Germany Warns Against Using Firefox

jayme0227 writes "Due to the recent exploit in Firefox, Germany has warned against its use. This comes a couple months after Germany advised against using IE. Perhaps we should start taking odds as to which browser will be next." Note: the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month of 3.6.2.

3.6.2 released

[Anonymous Coward]

Yup

3.6.2 is out.

[Anonymous Coward]

3.6.2 is out. [mozilla.org]

A release that has just happened, in fact...

[n6mod]

Firefox 3.6.2 was released earlier tonight: http://www.mozilla.com/en-US/firefox/3.6.2/releasenotes/ [mozilla.com]

To add some information to the void..

[Seth Kriticos]

The vulnerability *only* affects the current 3.6 branch. Patch is complete and will be pushed on the 30th of March.

Here is the Mozilla blog entry on the topic:
http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608 [mozilla.com]

Here is the original bug report:
http://secunia.com/advisories/38608 [secunia.com]

Ps: can we please get security related articles with some content instead of *OMG, we are all going to die!!* ??

Re:3.6.2 released

[Anonymous Coward]

http://www.asciipr0n.com/ [asciipr0n.com]

Re:Responsible reporting

[mysidia]

Yeah... that's actually encouraging, it means they are actually providing meaningful distinctive advise/suggestions, and not merely copy and pasting vendor vulnerability lists and activating pretty 'alert level' colors...

not like the US government, who yanked up what used to be the wonderful somewhat independent [but gov sponsored] organization called 'CERT', absorbed them into the department of homeland security, and turned them into US-CERT a mere vacant shadow of their former selves, just another clearinghose that lists every bloody little Windows vulnerability the earth has ever known, nothing too interesting, nothing too distinctive or useful anymore.

That is, ever since, CERT's usefulness has plummeted by orders of magnitude, nowadays they typically just parrot all the major commercial vendors' security advisories, even ridiculously minor ones --- I suppose this is great if you are a Windows user, it should convince you to switch, but for the rest of us it sucks.....

CERT has made what, 1 activity incident report based on actual events or compromises, intrusion patterns, intrusion details, or reports on new types of threats since 2001?

Governments don't know what to do about security, I guess... their efforts at 'reporting' just degenerate into vulnerability listing, and other mundane non-intelligence-requiring activity.

Either that or they think it's too dangerous to tell the public what direction attacks/bad guys seem to be heading.

Bah humbug! mod parent TROLL

[beh]

mod parent TROLL...

Have you looked at the BSI page and linked mozilla blog page?

The mozilla blog entry was dated March 18th (giving March 30th as the release date for 3.6.2). The BSI advisory was dated March 19th (4 days before the story broke on slashdot; and 4 days before the actual release of 3.6.2).

So, you're saying, it was retaliation by BSI against Firefox, for publishing a release date the firefox crew themselves published the day before?

On March 19th - with the projected release date 11 days away, it seems it was perfectly in order for BSI to recommend use of an alternative for those 11 days:

    "empfiehlt das Bürger-CERT die Nutzung alternativer Browser, bis die Mozilla Firefox Version 3.6.2
        veröffentlicht ist."

This has nothing to do with fear-mongering - but simply that during a potential danger period, people might want to watch out. Their article clearly stated it only affected 3.6, and their article stated that their advisory is temporary 'until 3.6.2 is released'.

How is that retaliation?

Re:the way to go

[jim_v2000]

Opera 10.51 Changelog [opera.com]

"Security
Fixed
Fixed an issue where the HTTP Content-Length header could be used to execute arbitrary code; see our advisory (http://www.opera.com/support/search/view/948/).
Fixed an issue where XSLT could be used to retrieve random contents of unrelated documents, as discovered by crazypops; see our advisory (http://www.opera.com/support/search/view/949/)."

OH SNAP SON! So much for those skilled contractors and their superior skills.

Re:Free software in action

[Anonymous Coward]

The guy who found the bug didn't give details to Mozilla promptly, he sold it in his security product to clients for a few weeks, then told Mozilla. Can't blame Mozilla for not fixing a bug they had 0 details on. Once they were given details they fixed it in a few days, not bad for fixing the bug, making a build, QA'ing and releasing it.

Re:And the risk is???

[ewrong]

A WOFF font is a Web Open Font Format font.

http://hacks.mozilla.org/2009/10/woff/ [mozilla.org]

It's basically an extension of the @font-face rule with it's own compression and meta tagging. Please don't tell my designers about it.

Re:Google Chrome.

[muckracer]

> That's true, as long as you turn off Google as the default search, disable cookies

And don't forget about LSO cookies (Flash directory), that do NOT get deleted by FF's cookie deletion on exit. Extra add-on is needed (BetterPrivacy) to do so.

Oh...and MozDevs...please restore the 'Clear History on Exit' window on browser exit. Thanx!

