6.02 1087 beta and it is not affected, Woohoo.

#44 Re: Opera is OK

by pirat

Wednesday May 1st, 2002 5:22 AM

How can it be affected with its non-existent XmlHTTP support ^_-

#100 Where to obtain beta copy of Opera ?

by penang

Friday May 3rd, 2002 2:46 AM

I wonder if you can tell us where to obtain beta copy of Opera ?

Thanks !

#103 Where to obtain beta copy of Opera ?

by zevious

Friday May 3rd, 2002 9:47 AM

DUH! Obviously not here and if you have to ask.. well er.. n/m

#104 Re: Where to obtain beta copy of Opera ?

by PC1

Friday May 3rd, 2002 10:34 AM

Version 6.01 is good; A beta version of 6.02 is @: <http://www.majorgeeks.com…iles.php?cat=5&sort=1>

#12 Two more

by jfedor

Tuesday April 30th, 2002 1:55 PM

Thor Larholm disclosed two more vulnerabilities in Mozilla:

<http://online.securityfoc…9/2002-04-27/2002-05-03/0>

I think we all agree that it would be nice if these bugs weren't present in 1.0.

#13 Re: Two more

by AlexBishop <alex@mozillazine.org>

Tuesday April 30th, 2002 2:21 PM

The Thor Larholm vulnerabilities are posted in a reply to the GreyMagic report on the BugTraq mailing list. This version of the GreyMagic report contains extra information that isn't on the page <http://sec.greymagic.com/adv/gm001-ns/> - specifically, it sheds a little light on the reasoning behind the harsh "better performing, less buggy browser" statement.

GreyMagic states that they contacted Netscape on Wednesday 24th April. They go on to say, "They did not bother to respond AT ALL, and we think we know why." Then they launch into some conspiracy theory where Netscape is covering up bugs to avoid paying out $1,000 rewards as part of their Bug Bounty <http://home.netscape.com/security/bugbounty.html> program. Then they decide that in future they will:

"* Release all future Netscape advisories without notifying Netscape at all.

"* Advise the security community to do the same. Netscape is deceiving researchers and should not be rewarded.

"* Advise customers to stop using Netscape Navigator through our security advisories and business contacts."

Obviously, not telling Netscape about security bugs is going to help them get fixed. And they call Netscape "extremely unprofessional"!

If GreyMagic had bothered to read Netscape's security bug report form <http://help.netscape.com/forms/bug-security.html> they would have noticed the bit that says, "We read all of the bug reports we receive, but we will only contact you if we need more details about your bug. We appreciate your feedback!" So basically, the reason GreyMagic didn't get a response is because they wrote a good bug report. Ironic? Yes. A conspiracy? No.

As for the Thor Larholm vulnerabilities, I can't get the IRC one to work (but then I can't connect to external IRC servers from behind this firewall and a crash isn't really a security vulnerability anyway) but I can get the second one to work. Which is bad.

Alex

#22 Re: Re: Two more

by wolruf

Tuesday April 30th, 2002 4:00 PM

Reply to this message

If there's no privacy issue, I'm not sure these bugs would get fixed for 1.0. There're many other ways of crashing Mozilla (DoS attacks ?): look for 'crash' and 'testcase' keywords. There're currently 41 such open bug reports. Not counting those without testcase.

#62 Does netscape ever reply? - No.

by johann_p

Wednesday May 1st, 2002 12:05 PM

Reply to this message

Netscape does seem to have a policy of never replying to anything, be it bug reports, support requests, security alerts, complaints, whatever. A conspiracy? No. Impolite? Yes.

#99 Re: Two more

by biesi <cbiesinger@web.de>

Thursday May 2nd, 2002 2:22 PM

Reply to this message

This issue is actually only one issue.

Furthermore, it's not a buffer overflow, but an infinite recursion, which is not exploitable.

