Firefox 1.0.3 Released

[GolfProRM]

Just a heads up that Firefox 1.0.3 is out, and you should be able to get it through normal firefox updates.If not, go to http://www.mozilla.org/products/firefox

Security fixes:MFSA 2005-33  Javascript "lambda" replace exposes memory contentsMFSA 2005-34 java script: PLUGINSPAGE code executionMFSA 2005-35 Showing blocked java script: popup uses wrong privilege contextMFSA 2005-36 Cross-site scripting through global scope pollutionMFSA 2005-37 Code execution through java script: faviconsMFSA 2005-38 Search plugin cross-site scriptingMFSA 2005-39 Arbitrary code execution from Firefox sidebar panel IIMFSA 2005-40 Missing Install object instance checksMFSA 2005-41 Privilege escalation via DOM property overrides

[striker]

Thanks Ryan,Replaced 1.0.2 by 1.0.3 .

[Neil P]

As always, be sure to update to this, as it is a security release.Gervase Markham has a blog post about the 1.0.3 release, in which he talks about Firefox's popularity as it relates to the number of security bugs found.

Firefox 1.0.3 has been released, with nine security fixes, three of them critical. That's a total of 29 separate issues which were deemed worthy of a write-up since the release of 1.0. So does this add some weight to the argument that previously, Firefox only seemed secure because no-one has bothered to attack it?Frank Hecker made an important point about this issue very eloquently in an email to drivers, which I'm sure he won't mind me quoting here:    Yes, Firefox is a lot more popular now and has a much higher profile. Yes, a lot of smart hackers are working now to break Firefox. And what a surprise: These hackers aren't making life miserable for Firefox users, they're working with us to make Firefox more secure. Why is that? Because we pay attention to security bug reports, we try to treat people who find and report security bugs with respect, we invite them to work closely with us, we reward them for finding bugs (both with money and with credit), and most important: we actually fix bugs in a timely manner as opposed to sitting on them and treating security as just a potential PR problem. Absolutely.

(That's the post in its entirety)[edit]Also, Mozilla 1.7.7 has been released. Firefox 1.0.3 release notes along with Moz 1.7.7 release notes

[Guest LilBambi]

Thanks for the heads up!BTW: I am amazed to see the difference between a month ago and this month in my website stats.Internet Explorer: 53%Firefox 29.5%Netscape 8%Mozilla 3%Safari 1%And then the balance is broken out between ALL the other browsers including one visitor who was using an amiga browser and another using Links (commandline linux/unix browser).I am sure that these stats are not representative of all websites out there, but even so ....Way to go Firefox!!

[Keegan]

well it is always great that a new version is out with security fixes. but saying this: "These hackers aren't making life miserable for Firefox users, they're working with us to make Firefox more secure" is way of markwhy simply because everyday joe doesn't know how 2 upgrade their browser and the are stuck with and "old and unsecure" browser

[Neil P]

well it is always great that a new version is out with security fixes. but saying this: "These hackers aren't making life miserable for Firefox users, they're working with us to make Firefox more secure" is way of markwhy simply because everyday joe doesn't know how 2 upgrade their browser and the are stuck with and "old and unsecure" browser

<{POST_SNAPBACK}>

Auto Update looks to take care of this. I don't know how well it works yet (there were problems before) but I think it's okay now. The point of that was, the vulnerabilites aren't being exploited by people who find them, they're being reported, and often times the people help to resolve it.

[ian]

I am using Firefox on WXP and Mandriva Linux.Auto-update just kicked in on WXP (again) and I am now running 1.0.3, however, this feature does not appear to work on Linux. Do I need to manually upgrade Firefox on Linux each time I see security updates on WXP?