Re:Free software in action

[sopssa]

It is "bloated" in the sense of feeling slow to begin with. XUL and XML based GUI is probably the worst idea ever. If you've ever used Opera, you know just how fast and snappy the UI feels. This is what has always put me off from Firefox - it just doesn't feel good.

Re:Free software in action

[TheReal_sabret00the]

Seriously? I'm all for the opinion that Firefox is becoming the Winamp of browsers, with that best of the rest feel rather than the best feel. But Opera really doesn't have a snappy UI or a snappy feel. Opera is a great browser but has always felt clunky and dopeish. Not to mention that with the same tabs open in both Opera and Firefox, Opera is the one that feels the most sluggish. I fully agree that Firefox is making some disastrous decisions, taking a month to fix a reported bug is beyond acceptable, but lets not make it out like it's the new IE. By all means let's slap them on the wrists and hope they don't do it again. Lets hope that in Firefox 4, you'll be given an installer screen that will let you choose which features you want, I for example, won't be opting for TaskFox installed. But in no way is it the demon browser from hell sent to rape our mothers.

OK: Some facts then (about Opera speed & secur

[Anonymous Coward]

See subject-line above, & also, note this report from SECUNIA:

----

Vulnerability Report: Opera 10.x:

http://secunia.com/advisories/product/26745/ [secunia.com]

Unpatched 0% (0 of 5 Secunia advisories)

----

Download Opera 10.51 FINAL RELEASE, here:

http://my.opera.com/desktopteam/blog/ [opera.com]

----

OPERA ALSO SURPASSES FIREFOX IN BROWSING SPEED, at BOTH the javascript processing & HTML processing/parsing speeds levels as well, consistently & for years, no less!

Per latest:

1.) SunSpider tests done here recently -> http://www.pcpro.co.uk/gallery/features/356350/on-test-the-hidden-seven-browsers-in-the-windows-ballot/145087 [pcpro.co.uk]

2.) AND IT HAS BEEN "BLOWING AWAY" FIREFOX IN HTML PARSING/PROCESSING SPEEDS AS WELL, & FOR YEARS NOW, per this test years ago -> http://www.howtocreate.co.uk/browserSpeed.html#win [howtocreate.co.uk] and this one too last year also -> http://crave.cnet.co.uk/software/0,39029471,49302491,00.htm [cnet.co.uk]

("Beat that with a stick", as the saying goes!)

APK

P.S.=> Nicest part about Opera is that it originates a LOT of what folks consider cool, as far as browser features, & first (e,g, - tabbed browsing anyone), & it contains features you cannot get in FireFox & IE natively (i.e - without addons (such as site by site choices of whether to run javascript on a website, or not (javascript IS what gets you people all "hit" by these online attacks, & sites like SECUNIA.COM or SECURITYFOCUS.COM can show anybody that much, easily)))... apk

The BSI is not the Government

[Anonymous Coward]

The article implies that Germany (meaning the government) has issued a warning. However, the BSI (Bundesamt für Sicherheit in der Informationtechnik (engl. Federal Agency for Safety and Security in Information Technology)) warned about an issue in firefox. So the BSI does the same job as CERT, they warn about security issues. It is not that the government made a law or a ruling or any other governmental thing. BTW: The same thing applies to the IE problem. And if there is a problem with Safari or Opera or Lynx or Telnet or any other browser you can think of then they will warn about it.

As Firefox is the most used browser in Germany, it is really important that the BSI warns people about any issue.

(I appologize for any inconvenience due to misuse of prepositions and articles in this post)

Re:First

[SmilingBoy]

They also recommended against the original Google Chrome Beta:

https://www.bsi.bund.de/ContentBSI/Presse/Pressearchiv/Kurzmit2008/090908chrome_htm.html [bsi.bund.de]

And they also recommended against Opera 10.50:

http://www.buerger-cert.de/newsletter_suche.aspx?param=HGf116Hsnmjdg%2B95Lx4xLVfgHeBWpfgcdyqiMrbjzdH9yQ4jIcV6TY4STnzgjITQ%2BhD3uF8Dgn3F1%2BDy1Synkw%253d%253d#anchor1 [buerger-cert.de]

So, nothing to see here.

The BSI is not the Government

[prefec2]

The BSI is not the government. It is a federal agency. BSI = Bundesamt für Sicherheit in der Informationstechnik (engl. Federal Agency for safety and security in Information Technology). They are more something like CERT. Even though the US government thinks the BSI is some sort of NSA, because the NSA also does security in information technology (e.g. seLinux). However, the BSI does not spy on people. This is done by another agency. And the BSI is so much the government as it is the police or judges.

Re:governments warn us about exploits

[Rockoon]

..and if you have actually used it on Windows, you know that its really bad.

Unresponsive, with a non-conforming UI, and the installer carries a payload of other apple software.