See <http://bugzilla.mozilla.org/show_bug.cgi?id=141375>

#14 Bug Bounty

by sgifford <sgifford@suspectclass.com>

Tuesday April 30th, 2002 2:33 PM

Reply to this message

GreyMagic also say in their post to BugTraq:

> Important notes:
> ================
>
> Netscape was contacted on 24 Apr 2002 through a form on their web site and
> through email to <security@netscape.com> and <secure@netscape.com>.
>
> They did not bother to respond AT ALL, and we think we know why.
>
> A while ago Netscape started a "Bug Bounty" program, which entitles
> researchers who find a bug that allows an attacker to run unsafe code or
> access files to a $1000 reward.
>
> By completely disregarding our post Netscape has earned themselves a $1000
> and lost any credibility they might have had. The money is irrelevant, but
> using such a con to attract researchers into disclosing bugs to Netscape is
> extremely unprofessional.
>
> Netscape's faulty conducts made us rethink our disclosure guidelines and we
> came to the following decisions:
>
> * Release all future Netscape advisories without notifying Netscape at all.
>
> * Advise the security community to do the same. Netscape is deceiving
> researchers and should not be rewarded.
>
> * Advise customers to stop using Netscape Navigator through our security
> advisories and business contacts.
>
>
> [1] <http://home.netscape.com/security/bugbounty.html>

Does anybody know about the validity of these accusations?

#15 Re: Bug Bounty

by sgifford <sgifford@suspectclass.com>

Tuesday April 30th, 2002 2:35 PM

Reply to this message

Wow, that came out as a mess...Sorry about that!

#16 Re: Bug Bounty

by sgifford <sgifford@suspectclass.com>

Tuesday April 30th, 2002 2:36 PM

Reply to this message

Wow, that came out as a mess...Sorry about that!

#102 Re: Bug Bounty

by GreyPoopon

Friday May 3rd, 2002 8:35 AM

Reply to this message

Oooh. They waited a whopping 6 days for a response? What morons. Did they expect the $1000 to be wired to their account immediately? I haven't read the "Bug Bounty" description, but if it indicates a short response time, we'll obviously have to change the moron pointer's direction.

#18 bugzilla/bugscape

by jwb

Tuesday April 30th, 2002 3:11 PM

Reply to this message

Netscape's policy of moving all security bugs to their ridiculous internal non-public bug system is stupid and prevents effective flushing out of security problems. That is all.

#38 Re: bugzilla/bugscape

by asa <asa@mozilla.org>

Tuesday April 30th, 2002 11:18 PM

Reply to this message

You clearly don't know what you're talking about. <http://www.mozilla.org/pr…security-bugs-policy.html>

--Asa

#54 Then again...

by leahcim

Wednesday May 1st, 2002 9:29 AM

Reply to this message

Yes he does.

I don't need to use mozilla, mozilla isn't like, say sshd or exim, a service running on my machine that could be attacked remotely before a fix is written or applied - full public disclosure on the mozilla home page (that is the first page I open) would allow me to click 'x' and stop using it (or at least restrict myself to trusted sites, if there is such a thing) and hence remove all risk.

I hope they rethink this policy.

#61 Security policy

by bzbarsky

Wednesday May 1st, 2002 11:35 AM

Reply to this message

The point is, it's not _Netscape's_ policy and the bugs are not moved to Bugscape...

#81 Re: Then again...

by asa <asa@mozilla.org>

Wednesday May 1st, 2002 10:52 PM

Reply to this message

Point me to a single instance of Netscape "moving all[any] security bugs to their ridiculous internal non-public bug system". What? You can't? You really didn't read the post I responded to? You read it but didn't understand it? You're just trolling?

--Asa

#19 Yeah, it works

by arsa

Tuesday April 30th, 2002 3:52 PM

Reply to this message

In RC1 on W2K it shows me my local file. Scary. What am I gonna use to browse pr0n now? 8)

The real question for post-1.0 era is whether there will be any patch delivery mechanism available for mozilla, so people don't have to download whole thing all over. I understand that it can be fixed very fast with source code available, but delivery - that's problem. MS has windowsupdate at least.

#39 Re: Yeah, it works

by asa <asa@mozilla.org>

Tuesday April 30th, 2002 11:19 PM

Reply to this message

>In RC1 on W2K it shows me my local file. Scary. What am I gonna use to browse pr0n now? 8)

How about tomorrow's build or RC2?

--Asa

#50 Well, sure, but...

by arsa

Wednesday May 1st, 2002 8:12 AM

Reply to this message

It's 10Mb download. Of course it's just half an hour on a modem.

But I am talking about binary patches. And/or a website that would tell people to update, like windowsupdate.microsoft.com

#66 Post Mozilla 1.0

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 1:31 PM

Reply to this message

You gather that you are talking about SmartUpdate/XPInstall type updates. IIRC, somewhere someone said that this was planned for after Mozilla 1.0 is released. It may have been a Netscape deal though rather than Mozilla.

