Firefox 3.6.4 Released With Out-of-Process Plugins

DragonHawk writes "Mozilla Firefox 3.6.4 went to general release today. The big new feature in this release is out-of-process plugins (OOPP). This means things like Flash, Java, QuickTime, etc., all run in separate processes, so when Flash decides to crash, it won't take your browser out with it. If Flash starts consuming all the CPU it can find, you can kill it without nuking your browser session. I've been using this feature since it was in the 'nightly build' stage, and it was still more stable than 3.6.3, just because Flash was isolated." And reader Trailrunner7 supplies another compelling reason to download 3.6.4: "Security researcher Michal Zalewski has identified a problem with the way Firefox handles links that are opened in a new browser window or tab, enabling attackers to inject arbitrary code into the new window or tab while still keeping a deceptive URL in the browser's address bar. The vulnerability, which Mozilla has fixed in version 3.6.4, has the effect of tricking users into thinking that they're visiting a legitimate site while instead sending arbitrary attacker-controlled code to their browsers."
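The isolation described in the summary, as an added example (not Mozilla's code and not part of the original story): a host process forks a stand-in "plugin" child, talks to it over a pipe, survives the child's crash, and kills a CPU-hogging child after a timeout. The names `run_plugin`, `plugin_main`, the behaviours and the reply string are hypothetical, and the sketch assumes a POSIX system.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* fork, pipe, kill, nanosleep */
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical plugin behaviours, constructed for this example. */
enum plugin_behavior { PLUGIN_OK, PLUGIN_CRASH, PLUGIN_SPIN };

struct plugin_result {
    int  exited_normally;  /* 1 if the child ended via _exit() */
    int  exit_code;        /* meaningful only when exited_normally */
    int  term_signal;      /* signal that ended the child, else 0 */
    char reply[64];        /* data the plugin sent back over the pipe */
};

/* Runs in the child only; never returns into the host's code. */
static void plugin_main(int out_fd, enum plugin_behavior b)
{
    static const char msg[] = "frame rendered";
    struct rlimit no_core = { 0, 0 };

    setrlimit(RLIMIT_CORE, &no_core);   /* do not leave core files behind */
    if (b == PLUGIN_CRASH) {
        signal(SIGSEGV, SIG_DFL);
        raise(SIGSEGV);                 /* stands in for a plugin memory bug */
    } else if (b == PLUGIN_SPIN) {
        volatile unsigned long n = 0;
        for (;;)
            n++;                        /* eats CPU until the host kills it */
    }
    if (write(out_fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        _exit(1);
    _exit(0);
}

/* Host side: start the plugin, wait up to timeout_ms, kill it if it hangs.
 * Returns 0 when the child was started and reaped, -1 on a host-side error. */
int run_plugin(enum plugin_behavior b, int timeout_ms, struct plugin_result *res)
{
    int fds[2], status = 0, waited = 0;
    struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms */
    pid_t pid;

    memset(res, 0, sizeof *res);
    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: separate address space */
        close(fds[0]);
        plugin_main(fds[1], b);
    }
    close(fds[1]);

    for (;;) {                           /* watchdog loop in the host */
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            break;
        if (r < 0) {
            close(fds[0]);
            return -1;
        }
        if (waited >= timeout_ms) {      /* runaway plugin: kill only the child */
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);
            break;
        }
        nanosleep(&tick, NULL);
        waited += 10;
    }

    /* The child is gone, so this read returns its data or EOF, never blocks. */
    ssize_t n = read(fds[0], res->reply, sizeof res->reply - 1);
    if (n > 0)
        res->reply[n] = '\0';
    close(fds[0]);

    if (WIFEXITED(status)) {
        res->exited_normally = 1;
        res->exit_code = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        res->term_signal = WTERMSIG(status);
    }
    return 0;
}

int main(void)
{
    static const char *names[] = { "ok", "crash", "spin" };
    for (int b = PLUGIN_OK; b <= PLUGIN_SPIN; b++) {
        struct plugin_result r;
        if (run_plugin((enum plugin_behavior)b, 500, &r) != 0)
            return 1;
        printf("%-5s exited=%d code=%d signal=%d reply=\"%s\"\n", names[b],
               r.exited_normally, r.exit_code, r.term_signal, r.reply);
    }
    printf("host pid %ld is still running\n", (long)getpid());
    return 0;
}
```

Isolation here covers faults and runaway CPU only; the child still runs with the host user's full privileges.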
This discussion has been archived. No new comments can be posted.

  • First (Score:5, Funny)

    by Shikaku ( 1129753 ) on Tuesday June 22, 2010 @10:13PM (#32661222)

    Firefox post. Firefox is the fastest browser around!

    • Re:First (Score:5, Interesting)

      by shadowbearer ( 554144 ) on Wednesday June 23, 2010 @01:11AM (#32662016) Homepage Journal

      I've been using Opera, Google's Chrome, and IE alongside Firefox on W7 for about four months now on three computers, on a consistent basis, meaning every day.

        Opera is a bit faster, Chrome is a lot faster, but we are talking about tenths of a second here when rendering anything other than extremely complicated web pages which to be honest would render a lot faster in any browser if the designers wouldn't include so much crap in them that demands connections to multiple websites for stupid things like a small advertising gif image from a server that is already overloaded.

        Over that time, Firefox has been easily the most stable browser I've ever used - that might have something to do with me running addons such as adblock, flashblock, and NoScript - denying access to a lot of the poorly written or implemented crap websites that can crash any browser. I can count the number of times that Firefox has crashed on all three of my computers on one hand since the beginning of the year - that's two laptops and one desktop, running combinations of Windows XP, Windows 7, Ubuntu and Fedora.

        It didn't used to be that way, no. But it is now. Firefox also consistently recalls my previous browsing sessions - even after the multiple downtimes I had tonight during numerous power outages due to bad storms (the new battery for the UPS is in transit and should arrive tomorrow, and I ordered it from a website that does not list Firefox in their supported browsers list) neither Opera nor Chrome did so.

        The addon Xmarks has proven to be both useful and consistently stable, I'd highly recommend it.

        YMMV, YEMV, etc. This is just mine. I don't know about the rest of you, but I'll take stable over fast any day. I regularly have from a dozen to several dozen tabs open at any one time, and being able to recover my work after any crash, no matter the cause, means a lot to me. These features should have been written into browsers as DEFAULT features from the beginning. Somewhat around ten years ago I remember wishing that someone would just code a browser that could remember what I was doing before a crash, and do so consistently. Now, finally, I have one. Thank you, Mozilla.

        What I find ironic about the whole browser war is that the "feature leader" over the last decade has been the open source solutions - specifically firefox, and the rest of the field is playing catchup - especially Microsoft.

        SB

       

      • I would agree with your assessments in Opera and Chrome. I'd really like to like Chrome, but it's still missing firebug, and that unfortunately is pretty important to me.

        However, your experiences with firefox stability and mine are completely different. You say you can count the number of times firefox has crashed since the beginning of the year on one hand, while I can barely count on one hand the number of times it's crashed on me TODAY. I am hoping this release reduces that number significantly.

        • See my other post regarding background programs, in particular antivirus programs. I have only run Avast here for many years, and it's one of the few common factors between my machines and my customer's machines, where Firefox seems to work just fine.

          I don't have and probably never will have enough data to know for sure, but I suspect that antivirus and some malware scanners might contribute to FF stability somewhat. Other than that it's kind of a crapshoot.

          However I'd bet money that

      • Opera is a bit faster, Chrome is a lot faster, but we are talking about tenths of a second here when rendering anything other than extremely complicated web pages which to be honest would render a lot faster in any browser if the designers wouldn't include so much crap in them that demands connections to multiple websites for stupid things like a small advertising gif image from a server that is already overloaded.

        The real problem with these pages is not that they are slow to render, but that the renderin

      • Re:First (Score:5, Informative)

        by cgomezr ( 1074699 ) on Wednesday June 23, 2010 @04:55AM (#32662980)

        I'm afraid Firefox hasn't been the feature leader at all. Tabbed browsing? Opera had it before. Mouse gestures? Opera had it before. Quick dial? Opera had it before. Customisable search bars? Opera had them before. Ad blocking? Opera had it before (although, admittedly, worse than Firefox's). Stored sessions? Opera had them before (and it does restore from crashes without any problem in my case). I could keep enumerating, I'd say 90% of the browser features that Firefox implements are copied from Opera.

        OK, I think Firefox had private browsing before Opera, making it the browser of choice for pr0n (i.e. 99% of the internet usage); but now Opera has caught up on that and offers private and non-private tabs mixed in the same window :)

        BTW, on my machine Opera behaves much better than Firefox with 20+ tabs open (I have 57 right now), it's still snappy and Firefox would be crawling and taking up loads of RAM. But of course YMMV.

      • by nstlgc ( 945418 )
        I don't think "ironic" means what you think it does.
      • Re: (Score:3, Interesting)

        by Jurily ( 900488 )

        The main problem I see with web browsers today, is that they completely and utterly ignore every single user interface design convention they can find.

        With Chrome reinventing window layout, Firefox reinventing standard dialog layout, and Opera reinventing UI themes, where do we take refuge? Hell, even IE doesn't have menus by default anymore.

        That said, Firefox has Adblock, and Adblock has hufilter, so I'm not switching anytime soon.

    • by nmg196 ( 184961 )

      > Firefox is the fastest browser around!

      Apart from Chrome and Internet Explorer 9 :)

      • Ah! Internet Explorer, The Ayrton Senna of internet browsers - It's got the speed, but somehow that doesn't help.

  • This is great, now if only Firefox could separate tabs into processes and get a JavaScript engine comparable to V8 they could start to pull ahead of Chrome.
    • Firefox futures (Score:5, Informative)

      by DragonHawk ( 21256 ) on Tuesday June 22, 2010 @11:20PM (#32661522) Homepage Journal

      I'll take this opportunity to post some non-inflammatory info on planned Firefox development.

      Firefox 4.0, which may go into beta as early as next month, is supposed to do a lot in this direction. Overhauled JavaScript engine, overhauled HTML rendering, etc.

      http://wiki.mozilla.org/Firefox/4/Beta [mozilla.org]

      http://developer.mozilla.org/en/Firefox_4_for_developers [mozilla.org]

      I thought I had heard that 4.0 was supposed to deliver one-process-per-page functionality, but I'm having trouble finding recent status info. (One drawback to high-speed FOSS development is it's hard to keep track of things like that.) But anyway, the project is named "Electrolysis" ("E10S" in Firefox-developer-speak).

      http://wiki.mozilla.org/Electrolysis [mozilla.org]

      http://wiki.mozilla.org/Talk:Firefox/Roadmap [mozilla.org]

      • Re: (Score:3, Informative)

        by Anonymous Coward

        Don't forget the new HTML5 parser that is already working in the betas. Not only will this be the first fully HTML5 compliant parser, it will also be faster, run in a separate thread off the main thread, and make it possible to use SVG and MathML inline in HTML documents.

        http://hacks.mozilla.org/2010/05/firefox-4-the-html5-parser-inline-svg-speed-and-more/ [mozilla.org]

        • by fuzzix ( 700457 )

          Not only will this be the first fully HTML5 compliant parser

          Really, fully compliant with an incomplete and moving spec? That IS clever coding.

    • by BhaKi ( 1316335 )
      For performance reasons, tabs don't and shouldn't run in separate processes. You know, the original motivation for the tabs feature was that each tab could be run in a separate thread whereas each window needs a separate process. On most platforms, processes are more expensive than threads.
      • by BZ ( 40346 )

        > For performance reasons, tabs don't and shouldn't run in separate processes.

        In both IE8 and Chrome, tabs do in fact run in separate processes, with some caveats.

        > On most platforms, processes are more expensive than threads

        While true, processes have the benefits that:

        1. One process crashing doesn't bring down other processes.
        2. A process can be run in a low-privilege mode and memory isolation keeps it from accessing the guts of other processes.

        Threads don't have those two properties, and both IE

        • Re:Great (Score:4, Insightful)

          by kangsterizer ( 1698322 ) on Wednesday June 23, 2010 @08:16AM (#32663936)

          However processes use a lot more memory. Firefox uses way, way less memory than Chrome when you have a few tabs open.

          Also, the browser should not crash. But if it does, it restores the session, but seriously, that rarely happens on Firefox (yeah, Chrome tabs crash all the time, but that's Chrome's fault... flamebait maybe but one could argue tab-process encourage buggy code since it's no big deal when a tab crashes)

          The only things the browser does not have control over are plugins, and they're not in their own process, which is cool. Extensions are a more complex matter, I suppose they could still bring down everything with own process tabs.

          I'm not sure the security added by sandboxing tabs into processes is worth the trouble right now. It's some kind of hack after all.

      • by DragonHawk ( 21256 ) on Tuesday June 22, 2010 @11:50PM (#32661668) Homepage Journal

        For performance reasons, tabs don't and shouldn't run in separate processes.

        I find that statement dubious. Please explain.

        In my experience, the process-per-page (be they tab, window, or whatever) yields much better performance. I believe there are multiple reasons for this. For starters, the OS already has a perfectly good scheduler, and it makes sense to use that to handle multi-tasking. Indeed, OS people prolly know more about how to design a scheduler than browser people. By exposing this to the OS, it also means the OS can do whatever tricks it has to make I/O, memory allocation, etc., more efficient on a per-page basis, rather than treating the whole browser as an opaque object.

        Finally, a lot of modern hardware has 2, 3, 4 or more processor cores. Firefox generally only uses one of them. A browser like Chrome can have each page render on its own processor core, which is a *huge* performance gain. Without that, any multitasking is going to be limited to slicing up a single core between multiple tasks. The system can still only do one thing at a time. By using multiple cores, the system actually gets multiple things done literally simultaneously. On good hardware, the performance difference is astounding.

        "You know, the original motivation for the tabs feature was that each tab could be run in a separate thread whereas each window needs a separate process."

        That's just plain wrong. Each window does not need a separate process. Each tab does not get a separate thread. In Firefox 3.6, multiple threads are used, but it's not a one-thread-per-tab thing. Most of the work is still done in a single monolithic thread.

        The motivation for tabs in Firefox was to copy Opera. The motivation for tabs in Opera was as an alternative to one-page-per-window or MDI [wikipedia.org].

        • by Khyber ( 864651 )

          "In my experience, the process-per-page (be they tab, window, or whatever) yields much better performance."

          While reading Slashdot, it doesn't make one bit of difference. While one story tab loads, the rest of Firefox FREEZES while slashdot struggles to get rendered. I can't even scroll up or down.

          Which makes me think it's not a browser problem any longer, but the coders of websites and the coders of plugins (Crash er I mean Flash) that are the issue.

          • "In my experience, the process-per-page (be they tab, window, or whatever) yields much better performance."

            "While reading Slashdot, it doesn't make one bit of difference. While one story tab loads, the rest of Firefox FREEZES while slashdot struggles to get rendered. I can't even scroll up or down."

            That's because Firefox uses a single thread for just about everything. If a page is slow to render because of complex HTML/CSS, or has bad JavaScript which eats up CPU time, that drags everything to a stand-still.

            Browsers that use a separate process/thread per page, on other hand, will keep everything else running. That one page will be slow/non-responsive, but everything else keeps humming along nicely (as long as the hardware can keep up). Google Chrome works this way. Firefox does not (yet).

            (Firefox

      • by jrumney ( 197329 )

        On most platforms, processes are more expensive than threads.

        True, but on modern platforms the difference is not as significant as it was in the days of Windows 95.

      • "On most platforms, processes are more expensive than threads."

        To be honest, I don't think it really even matters.

        While having this very page open in one process, I just opened 20 more Firefox processes, all loading the Slashdot main page. I simply clicked my shortcut for it 20 times in rapid succession, and they were all opened and loaded within 3 seconds of my last click.

        I then closed them all (except this one), then quickly did the same thing, but opened 20 new tabs (in this process!) to the same page.

  • UI Lag (Score:5, Insightful)

    by electrosoccertux ( 874415 ) on Tuesday June 22, 2010 @10:16PM (#32661234)

    now can we do something about the rest of the awful browser?

    Open 20 tabs and the entire thing chugs to a grinding halt as only one (1) of my four (4) processor cores gets maxed out. So much for the "multithreading" everybody says that Firefox.
    The same list of 20 tabs peg all my cores to 100% for a few seconds and then they're all done rendering, when I'm using Chrome. No thanks Firefox. You guys are ancientsauce.

    • Re:UI Lag (Score:5, Interesting)

      by Nadaka ( 224565 ) on Tuesday June 22, 2010 @10:21PM (#32661262)

      I have never had problems with firefox having a ton of tabs open.

      I regularly have 15+ tabs, sometimes 50 or 60. The only time I have any issues is if I turn off no script and get some flash or javascript running to slow things down.

      • He's not saying he has problems once the tabs are open. He's saying that when he starts Firefox, the browser opens the tabs from the previous start. And that takes a good 10-15 seconds, while the whole UI is unresponsive. That has been my observation as well.

    • Re:UI Lag (Score:5, Interesting)

      by nmb3000 ( 741169 ) on Tuesday June 22, 2010 @10:42PM (#32661370) Journal

      This, this, this, this, this. The terrible user interface responsiveness of Firefox is what kept me on IE for the longest time (and I only moved because of addons, not because Firefox itself is any better).

      For a good test, open a Slashdot story with ~1000 comments and watch as the browser just stops dead in the water for 5-15 seconds while it renders the page. You can also try opening the browser when you have 10 or more tabs saved in your session. Again, the entire interface is useless while the pages are rendering. If the browser really is multithreaded in any meaningful fashion, then the rendering threads obviously have a priority higher than the UI, which seems like a bad thing.

      I'd rather have this improved than move plugins into an external process. Since I started using NoScript I haven't had Firefox crash because of Flash. Ever. However, I still read Slashdot so I do deal with the lagging on a regular basis.

      • Re: (Score:2, Interesting)

        Comment removed based on user account deletion
        • Re: (Score:2, Interesting)

          Interesting. Ever since my SMP box died, I'm using an old P4 e-Machine with 512 megs and linux. Flash playback, and video in general plays just fine. Graphics are onboard Intel i915. Though newer versions of FF *are* much better. I saved a bunch of CPU horsepower by using a decent hosts [someonewhocares.org] file so that AdBlock and NoScript don't have to work so much.

          The UI *does* lag a bit with pages that have tons of comments, but not nearly as bad as it used to be. On the SMP box there wasn't any lag at all. By SMP I mean m
        • My experience is that it runs better on Linux than on Windows...

          Also, what the heck happened to D2? It's like I'm back in the early Aughts.

        • Comment removed based on user account deletion
      • For a good test, open a Slashdot story with ~1000 comments and watch as the browser just stops dead in the water for 5-15 seconds while it renders the page

        I haven't found a browser that doesn't do that. Firefox, IE8, Chrome, Safari, and Opera all do that for me, at least on Windows. Haven't done any meaningful testing on Linux lately though.

      • by l0b0 ( 803611 )

        Sorry, but you might want to check up on what web sites, extensions and spyware you're running. Computers have this annoying habit of doing what you tell them to do, rather than what you want them to do. I've been using Firefox since 0.6, and I keep seeing these comments about huge problems, never* experiencing them myself. I don't have high end machines, and I've never had more than 2 GB of RAM. Been running Firefox on Windows XP, then FreeBSD (keep up the good work!) and now Ubuntu.

        * As in, whenever I do,

      • by CBravo ( 35450 )

        Instead: IE just waits for all of the html to arrive before showing anything. In single-page-manuals that really nags me.

      • I must say that something is weird with the way Slashdot does JS. It’s only here, that having a page open in the background over time starts to rise in CPU and memory usage. As if a loop would constantly fork itself while not releasing its variables to free memory.

    • chrome's got an alright engine, they just need to fix up the interface... sticking to firefox for now.
    • now can we do something about the rest of the awful browser?

      Open 20 tabs and the entire thing chugs to a grinding halt as only one (1) of my four (4) processor cores gets maxed out. So much for the "multithreading" everybody says that Firefox. The same list of 20 tabs peg all my cores to 100% for a few seconds and then they're all done rendering, when I'm using Chrome. No thanks Firefox. You guys are ancientsauce.

      I am curious if that is a Windows specific problem (not as in "MS screwed up" but as in "Firefox for Windows does not take advantage of SMP") as I have no such problem on eComstation or OS/2 Warp. Any Linux users who can confirm this problem does/does not exist for Linux?

    • by drsmithy ( 35869 )

      Open 20 tabs and the entire thing chugs to a grinding halt as only one (1) of my four (4) processor cores gets maxed out. So much for the "multithreading" everybody says that Firefox.

      I run 150+ open tabs in Firefox (times two, because I have a "work" and "personal" instance of Firefox Portable), all day, every day. Sure, it crashes every few days (Session Manager to the rescue), but calling 20 tabs anything significant, is laughable.

    • by swilver ( 617741 )

      20 tabs? Try 500+ tabs... with flashblock, noscript and a tab counter plugin (obviously). Yes with Firefox. Only time it annoys me is when the browser crashes (due to lack of memory, it doesn't like it when it comes close to 2 GB).

    • I'm having problems with firefox freezing as well. I always assumed it was my crappy video card configuration, but with FF 3.6.4, a lot of speed issues are actually fixed. They've done a great job on this release.

    • by knarf ( 34928 )

      Funny, that. I have tried Chromium on my state of the art IBM ThinkPad T23 and found it to suffer from UI lag and stutter way more than Seamonkey does. I keep on trying the most recent versions (now at 6.0.444.0) but the problem remains: open a tab, from within that tab open some links in background tabs and watch the whole thing stutter and halt regularly until the last background tab has finished its business - whatever that business may be as Chromium defers rendering background tabs until those tabs are

    • It’s interesting, how they are at fault, when you’re the only one with that problem.

      I bet you set affinity once and forgot about it. And what sites do you open to get FF to 100% CPU anyway? I’ve only ever seen more than 50% CPU, when the Flash plugin caused trouble.

  • by kbahey ( 102895 ) on Tuesday June 22, 2010 @10:22PM (#32661272) Homepage

    I am confused, since I am on Kubuntu 10.04 64-bit version, and use the Firefox version that comes with that release (3.6.3).

    For the longest time, I am able to kill npviewer.bin without Firefox crashing. I just get a grey box when I do that where Flash used to be.

    Flash already runs as a separate process for me.

    Here are the processes:

    me 4177 1746 0 12:43 ? 00:00:00 /bin/sh /usr/lib/firefox-3.6.3/firefox
    me 4182 4177 0 12:43 ? 00:00:00 /bin/sh /usr/lib/firefox-3.6.3/run-mozilla.sh /usr/lib/firefox-3.6.3/firefox-bin
    me 4186 4182 9 12:43 ? 01:03:08 /usr/lib/firefox-3.6.3/firefox-bin
    me 4353 4186 2 12:45 ? 00:16:37 /usr/lib/nspluginwrapper/i386/linux/npviewer.bin --plugin /usr/lib/flashplugin-installer/libflashplayer.so --connection /org/wrapper/NSPlugins/libflashplayer.so/4186-1

    So, what is happening here?

  • Opera! (Score:5, Informative)

    by uid8472 ( 146099 ) <slashdot@jdev.users.panix.com> on Tuesday June 22, 2010 @10:39PM (#32661358)

    Has no-one else yet commented to point out that Opera has run plugins in a separate process for years now? Then I guess I have to.

    Not to minimize the accomplishments of the Firefox developers, I mean, and getting this feature to the Firefox userbase is valuable in and of itself, and so on. But there is precedent.

    • Re: (Score:3, Funny)

      by Nimey ( 114278 )

      Opera is a poor imitation of lynx.

    • Re: (Score:2, Informative)

      by Ndymium ( 1282596 )
      I would like to comment that it, in fact, doesn't. I've run Opera on OS X and Windows for a few years now and have seen no indication of that. In fact, I can see only one Opera process in Activity Monitor right now, with 15 threads - even if I open up a Youtube video. When Flash crashes, so does the whole browser (which used to happen all the time with the 10.5x betas). I've heard rumors on the My Opera forums that Opera on *nix might have this, but the OS X version certainly doesn't and I have no knowledge
  • At work I have a Windows PC, and I was always frustrated by the very poor performance of Flash video. The video would freeze, then unfreeze over a second later with the video frames in between just dropped. (When you are watching a 5 second film [5secondfilms.com] this problem makes the movie almost unwatchable!) And it's a quad-core AMD Phenom II system. It should be fast.

    So now, I'm trying out 3.6.4 and the difference is stunning. Now the Flash video playback is perfectly smooth.

    I still want WebM in HTML5 instead of Fl

  • Just recently Adobe announced they would drop [arstechnica.com] support for 64 bit Linux. What is wrong with these people? Is it really so difficult to put out a 64 bit version of software you already have running? Oh, but they promise they'll get it working someday. Thanks a lot, guys. It's a shame 64 bit computers are so damn new I have to use a wrapper to use your buggy, bloated, insecure, crap software.

    • by jo_ham ( 604554 )

      This is one issue where OS X users and 64 bit Linux users can huddle together for warmth in the cold and the snow. At least we sort of have a working browser plugin, if you have a powerful enough machine to brute force a simple task like an SD video, or a page of navigation links etc.

  • by behindthewall ( 231520 ) on Tuesday June 22, 2010 @11:10PM (#32661490)

    According to the discoverer and the issue; he mixed up two different fixes, initially:

    http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html [blogspot.com]

    https://bugzilla.mozilla.org/show_bug.cgi?id=556957#c46 [mozilla.org]

    • I use Opera all the time and I can't thank them enough for supporting Symbian S60 with a decent browser.

      The issue with Opera, Safari (it is way more than Webkit shell), IE is: Who knows how many of such issues exist on them? It is more frightening if some gray/black hat found a similar issue on them and put it on black market.

      Recently Opera released a security update to 10.53 (10.54) and declined to tell the "major" "critical" issues they fixed. I can't blame them, it is how they work. On the other hand, wi

  • So... (Score:5, Funny)

    by sootman ( 158191 ) on Tuesday June 22, 2010 @11:10PM (#32661492) Homepage Journal

    ... if Firefox crashes will all the plugins keep running?

  • by thoughtsatthemoment ( 1687848 ) on Tuesday June 22, 2010 @11:12PM (#32661498) Journal
    It looks like there is a single process plugin-container.exe to run all flash files. Killing this exe will stop playing all the flash files. This means while you are enjoying a show on hulu.com, a rogue flash ad could still spoil the fun.
    • "It looks like there is a single process plugin-container.exe to run all flash files. Killing this exe will stop playing all the flash files."

      FWIW, Google Chrome works the same way.

      I'm not sure, but I suspect this *may* be due to design of the whole plugin concept. I would guess that the plugin concept assumes a single monolithic process for everything. There would be no need for an IPC facility. So I would guess Flash doesn't expect to find different windows running in a different process space. I know I've seen Flash objects communicate between each other; I presume that's done inside the plugin. If I'm right with my guess, using a differe

      • by BZ ( 40346 ) on Tuesday June 22, 2010 @11:44PM (#32661640)

        You're exactly right. Flash assumes that all running instances of it share a single address space and uses various internal communication channels to have the instances talk to each other. The Chrome folks actually tried a process per plugin instance, and it broke too much stuff out there.

      • by renoX ( 11677 )

        >to design of the whole plugin concept.

        *Sigh*, and to think that the "plugins" were described as a big improvement: want to have 'flexible' software? Use plugins.
        But they don't even have 'fault isolation'(*) right!!

        WTF?

        * and resources management and security.

  • If you use FlashMute under Windows, edit HKCU\Software\InDev\FlashMute\filenames to include plugin-container.exe. I also found out the FlashMute volume slider control works under Flash 10.1.
  • Nope, sorry (Score:5, Informative)

    by yuhong ( 1378501 ) <yuhongbao_386@@@hotmail...com> on Tuesday June 22, 2010 @11:43PM (#32661632) Homepage
    "And reader Trailrunner7 supplies another compelling reason to download 3.6.4: "Security researcher Michal Zalewski has identified a problem with the way Firefox handles links that are opened in a new browser window or tab, enabling attackers to inject arbitrary code into the new window or tab while still keeping a deceptive URL in the browser's address bar. The vulnerability, which Mozilla has fixed in version 3.6.4, has the effect of tricking users into thinking that they're visiting a legitimate site while instead sending arbitrary attacker-controlled code to their browsers."" Nope, sorry: https://bugzilla.mozilla.org/show_bug.cgi?id=556957#c46 [mozilla.org]
  • by FraGGod ( 1821866 ) on Wednesday June 23, 2010 @12:01AM (#32661716) Homepage

    Ok, now that we're able to put flash code in a separate proc, my question is: can we cut its privileges so another (monthly) "zero-day vulnerability" will finally become just a tale to scare little children?
    Strangely enough, with all the concern about flash security, the article seems to miss that point.

    • Re: (Score:3, Insightful)

      by BZ ( 40346 )

      You can, if you're willing to break enough sites... Flash commonly performs network access, raw graphics operations of various sort, file access, and a few other things like that which would have to be disallowed in a sandbox.

      • Re: (Score:2, Informative)

        by FraGGod ( 1821866 )
        Well, I can think of a "nobody" user with home in, say, /tmp/nobody, and flash is running with its uid and cgroup'ed, so:
        • flash can read any libs or binaries (for these raw graphic ops, I presume) from fs as needed.
        • flash can't access sensitive data in /home/myuser.
        • flash can't write to /home/myuser/.mozilla/firefox/**/some_binary_file (that might get injected into process, run as "myuser").
        • it can write to its own "home" and access network as it pleases, although it will die along with a browser tab (cgro
        • Re: (Score:3, Informative)

          by BZ ( 40346 )

          What flash needs for a lot of what it does is raw device access. In Linux terms, access to stuff in /dev (video, camera, audio, etc).

          It's clearly possible to setuid Flash to a low-privileges user if you want it to not write to disk in general and don't mind breaking part of the functionality. The question is whether you're willing to break it. Browsers may not be in a position to do that (though you individually may be if you don't use certain Flash features yourself).

        • It's things like webcams, audio, low-level graphics and sockets, as I recall. On IE8 (the one with a sandbox) the flash plugin is split into two parts. They have an in-sandbox stub which communicates over a channel to an out-of-sandbox process which contains the actual flash player. This out-of-sandbox player runs with full rights.

          So even if FF did have a full sandbox for plugins, Adobe would probably make a hole in it for Flash.

  • If Flash starts consuming all the CPU it can find, you can kill it without nuking your browser session.

    Sold! I’ll take it.

    Java was already sort of its own process. Making other plugins do this as well will be a very good step.

  • by gig ( 78408 ) on Wednesday June 23, 2010 @01:14AM (#32662026)

    So all we have to do is send all Web users to night classes on process management so they can diagnose when Flash is consuming too many resources and identify and kill the relevant process. That way we can rescue Flash designers from having to learn HTML and Adobe from having to compete with anybody. Makes total sense. I mean, playing video ought to be complicated, right?

     

  • Now I can watch Youtube and post on Slashdot at the same t
  • This is going to make me give firefox another shot. I've been driven to chrome for per-process tabs, and Safari for the eye candy (visual preview of bookmarks/history) - and firefox has just been this browser with the UI that is prone to lock up when something shits itself for me. Sure there are plugins but i can live without them for 99% of browsing I do.

    Splitting plugins into a separate process will be a massive win for UI response I reckon, downloading the update now :)

  • A tag on the post implies it, but I thought it'd be worthwhile to mention specifically that this applies to Windows and Linux, but NOT Macintosh.

    Personally, although the Flash plugin for Mac is dramatically less speedy than on Windows, I've never had stability issues with it. I've never once, in the last (...6 years?) had it crash and/or take the browser with it.

    My only real problem with Firefox has been the bizarrely high CPU utilization and tremendous memory leaks, neither of which are caused by extensio

  • More stuff is broken with each new version, I notice - I trialled the last release, and not only were half the config settings not preserved from the previous version, but the browser is still refusing to download executables because Internet Explorer is set not to do that. Keep your nose out of my IE settings and kindly attend to your own, they're different for a reason.
