By Big Bear Posted Wednesday 17th December 2008 15:44 GMT
Typical of Microsoft to release a half finished, half baked browser with all these XSS vulnerabilities and so on, plus charging over the odds for Apple's shiny look on this Chromey shiny Safari Vista!
Bah... I'm off to hand code HTML packets on my tuxedo wearing flightless cold bird flu iPenguin with the controlled hardware software combo from Redhatmondtino.
By Not That Andrew Posted Wednesday 17th December 2008 15:56 GMT
It would seem that both Opera and Mozilla think it is a good day to bury bad news, with all the hysterical attention the latest IE exploit is getting.
By Steven Knox Posted Wednesday 17th December 2008 16:00 GMT
MS, Opera, and Mozilla are all rushing out critical fixes this week. Maybe one development model isn't inherently better than another. Maybe the only real way to ensure browser developers care about security is to enforce it from the user end by maintaining the competition and letting your favorite developer know you can and will switch whenever they seem to get too lazy...
Oh, wait, this is The Register. Opera got theirs out first! Suck on that, monolithic and open-source development fanbois!
By Paul McConkey Posted Wednesday 17th December 2008 16:01 GMT
But I was told that Firefox was perfect. (See comments on the MS zero-day patch article).
Maybe I misunderstood?
By Tom Chiverton Posted Wednesday 17th December 2008 16:35 GMT
all those who are gloating over this happening to non-IE browsers should consider how long Mozilla etc. had the serious bug open and being exploited for, and how long IE was over exposed...
By Cameron Colley Posted Wednesday 17th December 2008 16:42 GMT
As I understand it, XSS is using Javascript (or similar) to make objects from one domain appear to be from another. It also appears that every browser out there that supports scripting has been found to be unsafe in its handling of XSS.
So, my question is, is this a flaw in the implementation or is this how things were originally intended to work? The recent article about Google's scripts being referenced by Obama's website suggests that scripts from other domains are supposed to appear to be from the original domain and that the real problem here is that people let anyone who feels like it embed anything they like on their pages.
Secondly, using NoScript even before its "XSS Prevention" used to prevent a lot of problems provided you whitelisted your sites correctly -- what's the difference between this and the new "XSS attack prevention"?
By Anonymous Coward Posted Wednesday 17th December 2008 17:04 GMT
As always, I'll upgrade to Firefox 3 when they fix the UI and give us back a proper way of storing bookmarks.
Honestly, though, I don't understand the fanboys: the only reasons I can see why Firefox is actually perceptibly better than any other browser is the plugins that (theoretically) give the USERS control over their browsing experience, and even there, the only two that really matter are Adblock and Noscript, without which the internet is basically broken and unusable. This is not the future I was promised.
By Not That Andrew Posted Wednesday 17th December 2008 17:11 GMT
The funniest thing about this is the blurb on the "Welcome to FireFox 3.0.5" page declaring Firefox is the safest browser known to God and man. Hubris, anyone?
By Adam Salisbury Posted Wednesday 17th December 2008 17:35 GMT
"IE's buggered! Change browser"
"Duuh OK"
*Installs Firefox*
*Spends rest of day watching Firefox fall down*
How about some decent testing before releasing what appears to be a technology which has merely provided us more vulns? No! I don't want fries with my McFail...
By Steve Foster Posted Wednesday 17th December 2008 17:54 GMT
And of course, those Firefox plug-ins (AdBlock and NoScript) were written to imitate native Opera features...
I think browsers are like AV - all vendors are going to have issues from time to time, and we all need to pay attention to updates and revisions. The big test for vendors is how responsive they are to fixing problems (right now, Apple appear to be the slowest of the major browser vendors - they even make MS look good by comparison!).
By madra Posted Wednesday 17th December 2008 17:58 GMT
glad they've fixed the security holes.
now is there any chance of doing something to stop the OSX version of FF3 leaking memory like a sieve, hogging 30% processor time while in the background and gradually grind-i-n-g t--o a c--r--a--w--l as the hours go by?
By Paul Posted Wednesday 17th December 2008 18:07 GMT
Can't someone just make a browser that doesn't have gaping security holes to start with? Asking a lot right? Maybe if they didn't worry about supporting all this scripting junk.