#23 Yeah, it works

by arsa

Tuesday April 30th, 2002 4:01 PM

Reply to this message

In RC1 on W2K it shows me my local file. Scary. What am I gonna use to browse pr0n now? 8)

The real question for post-1.0 era is whether there will be any patch delivery mechanism available for mozilla, so people don't have to download whole thing all over. I understand that it can be fixed very fast with source code available, but delivery - that's problem. MS has windowsupdate at least.

#24 Yeah it works.

by starheart <chaos@okcforum.org>

Tuesday April 30th, 2002 4:03 PM

Reply to this message

Running Mozilla 1.0RC1 under WinXP it crashed when I tried to read foo.txt(I made) from C:temp, but does work when I tried boot.ini in C:. I think I will be moving to using konqueror till this gets fixed.

#45 Re: Yeah it works.

by pirat

Wednesday May 1st, 2002 5:24 AM

Reply to this message

Konqueror under WinXP? Very good ^_^

#25 Test

by TonyG <tony.gorman@blueyonder.co.Yuk>

Tuesday April 30th, 2002 4:11 PM

Reply to this message

plz ignore

#28 Internetnews.com Article

by AlexBishop <alex@mozillazine.org>

Tuesday April 30th, 2002 4:42 PM

Reply to this message

Internetnews.com <http://www.internetnews.com/> has an article on the flaw and the whole "Netscape didn't pay me" debacle.

<http://www.internetnews.c…cle/0,,10_1025541,00.html>

Alex

#42 Grey Magic seems to lack patience

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 1:52 AM

Reply to this message

Based on the info in that article, it really just sounds like Grey Magic needs to learn a little patience.

#88 maybe Netscape should move a bit faster?

by johann_p

Thursday May 2nd, 2002 5:26 AM

Reply to this message

How much patience do you expect someone to have until maybe a simple "we got your email, thank you, please give us till next week to get back to you to discuss this in more detail" email arrives? How difficult would it be for Netscape to react on this a *bit* faster and show both Grey Magic and the rest of their customers that they care? To cite the article: "Netscape officials were unavailable for comment." Yep.

#93 Re: maybe Netscape should move a bit faster?

by asa <asa@mozilla.org>

Thursday May 2nd, 2002 11:42 AM

Reply to this message

When I file a bug in Bugzilla (which would have been the more community spirited thing to do, but I guess greed overrules decency for most people) sometimes I have to wait for a developer to look at the problem. 5 days wait (where two of those days are weekend) isn't out of the ordinary for Bugzilla bugs (with the exception of security sensitive issues or other critical problems). Developers, even those working on security issues are all overloaded with work these days. Welcome to the real world of software development. If Grey Magic would have filed a bug in Bugzilla or sent mail to <security@mozilla.org> (it was a bug in core Mozilla code, not something specific to one vendor's distribution after all) rather than attempting to get a bounty from Netscape he would have had an immediate response and the bug would have been fixed 4 or 5 days earlier.

--Asa

#98 Re: maybe Netscape should move a bit faster

by SubtleRebel <mark@ky.net>

Thursday May 2nd, 2002 12:39 PM

Reply to this message

Personally I hate receiving form letters that say "we got your email..." because it really does not mean that anyone has read it or anything. Whether or not you receive such an email, the message can still get lost before it gets to the right person.

The statement that "Netscape officials were unavailable for comment." means nothing either. As I write this post, I have no Netscape officials available for comment; I also have no officials from Microsoft available for comment; in fact, I do not see anyone (besides me) around, official or not, who is available for comment. It is doubtful that the author made any significant attempt to contact someone at Netscape who was qualified to comment on the matter.

Regardless, Grey Magic reacted unprofessionally. If they know anything about large corporations then they should realize that if you want to get a message to developers quickly, you do not contact the marketing department.

As for the whole bounty thing, I would think that if Grey Magic had filed a bug in Bugzilla then Netscape would be just as inclined to honor that for the Bounty as they would for anything.

#30 Minor?

by tomgilder

Tuesday April 30th, 2002 5:01 PM

Reply to this message

Since when was a browser being able to freely read and steal files from the local file system a "minor security hole"?

#49 Can't write or execute...

by leafdigital

Wednesday May 1st, 2002 7:42 AM

Reply to this message

Well, I agree that it's a fairly serious problem, but frankly, these days, anything that doesn't let you write to user hard disk or execute arbitrary software is 'minor'. Also, this can't easily be exploited by email (since Mozilla iirc has javascript off for email by default), which is the more serious delivery method.

