Firefox 14 is out *yawn*
Other than 14 security issues fixed, there’s not much going on here, folks.
They’ve got 5 critical, 4 high, and 5 moderate severity issues patched. As is usual lately, many of them were actually fixed by Google for Chromium and got merged into Firefox. (They both use many of the same Free/Open Source libraries.)
Elsewhere, we see that there’s some progress with memshrink.
These aren’t as easy to sort, due to the ongoing nature of the memshrink project. Some users who have been using older Firefox versions have seen improvements in memory usage because Mozilla has been leaning on extension developers to fix broken extensions that use memory stupidly. These tend to be proprietary extensions from big companies that are not known for quality software design. (McAfee and Microsoft are big offenders) If you do have crappy extensions like these, get rid of them.
This problem mainly affects Windows users because you guys tend to have Firefox extensions installed in “drive-by incidents” when you install unrelated software or when Microsoft feels like taking a shit all over your browser. Take a minute to look through your add-ons and make sure that you are only using ones you actually want. There are uninstall and disable buttons for the rest. The problems that incompetent extensions create tend to be blamed on Firefox even though Mozilla has nothing to do with them. Alternatively, you can just get rid of Windows and install something like Kubuntu where this stuff never happens.
Moving on, we bust out the magnifying glass and see what new features we have.
I only noticed two that were worth mentioning.
1. There’s a click to load plug-ins feature now. It is off by default and hidden under about:config. It breaks a few sites, but this sort of thing is badly needed, as plug-ins like Adobe Trash tend to be 99% obnoxious and 1% useful.
2. The HTTP Pipelining system seems to have been reworked, that too is under about:config and off by default.
Two interesting stories on The H Online regarding the Flame malware for Windows.
This means that Flame has been out there for over two years and no antivirus software has done anything about it.
The forgery was simple to pull off since Microsoft’s Certificate Root doesn’t keep proper track of their keys and uses weak DES which most e-commerce sites haven’t bothered to use since the EFF demonstrated that it could be easily cracked using commodity PC hardware from 1998.
This demonstrates a couple things I’ve been saying all along.
1. Why do browser makers not bother to make sure that “Trusted” certificate roots can actually be, you know….trusted? You have Mozilla, Google, and Opera conspiring to keep CACert out, but all of them would trust insecure Microsoft keys from Microsoft’s certificate authority. What’s more disturbing is that Windows apparently recognizes Microsoft’s DES keys. I doubt that it would allow you to sign a kernel module with them, but it would be sufficient to suppress the security warning that pops up that says the software isn’t signed.
2. Antivirus software is pointless. It has marginal effectiveness against common malware, and no effectiveness at all with more sophisticated malware. It’s hard to tell whether this is incompetence or because the US government and Israel write malicious Windows software all the time, and they’d rather that users of Windows not be protected from it.
There’s news that Mozilla is considering supporting the patent-encumbered and dangerous MPEG-4 formats known as “h264″ and “aac”. LINK (As reported by The H Online)
It’s unfortunate that it has come to this, but I am in favor of doing it in the way they have described. Albeit unenthusiastically…
We know that there is a dangerous and criminal organization out there called the “MPEG-LA” that doesn’t innovate or produce anything, but acts as a “patent pool” to sue victims who try to implement media codecs without their permission. They “own” several thousand “essential” patents (meaning that you can’t implement the spec without violating them) describing what h264 with aac does.
Microsoft and Apple, which are also criminal cartels, are also members of the MPEG-LA, and are trying to wipe out the open and unencumbered VP8 and Ogg Vorbis combination known as WebM by refusing to support it in Safari and Internet Explorer.
Mozilla and Opera have so far not implemented MPEG codecs because they would be gouged by the MPEG-LA’s innovation tax.
The problem for the user, which is caught in the middle, is that sites that are out there today and insisting on MPEG-4, such as Vimeo, won’t work in Firefox or Opera in HTML 5 mode, and require the proprietary binary blob with gazillions of security problems known as “Adobe Flash” to play their content.
Mozilla is not proposing to ship the offending codecs themselves, but to just use the ones on the system, if any. On Windows, they can hook into DirectShow, on OS X they can hook into Quicktime, and on Linux they can hook into and use anything Gstreamer can play. Of course Android, iOS, and Windows Phone (with all three people who have one) all have their own media codecs.
The problem with this is that it shifts the responsibility to the user to make sure they have codecs. In most cases, the platform in question is promoted by some big company that sees the MPEG-LA siphoning their profits as a cost of doing business, but the codecs are there nonetheless and Firefox is currently not making use of them. It’s the case where a person uses free and open source software, such as a Linux distribution, and doesn’t want top be gouged and run nonfree MPEG Cartel-sponsored gstreamer codecs (from Fluendo), that they have to make a choice about whether to use the codecs that infringe US patents (such as the free and open source gstreamer codecs). In the case of proprietary software, the choice was already made for them, as most choices usually are.
Therefore, my position is… With the objection to the MPEG-LA cartel even being allowed to exist at all. That Firefox should use whatever the user has installed. Refusing to play formats for which the user already has codecs is ridiculous. The user should ideally be using software that respects his or her freedom (such as the gstreamer-bad and gstreamer-ugly codecs, which is where ones with patent problems end up). Even more ideally, the laws should be changed to invalidate every last software patent out there so that the user is free to do what they wish with their own computer, and programmers are free to make software that can compete with established monopolies like Microsoft and Apple. Until then, a couple of minority browsers ignoring those codecs won’t make those codecs go away any more than some Linux distributions not officially providing MP3 codecs has made MP3 go away. Those sites are out there, and users should not feel compelled to use proprietary software such as Internet Explorer, Safari, and Google Chrome to simply view them. Just as users who encounter MP3s, while this is unfortunate, should not have to use proprietary software to play those MP3s.