By Anonymous Coward Posted Wednesday 17th December 2008 18:59 GMT
I will upgrade to Ff3 when they give us a way of turning off the annoying new address bar (and also ideally the rendering of tabs when you drag them to move them but that isn't a priority)
By Pierre Posted Wednesday 17th December 2008 19:57 GMT
"Can't someone just make a browser that doesn't have gaping security holes to start with?"
Try w3m. Or lynx, links and the like. Or Dillo if you *need* a graphic mode. Of course, these are secure because they don't run scripts, so you won't be less safe with FF and scripts disabled.
You can use a filtering proxy to tidy up the pages, too. But then again, all the fancy JS sites will be broken. Seriously, who the heck started this scripting madness in the first place? Give me my HTML web back!
By Anonymous Coward Posted Wednesday 17th December 2008 20:26 GMT
@AC 17th December 2008 17:55 GMT:
Funny, I thought "better browser" was supposed to mean something like "we don't dictate our view of how you should work on you the way Microsoft does." That was incorrect?
@AC 17th December 2008 19:09 GMT:
Funny, I could have sworn the point was at least in part to improve the experience for the user and to make it easier, rather than to stick things in databases that are no longer realistically maintainable through shell scripts and, as I recall, make dialogue boxes non-resizeable. Or are we defining "improved" in the typical "it works for me, therefore there's no problem" FOSS-developer way?
By Sim Posted Wednesday 17th December 2008 20:32 GMT
I just wrote to mozilla to tell them I will not be installing ff3 until they allow users to turn off the "Awesome"(sic) address bar functions. I do not suppose they will pay any attention.
By Not That Andrew Posted Wednesday 17th December 2008 20:38 GMT
In what world is an SQL database an appropriate method of storing bookmarks? Just because some FF developers have so many bookmarks they need a database to keep track of them doesn't mean everybody does (and yes, I know FF3 stores a lot more than bookmarks there, equally without logical reason). Instead of foisting their half-baked ideas on everyone who uses FF they should rather get rid of all their obsolete and redundant bookmarks, or implement it as an extension. This is definitely an itch that didn't need scratching.
By Dave Machin Posted Wednesday 17th December 2008 20:59 GMT
My feeling is that there must be a reason that every single browser on a Windows platform suffers from security holes. As long as the underlying operating system allows the application complete access to the system, rather than running it in a sandbox, we will see a never ending sequence of patches as yet more exploits are discovered in an ever expanding code base.
Now, if it was built on top of an inherently secure, compartmentalised operating system, it wouldn't matter how buggy the browser was, the user's data would be protected.
I am sure that Linux and Mac are not perfect in this respect either.
By David Shanahan Posted Wednesday 17th December 2008 21:25 GMT
How do you justify the headline for this article claiming Mozilla "rushed out" this security update? FF security updates are regular events, nothing new or "rushed" about this one I can see. No zero day vulns like IE just had - now that update was rushed out. Just because MS have rushed out a fix doesn't mean anyone else's updates have to be described as rushed. If you have any evidence for this claim then please provide it.
By Brian Morrison Posted Wednesday 17th December 2008 22:09 GMT
So, you fiddle around with your bookmarks using "Organise Bookmarks" until they do what you want, then you select the Backup/Restore button and you can then backup, restore or even <gasp!> Import and Export as HTML.
By Stephen Posted Wednesday 17th December 2008 22:11 GMT
That'd be the same Firefox 3 I'm running on 4 Macs with no memory leaks, about 3% CPU usage with sessions usually running all week... I'd have a look at the extensions you're running.
By Chris Jau Posted Wednesday 17th December 2008 22:56 GMT
As you can see by going to https://wiki.mozilla.org/Releases, this release has been planned for weeks and is part of Mozilla's regular update. The next one is planned for Feb 3rd. Presumably we can expect another Register article about security panics on Feb 4th. Or would the Register prefer it if browser makers didn't patch their software?
By Keith Doyle Posted Wednesday 17th December 2008 23:17 GMT
FF2.0.0.19 will no longer be updated? EXCELLENT-- finally will be rid of those annoying "do you want to update now" popups that always seem to pop up when I'm doing something really important (such as working on my banking site, about to click on a sell order on my brokerage site, or about to snipe something on eBay). Now FF 2 is TRULY perfect.