It could also be argued that ANY security hole in Mozilla is 'minor'. I mean what's the point in exploiting mozilla? With around 1% share you are missing out on the 85% of your potential victims who use versions of MSIE (probably in most cases old, unpatched versions of IE).

Anyway I'm glad they've fixed this bug and I hope they catch the other ones too. The only fly in the ointment is that I'm a little concerned that Mozilla perhaps hasn't had the kind of scrutiny from within the security community that IE regularly benefits from. It's likely that there are a good deal more bugs like these lurking beneath the surface; I hope this announcement attracts more attention from hackers so that exploits can be quickly found and then fixed.

--sam

#59 Mozilla still not 1.0

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 11:06 AM

Reply to this message

Of course it also might be worth remembering that Mozilla is still in pre-release. Although we are getting very close to 1.0, Mozilla has not yet been given the Golden Master label.

If a serious security problem is found after 1.0 is released then people can blame Mozilla for releasing a browser with a security problem, but until then, any bugs found, security or otherwise, are just part of the pre-release testing.

#60 re:

by leahcim

Wednesday May 1st, 2002 11:17 AM

Reply to this message

Excuses, excuses, it doesn't wash. The key here isn't this bug, it's the policy.

This link is pre-release too? Or has all this testing not found anything?

<http://www.mozilla.org/pr…nown-vulnerabilities.html>

#73 You are off topic

by SubtleRebel <mark@ky.net>

Wednesday May 1st, 2002 7:37 PM

Reply to this message

This thread was about whether or not the bug was a major security issue or a minor security issue.

#32 Someone on the List Told off the bug reporters

by ksosez <ksosez@softhome.net>

Tuesday April 30th, 2002 6:29 PM

Reply to this message

<http://online.securityfoc…6/2002-04-27/2002-05-03/1>

They told them basically they didn't report the bugs first like they should have and told them how to do it next time unless they were just doing it to make us look bad.

#34 Why it doesn't work in RC1

by AlexBishop <alex@mozillazine.org>

Tuesday April 30th, 2002 7:02 PM

Reply to this message

This post <http://online.securityfoc…72/2002-04-27/2002-05-03/> by Thor Larholm explains why the exploit doesn't work in RC1 (basically, XMLHttpRequest is busted).

Alex

#35 then...

by chrisbolt

Tuesday April 30th, 2002 7:17 PM

Reply to this message

...why does it work for me?

#36 You're special? ;-) (n/t)

by AlexBishop <alex@mozillazine.org>

Tuesday April 30th, 2002 7:37 PM

Reply to this message

This space has been intentionally left blank.

Alex

#37 You lied!

by chrisbolt

Tuesday April 30th, 2002 10:29 PM

Reply to this message

There was text!

#90 Re:

by Kirby

Thursday May 2nd, 2002 5:59 AM

Reply to this message

It works here too. Mozilla 1.0 RC1 on RedHat Linux.

#43 Bug reported - bug fixed

by mmarquee

Wednesday May 1st, 2002 5:15 AM

Reply to this message

They reported a bug, it was investigated, and fixed. Chalk one up to the Mozilla team.

They have reported half a dozen issues about 'another browser', none of these have been fixed.

#46 OMG a bug ! Quick, use something else !

by shin

Wednesday May 1st, 2002 5:47 AM

Reply to this message

Really, this behaviour is so childish. What if that person found a security bug in the latest kernel ? Would he advocate using Windows or MacOS ?

Solution: Users of BugTraq should disregard all misleading, buggy, driven-by-bias comments.

#67 One more reason to use Mozilla, not Netscape

by johann_p

Wednesday May 1st, 2002 1:34 PM

Reply to this message

Mozilla bug fix is checked in. Netscape didn't even release a comment on this, let alone a bug fix. They seemingly didn't even send an acknowledgement or "thank you" to the reporters of the security hole. I have heard the uproar when MS did something like this before ... where is the difference in NS's policy?

#82 Re: One more reason to use Mozilla, not Netscape

by AlexBishop <alex@mozillazine.org>

Wednesday May 1st, 2002 11:50 PM

Reply to this message

> Netscape didn't even release a comment on this, let alone a bug fix.

What do you mean? If you look at bug 141061 <http://bugzilla.mozilla.org/show_bug.cgi?id=141061> you'll see that it was fixed by Darin Fisher, a Netscape engineer.

