Category Archives: Firefox

Firefox 24 released

Most of the world considers a version increase from 23.x to 24 to represent a major release, with many new and changed features. Not so with Firefox. In the interest of marketing, Mozilla has tossed out anything resembling industry standards for naming Firefox’s version numbers.

Version 24 of Firefox fixes a few minor bugs and adds some very minor enhancements: nothing worthy of a major version increase. Version 24 does include several security fixes, which can be seen on the Security Advisories page.

I suppose it almost goes without saying by now, but the release notes and related announcements for Firefox still leave a lot to be desired (see my post about Firefox 23 for details).

Firefox 23.0.1

A new version of Firefox was released yesterday. Version 23.0.1 apparently fixes three minor bugs, none related to security.

There was no official release announcement for this new version. The release notes are exactly the same as for version 23, with the three fixed bugs just added to the top of the list of changes. The ‘complete list of changes’ link still points to an enormous list of bugs that appear to all be related to version 23.

I won’t bother rehashing everything that’s wrong with the way new Firefox versions are being documented by Mozilla. For that, see my post about Firefox 23.

Firefox 23 released

Another new version of Firefox was made available yesterday. Along with the usual crop of security bug fixes, version 23 sports a few changes worthy of mention:

  • A shiny new logo.
  • A Network panel was added to the Web Developer Tools. This panel shows the network activity associated with web browsing, including load times.
  • The HTML text ‘blink’ attribute has been removed. Blinking text has fallen out of fashion, and it’s generally seen as not user-friendly and non-accessible.
  • The ‘Disable JavaScript’ setting has been removed from the Options dialog. The developers feel that since disabling JavaScript causes many web sites to fail, the option should be hidden. The JavaScript options are still accessible via about:config.
  • The ‘Load images automatically’ setting was removed from the Options dialog. Again, the developers decided that this option was too dangerous for most users. You can still find the setting in about:config.
  • The ‘Always show the tab bar’ setting was removed from the Options dialog. Like the other removed settings, somehow this option was felt to be too dangerous for most users. You can still find the setting in about:config.

Firefox version announcements still lacking

Update 2016Jan06: The release notes page for Firefox 23.0 no longer exists. It was moved to an archive site by Mozilla, but must have been lost in the process. There’s a broken link to the missing page on the Releases/Old/2013 page.

As always, there was no proper announcement for this release. I discovered the new version when I was reading Hacker News. I’ve outlined the problems with Firefox’s online resources in several previous posts, so I’ll just provide a brief list here. Suffice to say that nothing has improved since Firefox 22.

  • According to Mozilla, the Mozilla Blog is where new versions of Firefox are announced. The blog has an RSS feed, which is good, and whenever a new version of Firefox becomes available, there is usually at least one post on the blog that describes some of the new version’s features. But these posts do not qualify as release announcements, because they never mention the new version number, or even that there is a new version! Here’s the ‘announcement’ for Firefox 23: Firefox Makes it Easy to Share Your Favorite Content with Friends & Family.
  • The main release notes page has several problems, all of which would result in a failing grade in any ‘Web Pages 101’ course:
    • the page’s title makes no mention of the version;
    • the version isn’t mentioned in any of the page’s headings;
    • the first text on the page reads "Firefox Notes (First offered to release channel users on…", which makes it sound as though some ‘notes’ are being offered, not a specific version of Firefox;
    • the version is only visible in the page’s URL, which is barely human readable, and in an aside that thanks contributors.
  • A link on the release notes page titled ‘complete list of changes’ points to a list of bugs in Mozilla’s bug tracking system. The list is huge, and the information is highly technical and not really intended for regular users.
  • The main download page never mentions the version, although all of the download links point to the most recent version.
  • The hidden ‘security advisories’ page lists Firefox security vulnerabilities by the date on which they were first reported by Mozilla, with no indication of which vulnerabilities have been fixed, or when they were fixed. This is somewhat mitigated by the also hidden ‘known vulnerabilities’ page, which lists security vulnerabilities and the versions of Firefox in which they were fixed.

The perils of saving passwords in your web browser

Web browsers want to make your life easier, which is why they all offer to store web site userids and passwords. But if you thought this was a safe way to store passwords, you’d be wrong. Still, some browsers handle this better than others.

Lock Your Computer

First of all, regardless of which web browser you use, if a person has access to your computer while you are logged in, and you allow your browser to store passwords, you should assume that the person now knows all your web site passwords. Simple techniques can be used to trick any web browser into displaying otherwise obfuscated (e.g. ‘*****’) passwords as plain text. This is yet another reason – as if you needed one – to always lock your computer when you walk away from it. Most operating systems have a setting that locks your computer for you after a period of inactivity. This is the only way to be at all secure; access to your logged-in computer potentially gives intruders access not only to your passwords, but also to all of your documents.

Password saving features in web browsers

Given the above, does it even make sense to worry about how your web browser handles saved passwords? There are arguments for both points of view. From my perspective, security should be layered: getting past one security hurdle shouldn’t open up everything. So if you allow your browser to save passwords, you should consider using the browser’s settings to secure those passwords. The four browsers I use handle passwords with varying degrees of security:

  • Firefox: Prompts to store passwords. By default, shows your saved passwords to anyone who looks in the settings. You can set up a master password to control access to the stored passwords; you will be prompted for the master password once per session, and when you try to show your passwords.
  • Opera: Prompts to store passwords. Doesn’t show passwords anywhere. You can set up a master password to control access to the stored passwords, which you will be prompted for once per session and at set intervals.
  • Internet Explorer: Prompts to store passwords. Doesn’t show passwords anywhere. No master password.
  • Google Chrome: Prompts to store passwords. Shows passwords to anyone who looks in the settings. No master password.