By Eddie Johnson Posted Wednesday 17th December 2008 23:41 GMT
The one that irks me is how the Back pulldown and Forward pulldown were merged into a single list with less total entries. Yes, IT DID MATTER. A lot of the time the page I want to jump back to is 10-15 pages back, especially if you've been browsing about on Amazon or similar. Now you only get 7 forward, 7 back, and the confusion of seeing the page you are currently on.
Add to that FF3's adoption of a NONSTANDARD cookie file format and their removal of useful stuff from Tools/Page Info and FF3 is a major regression for me. What? You thought Mozilla was all about standards? That went out about 4 years ago. Ever since it's been all about the chrome, baby! Look at that snazzy backforward button that looks like something stolen from MS. How many extra cycles does it take to draw that versus a standard rectangular region?
Oh, and when FF first came out, then again in FF2 they took stuff out of Preferences and buried it in about:config. Now, with FF3 it's still buried in about:config but you're warned that you are mucking about in an area where you shouldn't! Seriously? Just to change my Ctrl+Wheel behavior?
By Anonymous Coward Posted Thursday 18th December 2008 05:35 GMT
Most of the people commenting here are crybabies. I use version 3 with no problems other than minor changes to about:config between major releases. I even got used to the awesomebar after guessing I would never like it. Now the sql storage is my ally, and I have no problem running even the nightlies on my windows, tiger and Linux boxes (even the slow ones). So why all the retardation? Are you not the people supposedly considering yourselves tech-literate? And especially about the frequency of updates.. What the hell is wrong with you if you don't like your free software to be kept up to date? Guess there's just no pleasing some jerks.
By Anonymous Coward Posted Thursday 18th December 2008 07:04 GMT
Stop moaning. It's free.
If you don't like it, use another browser or write your own. Nobody's stopping you.
@Keith Doyle
No, you won't get any more updates for FF2. Of course, if you get screwed over by a vulnerability in an old and unsupported version of FF which you are using to control and run your finances via the web, then don't go whining that it's all Mozilla's fault. It won't be. It'll be your "change is scary" Luddite conservatism which is to blame.
By elderlybloke Posted Thursday 18th December 2008 07:58 GMT
My Firefox 3.0.4 on Ubuntu 8.10 seems to be chugging along without any problems.
Why am I not overwhelmed with paranoid type anxiety?
Anyway what with Climate Change/Financial system Meltdown/Credit Crunch/Mr. Madoff of New York etc., I am surprised all you lot have not gone into your bunkers by now.
By Steve Mansfield Posted Thursday 18th December 2008 08:45 GMT
Want to turn off the 'Awesome' bar? Allow me to let you in to a closely guarded secret - you can do it! Just by typing, you don't need no stinkin' extension!
It's even been published on El Reg several times already!
There's a top secret L33t HaX0r way of finding out what to do. The thing is: there's this pretty good website called 'Google' that runs this, like, index of the Internet. And the best thing is - you can search it! So if you go to Google and you type in something really complex like
turn off Firefox awesome bar
Any one of the 74,800 hits will tell you ...
In the 'Awesome' bar type
about:config (and press Enter)
Find the line for
browser.urlbar.matchonlytyped
Click that line so that the value changes to true
The end.
Now put your computer back in the box it came in, and send it back to the manufacturer asking for a full refund.
By Anonymous Coward Posted Thursday 18th December 2008 09:36 GMT
So let's imagine for a moment that somebody took the advice of security "experts" and swapped to Firefox and then got shafted by the vulnerability. Would the "experts" accept responsibility for handing out untested advice?
By Tony Paulazzo Posted Thursday 18th December 2008 09:45 GMT
Well, after reading the Reg for some six months, I've finally installed Noscript, so thanks Reg commentators, evidently repetition does work. Had Adblock and Firephorm for some time (with BT until they change the T&Cs), for some time.
I still think Firefox is the best (and safest) when you include the plugins IMHO.
By Anonymous Coward Posted Thursday 18th December 2008 09:51 GMT
So they're not issuing any more updates for FF2. That's responsible.
Funny isn't it that the lovely, touchy feely people at Mozilla are forcing their EUs to upgrade when even Microsoft don't indulge in that sort of behaviour. Updates for earlier versions of IE are still produced. And don't give me all that bull about their being non profit making. If they want to be taken seriously in the market then they need to provide the same service as the other players in the market.