Alex

#85 I am talking about a comment or released fix

by johann_p

Thursday May 2nd, 2002 1:27 AM

Reply to this message

That means something that is addressed to the end user. Nothing on the Netscape home page to warn about the security hole in their browser, no announcement of a new NS6.x build. I am not criticizing engineers here. But the general "feel" of support for end users from Netscape is close to zero.

#86 Re: I am talking about a comment or released fix

by AlexBishop <alex@mozillazine.org>

Thursday May 2nd, 2002 4:21 AM

Reply to this message

So basically, you want a Netscape 6.2.3?

Alex

#87 NS 6.2.3

by johann_p

Thursday May 2nd, 2002 5:18 AM

Reply to this message

Well, yes - of course a binary patch (just replacing the lib that had the broken code in it) would be preferable. It's not so much that *I* want it since I am using nightlies anyway. But I believe most potential users of NS would like to see NS react to these kind of things in a reasonable, user-friendly way. MS *does* release security patches now and then and you don't have to install a new version of IE (even if some patches are nearly as big anyways). MS has had a way of not reacting to security issues or more or less ignoring them officially and they have received a lot of bashing and bad press for it - and I wonder why NS would want to choose the same route. MS is in a position where they essentially can ignore the uproar of informed or security-aware users. Netscape certainly is not in that position.

#105 Very disappointed

by leet

Friday May 3rd, 2002 12:03 PM

Reply to this message

Totally agreed. Netscape (probably due to AOL) is just behind the curve on so many levels. The whole point of Netscape 5, then 6, was to make the browser more modular, like IE. I remember years ago when the issue of partial updates was brought up - heck, Navigator 4.x can do some of that with SmartUpdate, though it wasn't that much different from downloading the whole thing. Fast forward 4 years and we still get updates by reinstallation.

#77 Auto-Update

by Waldo

Wednesday May 1st, 2002 9:24 PM

Reply to this message

Will Mozilla 1.0 have any kind of "check for an update" built in or an auto-notification when such security related bugs are found/fixed?

#83 Re: Auto-Update

by AlexBishop <alex@mozillazine.org>

Wednesday May 1st, 2002 11:56 PM

Reply to this message

If you look at Edit > Preferences > Advanced > Software Installation, you'll see that there is a mechanism to alert users of updates. I don't think Mozilla uses it though. It's probably intended for vendors like Netscape.

Alex

#89 Netscape missed a big opportunity here

by johann_p

Thursday May 2nd, 2002 5:36 AM

Reply to this message

IMO Netscape gave away a big opportunity to score as "the better browser provider" here: instead of embarrassing MS by reacting fast and with an openminded attitude to this, the impression is that Netscape tries to be even better in simply ignoring security issues. No announcement on the NS page, no patch or new version available, nothing. Instead, every paper with a tech column has the news here and most of them underline that a) the problem is still unresolved and b) NS people are unavailable to comment. Is this their marketing strategy to make people switch over from IE?

#91 Re: Netscape missed a big opportunity here

by Kirby

Thursday May 2nd, 2002 6:01 AM

Reply to this message

Didn't Netscape announce some time ago that they don't make browsers anymore? I think they've given up.

#92 Re: Re: Netscape missed a big opportunity here

by macpeep

Thursday May 2nd, 2002 9:14 AM

Reply to this message

Umm.. ??? You are aware that the vast majority of Mozilla engineers are actually Netscape engineers, right?

#101 Re: Mac OS 9.x: Cursor Problem

by bandido

Friday May 3rd, 2002 3:37 AM

Reply to this message

That is NOT what they said. What they said was that in a few months Netscape would be known for more than web browsers.

#106 Re: Re: Mac OS 9.x: Cursor Problem

by Kirby

Sunday May 5th, 2002 2:44 PM

Reply to this message

Then the media must be playing with the announcements again... WebWereld (a Dutch news site) wrote that Netscape had given up on browsers.

#107 Fixed in Beonex Communicator

by benb <mozilla@bucksch.org>

Sunday May 5th, 2002 10:00 PM

Reply to this message

#108 Fix incorporated into a stable release?

by jayseye

Monday May 6th, 2002 2:38 PM

Reply to this message

As an end-user, I'd like to download a stable build which incorporates the fix. Are the nightly builds now considered suitable for general use? Or should we wait for RC2?