[havnblast]

for linux I always download the source file without the installer - unpack and your all set to goCan get it at http://ftp.mozilla.org/pub/mozilla.org/fir...ox-1.0.3.tar.gz

[ian]

for linux I always download the source file without the installer - unpack and your all set to goCan get it at http://ftp.mozilla.org/pub/mozilla.org/fir...ox-1.0.3.tar.gz

<{POST_SNAPBACK}>

Thanks Kelly. If I understand you correctly.1) Auto Update does not work on Linux2) It is safe to unpack a new tar.gz over an existing installation3)I used Bruno's instructions to install 1.0.2 in /usr/local/bin so I can just repeat that procedureWill any extensions/plug-ins need to be re-installed after the update?Will any session history/cookies/passwords etc have to be rebuilt? Edited April 17, 2005 by ian

[Neil P]

Thanks Kelly. If I understand you correctly.1) Auto Update does not work on Linux2) It is safe to unpack a new tar.gz over an existing installation3)I used Bruno's instructions to install 1.0.2 in /usr/local/bin so I can just repeat that procedureWill any extensions/plug-ins need to be re-installed after the update?Will any session history/cookies/passwords etc have to be rebuilt?

<{POST_SNAPBACK}>

Do Bruno's instructions include removing the directory first? It's always best to remove the directory first...So, to install 1.0.3 in /usr/local/bin/ you would:1. Download Firefox (this is the one you want (it's en-US))2. su <password>3. rm -rf /usr/local/bin/firefox (if that's where you installed it)4. mv firefox-1.0.3.tar.gz /usr/local/bin/5. cd /usr/local/bin/6. tar -zxvf firefox-1.0.3.tar.gz7. firefox/firefox (run it as root once)8. Now you can run it as user just fineYou shouldn't have to do anything with extensions, and your bookmarks, cookies, passwords and any other settings will be untouched.As for auto-update, I think it works on Linux...you might have to run Firefox as root, unless you have write access to /usr/local/bin/ as a user. Try that first:Run firefox as root, go to Edit -> Preferences -> Advanced and hit the button to check for updates from there. Then if that doesn't work you can download a new build.

[Guest LilBambi]

Didn't have to reinstall my plugins this time. Kewl! :thumbsup:Auto update worked great on both WinXP and Win98SE for the upgrade to 1.0.3 ... the only difference I did between Win98SE and WinXP Pro is I closed all the windows behind the installer window in Win98SE before running the installer and all worked great! Didn't do that in WinXP Pro.NOTE: If you are using the Chatzilla extension, there is an update that is available for that as well. Today the Chatzilla extension updated fine on Win98SE. Still need to install it on WinXP Pro later.

[crp]

The Auto-Update didn't work on my W98 system, probably due to a misunderstanding on my part.I got the small dialog popup that there was an update available last night. I clicked on the link and it started the download/installation process in its own window. So i figured , what the heck, might as close my FireFox browser window. 10 hours later, the download/installation process was still running but evidently going nowhere. No IP activity and the Cancel button was greyed out. I killed the window by clicking the upper right X but now the FireFox doesn't seem to notice that it is an old version and could use an update.

[GolfProRM]

The Auto-Update didn't work on my W98 system, probably due to a misunderstanding on my part.I got the small dialog popup that there was an update available last night. I clicked on the link and it started the download/installation process in its own window. So i figured , what the heck, might as close my FireFox browser window. 10 hours later, the download/installation process was still running but evidently going nowhere. No IP activity and the Cancel button was greyed out. I killed the window by clicking the upper right X but now the FireFox doesn't seem to notice that it is an old version and could use an update.

<{POST_SNAPBACK}>

If you go to Tools ->Options -> advanced, you can force it to manually check for updates.

[Keegan]

If you go to Tools ->Options -> advanced, you can force it to manually check for updates.

<{POST_SNAPBACK}>

but how is the auto update supposed 2 work? i have this option ticked and i see the little icon beside the trobber but i haven't gotten any dialog saying that there is a update

[rbdietz]

but how is the auto update supposed 2 work? i have this option ticked and i see the little icon beside the trobber but i haven't gotten any dialog saying that there is a update

<{POST_SNAPBACK}>

I believe it would more properly be called auto-notification of updates.If you click on the little icon beside the throbber, you should get a dialog that will allow you to download and install the update.