By Goat Jam Posted Thursday 18th December 2008 10:36 GMT
"So, you fiddle around with your bookmarks using "Organise Bookmarks" until they do what you want, then you select the Backup/Restore button and you can then backup, restore or even <gasp!> Import and Export as HTML"
Even better, install the foxmarks plugin and you can share/backup your bookmarks on every PC you use
By Vincent Posted Thursday 18th December 2008 11:12 GMT
I take it that I'm the only person who doesn't really have a problem with Firefox 3 then?
That said, I'm thinking about jumping ship to Chrome once it comes out of Beta.
Actually, I just looked at the Google Chrome page and it's missing the Beta tag, so it looks like I'll be downloading and installing that when I get home today then!
By Not That Andrew Posted Thursday 18th December 2008 16:19 GMT
Could the fans of the RetardedBar please explain why:
a) The FF3 "organise bookmark" interface is shittier than FF2's?
b) I have to export or backup my bookmarks in FF3 after editing any of them, or else the changes are reverted when I restart Firefox? And no, there are no permission problems.
And to those RetardedBar haters who can't Google, there are actually several things that need to be done to reduce the annoyance factor.
1) If you want the dropdown list, install the Oldbar extension, this makes the dropdown list appear like FF2's, but doesn't change the RetardedBar's behavior.
Then in about:config
2) set browser.urlbar.matchOnlyTyped to true
3) set browser.urlbar.maxRichResults to 5 or so, or 0 if you don't want the drop-down at all.
This reduces the annoyance factor significantly. There are a couple of other settings that can be tweaked, but these are the most important. More are coming in FF3.1
These settings would not be there if not for all the diligent bug-reporters who endured and rode out a tide of hatred from the Mozilla fanbois, and plain arrogance by several developers, during the Alpha and Beta testing of FF3.
By Jon Kale Posted Thursday 18th December 2008 16:38 GMT
Preach it, AC.
IE6: released 27 August 2001, supported until 13 Jul 2010
FF2: released 24 October 2006, supported until 16 December 2008
And people wonder why grown-up organisations - who are often squeezed to complete the evaluation, sign-off and rollout of an app in under two years - find it hard to take the Mozilla org seriously? We are, after all, talking about an application which famously is about as amenable to centralised management as a pissed-off tomcat.
(aside: where's the Asa-Dotzler-with-horns piccy?)
By Keith Doyle Posted Thursday 18th December 2008 18:30 GMT
Interesting that the FF3 fanbois are all ACs. At any rate, unlike most people (apparently), I don't depend on the browser for security. And that includes protection against phishing sites, buffer overflows and stealth XML, ActiveX or other such nonsense.
FF3 has resurrected all of the same reasons I stopped using Netscape, Mozilla and, for that matter, IE. The developers just don't get it. They can't keep themselves from bloating the browser with unnecessary and redundant features such as tabs and databases (and for that matter, bookmarking-- which need to be accessed on all the user's computers and shouldn't be stored at all on web clients). And while they're so busy adding useless features, critical ones they should be concentrating on are completely ignored (like user interruption protection-- THOU SHALL NOT STEAL KEYBOARD FOCUS AWAY FROM ME WHILE I'M TYPING -- and while that may be the OS' job, if they're not doing it, the browser can and should).
I may move away from FF2 at some point, but I can tell you it ain't gonna be to FF3.
I'm just glad there is Seamonkey available, which doesn't treat you like a clueless newbie like IE and FF (as it wants to imitate IE) do.
For anyone frustrated with FF, try Seamonkey, same browsing engine as FF, therefore same extensions and plugins as FF, but much better UI, more configurable, and no useless cpu-consuming gimmicks.
By Anonymous Coward Posted Saturday 20th December 2008 20:48 GMT
I already tried that, it doesn't solve the main problem:
if I want to go to google, I start to type it in. When I type go, google should appear, being the most visited address starting with go. Instead, I get random websites that contain go in their title bar, or, even more annoyingly, IN THE MIDDLE OF THE URL. I only want it to match the start of a URL, not the middle, and not titles at all.
Comments on: Mozilla hastily shoves Firefox updates out door