Whatever it is, bug or feature, it is bad publicity.
http://it.slashdot.org/it/04/07/31/0037 ... 28&tid=172
They're funny things, Accidents. You never have them till you're having them - Winnie the Pooh
I'm VERY disappointed in the Mozilla development team. Not so much for the existence of the bug as much as the attempted dishonest cover-up. According to that Slashdot discussion, this bug was discovered 5yrs ago and labeled CONFIDENTIAL for 5 yrs.
At the very least, the default behavior should disallow hiding the menubar and location bar. I've just done as a poster in this thread suggested and gone into my about:config to change the pref value to "true" for disallowing removing the Menubar and URL bar. I shouldn't have had to mess around with the guts of the system to do that. This won't stop the exploit, but makes it more obvious and harder to fall prey to scammers using it. This setting should be the default, and I hope it is in the next version of Firefox. Especially since there's no way to patch this bug because it's a "feature."
And saying that this same bug/feature exists in IE and any other browser, and is not patchable, is not an excuse. We EXPECT IE to have this type of crap.
Apparently all the recent comments in the old bug are arguing about whether it should be opened up or not. The discussion/argument about security policy has been going on for years. The policy is that bugs about security issues stay closed until they are published elsewhere, or until there has been a release of all the products containing the fix. And even then, it can take a while for them to get around to opening the bugs up.
The trouble is that having the URL bar always showing will screw up some web apps which pop-up small windows as "dialogs" to control the web app. Making the status bar show always is less of a problem in that respect. Anyway, I imagine they'll change something before the next release - exactly what will change is still under discussion.
Well, I guess I can take comfort in the fact that this same bug/feature exists in IE
Are there any browsers that don't usually allow this to one degree or another? I've always used products like Proxomitron to prevent this behaviour and truly don't know if there are browsers that don't allow this by default.
If this isn't a vulnerability, why was it kept confidential?
If this is a vulnerability, it should be fixed.
This is a vulnerability though it's also a useful capability.
I think the easiest solution is just like what has been done with applet windows since forever. Any detached window should be marked with "Warning: XUL Application window" on a non-hideable, non-coverable bar at the top/bottom.
I also think that any bugs still marked "confidential" need to be addressed and made public before the final 1.0 release. Keeping them confidential while they are being fixed is one thing, but 5 years... either it's a vulnerability or it's not, but don't keep it secret for 5 years. That's the MS way and I feel it's very unbecoming of the Moz team and will cause people to rapidly lose confidence in them.
The rapid response to the Shell: problem was excellent and confidence inspiring. This is not.
I personally prefer that any potential vulnerabilities are not made public until after they appear in the wild... this keeps anyone that doesn't know about it from trying to exploit it. As far as this particular vulnerability goes - I agree with Scratch and Cusser. I personally see it along the same lines as receiving an executable as an email attachment... and I am quite aware that everyone else may see it differently.
What bothers me is the lack of information of any use to Firefox's users. I know it's a volunteer effort and respect these people have lives away from firefox--but at times like these I wonder how that model can really work? Who's in charge? How do you allocate resources in a crisis? The typical hierarchal structure of a work environment--no matter how pagan or unwieldy--sure is more efficient when things go wrong.
I've searched for news on this (perhaps I'm not looking in the right place--I used Google). I found an article dated the 27th where Mozilla said there would be a fix in about a week (cnet or news.com) and I found an article where Mozilla had promised to pay a bounty if you found a bug (that will be a mess).
So what's going on so far as Joe User is concerned?
Please post in this message about this subject. It's the same and it's been around longer.
http://forums.mozillazine.org/viewtopic ... 4&start=45
Linux Install Script
http://forums.mozillazine.org/viewtopic ... highlight=
I'll post in the older thread as requested, but I want to answer a direct question in this thread first.
The prefs I changed were accessed through about:config. Open a new window. Type ABOUT:CONFIG into the address bar, then enter. Scroll down the list (it's in alphabetical order) and you'll find the entries
(I changed these three, but there are other pref values you can change also)
Right click on each of those entries and select "modify" from the context menu. Then change the value "false" to "true" and enter. Then close the browser and restart firefox.
Now click on the spoof test (you can find them here http://www.nd.edu/~jsmith30/xul/test/spoof.html ) and you'll see that the scam is easy to recognize so that you won't fall for it.
Tools > Options > Web Features > Advanced accomplishes exactly the same thing as those about:config prefs.
Not all of them. Of the three prefs I changed, I don't see menubar or address bar there. I do see the status bar pref and others there. But of the specific three options I changed, only one of them could have been changed through tools>options>web features> advanced.
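A way to check that the about:config change discussed above actually took effect in a profile, as an added example that is not part of the original thread. The three pref names are an assumption: the post's list did not survive on this page, so the script uses the Firefox `dom.disable_window_open_feature.*` prefs for the menubar, address bar and status bar that the posts mention, and the sample file contents are constructed.

```python
import re

# Assumed pref names (not listed on the page): the Firefox prefs that stop a
# page from hiding the menubar, address bar and status bar of a popup window.
REQUIRED = (
    "dom.disable_window_open_feature.menubar",
    "dom.disable_window_open_feature.location",
    "dom.disable_window_open_feature.status",
)

# Matches active lines only; a commented-out "// user_pref(...)" is skipped.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_prefs(text):
    """Return {name: value} from prefs.js / user.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        prefs[name] = {"true": True, "false": False}.get(raw, raw.strip('"'))
    return prefs


def unprotected(prefs_text, user_text=""):
    """List REQUIRED prefs not set to true (absent counts as unset).

    user.js is applied over prefs.js at startup, so it overrides here too.
    """
    merged = parse_prefs(prefs_text)
    merged.update(parse_prefs(user_text))
    return [name for name in REQUIRED if merged.get(name) is not True]


# Constructed sample of a profile's prefs.js: only the status bar is locked.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.mozilla.org/");
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_open_feature.menubar", false);
// user_pref("dom.disable_window_open_feature.location", true);
'''

if __name__ == "__main__":
    for name in unprotected(SAMPLE_PREFS):
        print("popup windows can still hide this bar:", name)
```

Pass the contents of the profile's `prefs.js` (and `user.js`, if present) to `unprotected()`; an empty list means all three bars stay visible in popup windows.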