Google Chrome stands out in this list, since it both shows your passwords, and has no master password feature. Elliot Kember recently wrote about this, describing Chrome’s password handling as ‘insane’. I’m not sure I would go that far, but Chrome clearly needs a master password feature.

I’d like to see all web browsers show a prominent warning to any user who uses a password saving feature: “WARNING: saved passwords can be retrieved extremely/relatively easily. Always lock your computer when you leave it unattended.”

Update 2013Aug11: Here’s Google’s response.

Update 2013Aug25: Tim Berners-Lee (the person who invented the World Wide Web) weighs in. tl;dr – he agrees that Chrome should at least have a master password.

Firefox 22 now available

Version 22 of Mozilla’s web browser was released yesterday, with the usual utter lack of anything approaching a proper announcement. The closest we got was a post on the Mozilla blog entitled “Firefox Delivers 3D Gaming, Video Calls and File Sharing to the Web”. That post discusses some of the new features of Firefox 22, but never actually mentions the new version number. I understand that Mozilla is trying to place less importance on version numbers, but in my opinion this is going too far.

Making things even more confusing, the main download page for Firefox never mentions the current version, although all the download links point to version 22 URLs, which you can see by hovering your mouse over them.

The release notes page is still a confusing mess. The first text you read on that page is “Firefox Notes (First offered to release channel users on June 25, 2013)”. It sounds like they’re saying that Firefox was released on June 25, 2013. What they really mean is that Firefox version 22 was released on June 25, 2013, but the version isn’t mentioned in the title. In fact, the only reference to the version is in a contributor “thank you” note below the title. Below that, the “What’s New” section lists changes made to Firefox, which we can only assume are specific to version 22 because the page’s URL includes the text “22.0”.

A link on the release notes page for version 22 titled “complete list of changes” now points to a list of bugs in Mozilla’s bug tracking system, Bugzilla. The list of bugs shown is huge, and although each of the 510 entries supposedly represents a bug fixed in version 22, the information is highly technical and not really intended for regular users. A proper change list is nowhere to be found.

Somewhat more useful are the confusingly-named and well hidden “known vulnerabilities” and “security advisories” pages for Firefox. The first of those pages lists security vulnerabilities and the versions of Firefox in which they were fixed, including version 22. The second page lists Firefox security vulnerabilities by the date on which they were first reported by Mozilla, with no indication of which vulnerabilities have been fixed, or when they were fixed.

I’ve been pointing out the lack of proper version announcement resources for Firefox here and in other online forums for a while now, but have yet to see any significant progress.

Firefox version 21 released

Another new version of Firefox was released today. Version 21.0 fixes several security vulnerabilities and other bugs.

As usual, the release notes for version 21 don’t mention the version except in a note about contributors, but the list of fixes seems to be relevant to the new version.

Clicking the ‘complete list of changes’ link on the release notes page now goes to the Firefox bug tracking site, but the list of bugs shown includes issues that were resolved long before version 21 appeared, which is still very confusing.

On a brighter note, the release notes page now includes this entry:
21.0: Security fixes can be found here
Clicking the associated link shows a page titled “Known Vulnerabilities”, which clearly shows the version in which particular security vulnerabilities were fixed.

Firefox 20 released

On Tuesday, Mozilla released another new version of Firefox, version 20.

The new version includes several security fixes, as well as private browsing, changes to the download system, performance improvements, and several other bug fixes and enhancements.

As usual, the release notes and complete list of changes for this release are a jumbled mess of old and new information, making the job of figuring out what has actually changed needlessly difficult. Will they ever fix this?

Firefox version 19 released

Firefox 19 was released today, with the usual lack of a proper announcement, and a confusing jumble of change information from Mozilla.

Instead of a proper announcement for the new version, all we get is this post announcing a new, built-in PDF viewer.

As usual, the release notes for version 19 are confusing, but at least the new version is mentioned, albeit in an unusual congratulatory note to ‘new Mozillians’ – whatever they are. And, as always, the complete list of changes for version 19 actually includes every bugfix in recent history. When are they going to clean this stuff up, one wonders.

Still, a built-in PDF viewer will allow users to steer clear of at least one buggy piece of Adobe software in the form of a Reader plugin. It remains to be seen whether the new viewer has as many security issues as what it’s replacing.

Firefox 18.0.2

The latest version of Firefox apparently fixes some JavaScript stability issues.

On a related note: is it just me, or are the release notes for Firefox kind of messed up? Looking at the page for the latest release, I notice the following:

  • The version being discussed doesn’t appear anywhere at the top of the page, in any headings, or in the page title.
  • The first reference to the version is in the list of issues fixed in the What’s New section, but issues fixed in previous versions appear as well.
  • What does appear in the page headings is “Notes (First offered to release channel users on February 5, 2013)”. Apparently this is telling us that the version being discussed was released on that date. But again, it’s not clear what version we’re talking about, unless you look at the page’s URL, which includes “18.0.2”.
  • The link to a complete list of changes takes us to a page that lists changes going back several months, in previous versions. It’s a massive list, again with no version information, despite being on a page with a specific version in the URL.
  • Comparing the complete list of changes for version 18.0.2 with the list for version 18.0.1 shows that they are in fact identical. You have to go back to version 17.x to find a different list.

Confusing. To make matters worse, among all the Mozilla blogs, press releases and other related Firefox information on the Mozilla site, I’ve so far been unable to find a mailing list, feed or any other resource that simply announces new Firefox versions. I have to find out about new versions from SANS.