Firefox a ticking time bomb

A pair of unpatched vulnerabilities in Mozilla's Firefox Web browser -- rated as "extremely critical" by one security firm -- could allow an attacker to take control of a PC simply by getting a user to visit a malicious Web site.

Not good, and what's worse, this exploit is actually out on the net today. This would mean the fourth critical security patch for Firefox this year when 1.0.4 is released; in comparison, IE has only had 2, both of which were promptly fixed. I don't believe there is currently any solid release date for version 1.0.4, which would address these issues.

With all these people using Firefox, I actually had a look at the traffic logs for my sites over the last 7 days (about 50 000 visitors). Of those using Firefox, only 13% actually had the latest version, 1.0.3 (which, as above, is not secure anyway); everyone else was using even older versions with loads of security issues.
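The check described above (what share of a site's Firefox visitors are on the current release) can be done from the web server's own access log. The following is an added example, not the post author's script or logs: it parses constructed Apache "combined" format lines, keeps one Firefox version per client IP so each visitor is counted once, and reports the share on or above a `latest` version passed in by the caller (1.0.3 at the time of the post). The sample log lines, IP addresses and Gecko build strings are made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not the post's real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [11/May/2005:20:01:02 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3"
10.0.0.2 - - [11/May/2005:20:01:05 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.6) Gecko/20050318 Firefox/1.0.2"
10.0.0.3 - - [11/May/2005:20:02:10 +0100] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"
10.0.0.4 - - [11/May/2005:20:03:00 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.5 - - [11/May/2005:20:04:21 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.1"
10.0.0.1 - - [11/May/2005:20:05:02 +0100] "GET /news.html HTTP/1.1" 200 3072 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3"
"""

# Apache combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"\s*$'
)
# Firefox advertises itself as "Firefox/<version>" at the end of the User-Agent string.
FIREFOX_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")


def parse_firefox_visitors(log_text):
    """Return {client_ip: firefox_version}, keeping the last version seen per IP.

    Counting per IP rather than per request approximates "visitors" as the post does;
    non-Firefox user agents and malformed lines are skipped.
    """
    visitors = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole report
        fx = FIREFOX_RE.search(m.group("ua"))
        if fx:
            visitors[m.group("ip")] = fx.group(1)
    return visitors


def version_key(version):
    """Turn '1.0.3' into (1, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def summarize(visitors, latest):
    """Count versions and report the share of visitors on or above `latest`."""
    counts = Counter(visitors.values())
    total = sum(counts.values())
    current = sum(n for v, n in counts.items() if version_key(v) >= version_key(latest))
    pct_latest = round(100.0 * current / total, 1) if total else 0.0
    outdated = {ip: v for ip, v in visitors.items() if version_key(v) < version_key(latest)}
    return {"total": total, "counts": counts, "pct_latest": pct_latest, "outdated": outdated}


if __name__ == "__main__":
    report = summarize(parse_firefox_visitors(SAMPLE_LOG), latest="1.0.3")
    print(f"Firefox visitors: {report['total']}, on latest: {report['pct_latest']}%")
    for version, n in sorted(report["counts"].items(), key=lambda kv: version_key(kv[0])):
        print(f"  Firefox/{version}: {n}")
```

On a real log, replace `SAMPLE_LOG` with the file contents and `latest` with the current release; the per-IP count undercounts users behind a shared proxy, which is the usual caveat for visitor figures derived from server logs.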

Mozilla REALLY need to get a move on with releasing updates, and they need to get their users installing them. The autoupdate in the old versions certainly doesn't work right; I've got autoupdate enabled on one of mine (using 1.0.2) and it has yet to inform me about 1.0.3, which has been out for weeks. I have to go and manually check, which isn't a very nice experience with it being hidden in advanced options.

How is your average user who saw Firefox mentioned in the newspaper (most of which falsely claim it's "secure") going to know how to do that? Chances are they're running an even older version, have been fooled into thinking they have something "rock-solid and secure", and are going to end up with their machines compromised. Mozilla, you're not in the little leagues anymore: not all of your users visit your update page every day and try out the nightly builds. You have to get ALL of your users up to date, and you have to get vulnerabilities fixed BEFORE samples of the exploit code get put up on the net.

Firefox is a ticking time bomb; it's getting close to critical unpatched mass. Mozilla had better do something fast, because if a lot of users suddenly find their machines not working, they're gonna end up with a very bad taste in their mouths that will hang around for years to come.

5 comments

Comment from: Wester547 [Member] · http://www.halflifeportal.com/
I suppose it's time to stick to Maxthon or Netscape then.....
11th May 2005 @ 21:17
Comment from: Paul Smith [Member] · http://www.dasmirnov.net/
I'm not saying that; for people who update, sure, you're fine. There's always gonna be the odd exploit that goes wild before it's patched, but generally that's not how problems happen.

My focus is on the 77% that still have 1.0.2 and below who have not updated.
14th May 2005 @ 02:30
Comment from: Wester547 [Member] · http://www.halflifeportal.com/
Ahh.... well I have utterly nothing to worry about then since I've updated my Mozilla Firefox browser version build to the latest 1.0.4 build release. :)
14th May 2005 @ 17:22
Comment from: Paul Smith [Member] · http://www.dasmirnov.net/
That's the kind of attitude that leads to problems Wester.
15th May 2005 @ 12:15
We're now onto the 7th release and all are down to security problems and bugs. Not good.

And now they're changing FF so you can download patches instead of a full upgrade. This is (1) because they know there will be a lot more and (2) to hide the number of bugs because you won't be able to count the versions.

Because it was sold on a security ticket, it will be judged harshly and people will go back to IE which also keeps getting critical holes and patches.

Sad but true.

22nd July 2005 @ 02:04