As a second point for this position, we know Microsoft slips trojan horses into competing browsers on Windows, and so if Mozilla doesn’t do it, Microsoft will wedge in another broken plug-in that is full of security problems to Firefox users on Windows. By making the change in Firefox, they can preempt Microsoft infecting Firefox with more things the user may not have approved of.
It’s unfortunate that this method will make it the user’s problem to decide if they care about using untaxed codecs, but you can thank Microsoft and Apple that someone is going to be stuck with the check.
Just a quick note.
I was (and still am) outraged that Wladimir Palant sneaked into people’s browser preferences and turned on some ads for big companies and parking page parasites that were paying him the big bucks.
There’s now another option; a fork of Adblock Plus called Trueblock Plus. It is derived from Adblock Plus code and is under the same Mozilla Public License as Adblock Plus. Both are free and open source software.
The freedoms that make up “free software” include using the software for any purpose and being able to modify, improve, and redistribute it. In other words, the freedom to “fork” if the upstream dies off, becomes unresponsive to new features that people want, or in the case of Adblock Plus, start to add malicious features that nobody really asked for. (Or for any other reason.)
Right now, the only real modifications to Trueblock Plus are to re-brand it (The name and logos that Adblock Plus uses are trade marks, and are not covered by the free software license of the source code) and to turn off that annoying “Acceptable Ads” antifeature that Wladimir Palant cooked up.
There are also some rough edges in Trueblock Plus. The author of the fork notes that there’s going to have to be some more purging of Adblock Plus branding before Trueblock Plus can progress beyond “preliminary review” status at Mozilla Add-Ons. For example, the Contribute button still links to Adblock Plus’s website. I’m not sure if that’s intentional or not but it says “Contribute to Trueblock Plus”, so I am thinking he may have just searched for and renamed each occurrence of Adblock Plus.
The other problem is that the “Acceptable Ads” code is still there, just disabled by default. Since this code is hardly vital to the operation of the extension, it might be better if Trueblock Plus were to simply revert the commit that added it in the first place. More code in a program means more potential for bugs and security issues, plus the only reason it’s there is so Wladimir Palant can make money by allowing spyware and tracking garbage through by silently switching it on without the user’s consent upon “upgrading” to Adblock Plus 2.0 or later. It is doubtful that any user would opt into something that directly counters the problem that led them to install the software in the first place.
Users who pay attention can still uncheck Wladimir’s Acceptable Ad$ , but he even admits on his website that he’s banking on people not doing that since most people don’t like to tinker and may not even notice what has changed that is allowing ads to get through.
If you have less computer literate friends or relatives, or if you personally don’t want any more nasty surprises from Mr. Palant, then Trueblock Plus might be the way to go.
Today on The Heise Online, they mention that Microsoft is set to automatically download and install the latest version of Internet Explorer that manages to run on the particular Windows version installed. Since XP is the oldest thing they support, those users will get the obsolete Internet Explorer 8 browser, and Windows 7 users will no doubt get IE 9, which is only barely an improvement over IE 8.
I have no idea how they plan on updating Windows Vista users, but that will no doubt be another surprise for anyone foolish enough to actually be using it. There is IE 9 support for Vista (Which is where they will cut off support), but to get it you need a humongous “platform update” full of select backported crap from Windows 7.
Regardless of what version of Windows the user has, an Internet Explorer update is always dangerous since Microsoft continues to claim it is a system component and not a web browser. It means that at best, you need to reboot your computer, and if the upgrade goes wrong it can mean anything from Internet Explorer not working to the Windows shell failing in inappropriate ways. Internet Explorer installations and upgrades have had a significant number of cases of destroying the operating system beyond being salvageable since at least Windows 95.
No decent operating system claims the web browser is an integrated component that can’t be removed. The Internet Explorer situation is a continuing monopoly abuse and Internet Explorer itself is a relic from the 1990s, when Microsoft tried killing Netscape by forcibly installing their own web browser into Windows.
While we’re on the topic, most other operating systems don’t need to reboot after the user updates their web browser, file manager, media player, email client…..
This “almost comical if so many Microsoft victims weren’t suffering through it” situation makes me wonder what kind of a contrived setup those Microsoft funded “studies” used to get “99.999% uptime”. As soon as you apply any patch or update for Windows, it needs rebooted before the new files are used. Even if the user doesn’t want to reboot. Windows will pester them until they do or better yet, start a countdown and reboot the computer without regard to any work the user has left open and unsaved.
This was one factor, out of many, that frustrated me enough to leave Windows. Another factor is that they routinely triage security patches and frequently leave critical flaws open until the next month, like they did with BEAST this month.
That graph is funny, isn’t it? It’s not that Windows has gotten safer, it’s simply that Microsoft is stretching to classify updates that once would have rated critical as “important” based on the factors of “security improvements” in Windows that are often ineffective. (ASLR not being as random as it could be. NX/DEP being off by default for 32-bit software, many applications don’t bother using stack smashing protection because it exposes their programming flaws and causes them to crash, etc.) In many cases the user is left less than protected by what passes as Windows “security improvements” which is why malware is still rampant.
How can any human being tolerate this?