#110 Re: Fix incorporated into a stable release?

by AlexBishop <alex@mozillazine.org>

Monday May 6th, 2002 4:04 PM

Reply to this message

You're probably best waiting for RC2. It'll be out any day now.

Alex

#112 Re: Re: Fix incorporated into a stable release?

by jayseye

Tuesday May 7th, 2002 9:12 AM

Reply to this message

Alex: Thanks for the reply here, and for the one on Bugzilla. Bug 138000 (Make RC2 Not Suck) looks pretty large, with new nominations still coming in. Is there an estimated release schedule posted somewhere?

#113 RC2 Release Schedule

by AlexBishop <alex@mozillazine.org>

Tuesday May 7th, 2002 10:26 AM

Reply to this message

It looks like the Roadmap <http://www.mozilla.org/roadmap.html> has been updated with the 'ideal' release date for RC2 being May 10th. That's this Friday. I wouldn't be surprised if it slips a day or two though.

Alex

#111 Re: Fix incorporated into a stable release?

by benb <mozilla@bucksch.org>

Tuesday May 7th, 2002 6:33 AM

Reply to this message

> As an end-user, I'd like to download a stable build which incorporates the fix.

Read the comment just above yours?

#114 Re: Re: Fix incorporated into a stable release?

by jayseye

Tuesday May 7th, 2002 11:44 AM

Reply to this message

Yes, that might be an option, if you would supply some details not found on the Beonex website. First, do you have a workaround for the Windows 95 install problem? (Mozilla makes a ZIP file available for this.) Second, does Beonex make any changes to Windows Registry, other than those made by Mozilla itself?

#115 Beonex information?

by johann_p

Tuesday May 7th, 2002 4:57 PM

Reply to this message

I agree - the info provided on the Beonex site is extremely sparse. People might be more willing to download when they know beforehand what exactly they will get, what the differences are, what changes and additions have been made.

#116 Re: Re: Re: Fix incorporated into a stable release

by arnoudb <arnoudb@dds.nl>

Tuesday May 7th, 2002 5:41 PM

Reply to this message

I really wouldn't know, but 1) Beonex doesn't seem to be much more than a Mozilla build that has the Debug and QA menus removed and a few other small fixups 2) Beonex is made by a Mozilla contributor so it should be pretty safe :).

#122 Beonex info

by jayseye

Thursday May 9th, 2002 3:25 PM

Reply to this message

In fairness, the beonex.com sitemap leads to a decent amount of detail, including their source code changes to Mozilla. Their mission sounds good, focusing on protecting user privacy, adding usability and support options. Beonex replied to my questions in a private e-mail, claiming:

1. Their installer should work in Windows 95

2. They make no Windows Registry changes other than those made by Mozilla itself

Given the updated roadmap, and being a developer & consultant, I plan to wait for Mozilla RC2. But I may check out Beonex, after 1.0 is released, for use by clients and friends.

#109 Fix incorporated into a stable release?

by jayseye

Monday May 6th, 2002 2:45 PM

Reply to this message

As an end-user, I'd like to download a stable build which incorporates the fix. Are the nightly builds now considered suitable for general use? Or should we wait for RC2?

#118 Re: Fix incorporated into a stable release?

by thegoldenear

Thursday May 9th, 2002 2:33 AM

Reply to this message

from my experience nightly builds since 1.0RC1 have been suitable for general use (as they have been for months and months and months apart from a few occasions, which is the risk you take with nightly builds, that you're opening yourself up to the unexpected)

#119 missed the thread

by thegoldenear

Thursday May 9th, 2002 2:35 AM

Reply to this message

sorry, excessive use of Ctrl+End, missed the existing thread

#121 Re: missed the thread

by jayseye

Thursday May 9th, 2002 3:00 PM

Reply to this message

I apologize for posting the same question twice. The accident resulted from hitting Refresh / Reload, some time after submitting my post, to check for replies.

#117 Whatever

by Tanyel <tanyel@straightblack.com>

Wednesday May 8th, 2002 1:57 PM

Reply to this message

Why does Mozilla not have an auto-update feature? Even America Online has that.

#120 Netscape 6.2.3

by AlexBishop <alex@mozillazine.org>

Thursday May 9th, 2002 11:55 AM

Reply to this message

By the sounds of comment 40 in bug 133170, it looks like there's going to be a new Netscape release with a fix for the hole.

<http://bugzilla.mozilla.o…how_bug.cgi?id=133170#c40>

Alex