Firefox gets emergency update to fix the last update
It looks like last week's automatic update to Firefox came with an unintended hitchhiker: a new bug that opened up a potentially critical security vulnerability. The Mozilla Foundation responded by pushing out a new update that fixes the problem:
- MFSA 2009-23 Crash in nsTextFrame::ClearTextRun()
I found the timeline on this one interesting, so I thought I'd share it. It provides a fascinating insight into Mozilla's around-the-clock development process (all times are PDT):
April 21:
- 5:11am: Marc Gueury, who was running a pre-release version of Firefox, noticed a new crash when using the HTML Validator extension (bug 489322). As more people started running into it, one noted:
Firefox 3.0.9 downloaded in the background and installed when I restarted. Ordinarily I think that is a brilliant thing, but this time, because of this bug, it's corrupting my ability to work.
April 22:
- 1:06pm: Daniel Veditz noticed a new "topcrash" and filed bug 489647. Topcrashes are Firefox's equivalent of a "Top 10 list" from the automatic crash reporter.
- 1:16pm: Developers narrowed down the time frame of the regression and identified a couple of possible pushes that might have caused it.
- 11:17pm: The exact problem was described. Essentially, a fix to one problem got tangled up in a fix to another problem, which resulted in an incomplete patch being applied.
April 23:
- 3:46am: A test case was created.
- 3:52am: A patch was created to fix the bug.
- 10:20am: The patch was checked into source control.
- 12:30am: The fix was approved for an emergency release.
- 5:04pm: The bug fix was verified on 3.0.10 builds on Linux.
- 11:52pm: The bug fix was verified on 3.0.10 builds on Windows.
Once the fix was approved and verified, the process of pushing out a new automatic update was started.
Talkback
Fixed ! Open Source in Action......
No, actually Mozilla quality control blew it
- just maybe - they should take some more time
to properly test their changes.
I mean, it is not like this was only triggered
in some obscure, intricate scenario. It was
reported by multiple users within hours of the
3.0.9 release. I know they are the heroes and
all, but seriously!
Nobody can write completely bug-free code, but
if you create a culture where you always value
speed over quality, this is going to happen
again, again and again. And these bugs just seem
so easy to trigger that a properly designed
test suite should have caught them.
There is a reason Firefox is now the
browser with the most vulnerabilities,
an honor which used to belong to IE6 back in
the day.
And it's not just the introduction of new
vulnerabilities that should be a cause for
concern. Firefox is also the most buggy browser
overall. And that's a problem as more and more
organizations are relying on the browser as a
platform for in-house mission critical
applications. Bugs which may be a minor
nuisance to most of us may be devastating for a
company whose applications trigger it.
Microsoft gets this. And they have improved
vastly over the latter years. Firefox is now in
the same league. They can no longer just be the
smart, agile kid who can afford a few missteps.
Utter rubbish.
That would explain Vista right? Duh!
Re:
Explain this then....
Re:
The solution is worse than the cure
Simply put, the owner is no longer ultimately in control of his computer if there's a TPM chip installed and active. You think the thought of Iran and North Korea getting nuclear weapons is scary? Let me paint a more realistic scenario for you.
While the rest of the world puts pressure on those two rogue nations and manages to keep traditional WMDs out of their hands, Iran manages to place one single spy in the right program at Microsoft. Meanwhile, TPM chips, marketed as a feature that makes your computer more secure, become as ubiquitous in 10 years as GPUs are today.
Now 99% of existing computers have an Internet-based security system in them, and Iran has the key, a metaphorical "big red button" that would shut down every computer in the United States, doing more overall damage than a nuclear explosion in one of our cities.
This is some very evil technology, and it needs to be banned by law, not welcomed as the solution to security problems.
Hardly
http://www.informationweek.com/news/security/encryption/showArticle.jhtml?articleID=208800939&pgno=1&queryText=&isPrev=
Wow are you desperate. From the article:
You have to have physical access
For the moment, yes...
RE: Explain this then....
So wrong.......
For example, the code red patch for exchange servers took 3 fixes to their patch right when the first patch took down exchange servers all over!
But you already knew that, you just wanted to troll against anything not Microsoft again, as always.
so an MS mistake nearly 10 years ago
P.S. CodeRed was IIS specific.
Lot of comments to your post
RE: Fixed ! Open Source in Action......
include the version #
3.0.10 is with the fix I think.
it was in the article...
Ubuntu didn't give me the update right away
nt