CYBERSPACE – Firefox 2.0, Internet Explorer 7.0 and Opera 9.1 have all hit the Web recently and both tech blogs and review sites are alive with feedback, bug reports, praise from brand-loyalists, and good old-fashioned, new media-style hating.Slashdot reports that although downloads of Firefox 2.0 exceeded 2 million in less than 24 hours, “a growing number of users are reporting bugs, widening memory leaks, unexpected instability, poor compatibility, and an overall experience that is inferior to that offered by prior versions of the browser.”
Among the complaints about Firefox 2.0 noted by Slashdot users are the “bulky” theme, which is described as “inconsistent on different platforms, and inferior to the highly refined and very user friendly theme of 1.5;” blacklist-based anti-phishing technology that the Slashdot user review terms “weak;” compatibility issues with the “large existing libraries of extensions, themes and plugins currently available for earlier versions of Firefox;” and the complaints that the “well known memory leak issue, which causes the Firefox browser to consume ever increasing amounts of RAM…. has been carried over into yet another generation.”
The upshot of the Slashdot piece is not “Firefox 2.0 is bad;” rather that one might describe the conclusion as “Firefox 1.5 is better than 2.0, so consider not upgrading until they iron out some of these bugs.”
On the Opera front, the far lesser-known (and proportionately lesser-used) browser recently issued version 9.1, which touts upgraded fraud protection that is neither blacklist nor whitelist-based.
Opera instead employs a database built on “trust information” supplied by Geo-Trust. According to the Opera “Desktop Team” blog, when a user browses a site they have not visited before Opera sends a request for site information to the Opera server, a request which contains the domain name of the site and a hash value of the URL. The Opera team blog notes that they do not send the full URL, but “we need a fingerprint of the full URL in case you visit a dangerous page on a site that is otherwise harmless.”
The reply from the server comes as an XML document that reports the “trust level” of the domain in question. According to the Opera team blog, this reply is cached by Opera for a time indicated by the server, meaning that “information about well-trusted sites can be cached for a longer period than for unknown sites.”
Opera does not store information on the servers that allows them to track individual users, IP addresses are discarded, the system does not utilize cookies or other session information, and no information is supplied directly to third parties – all elements intended to enhance security for Opera users and to close holes inherent to other anti-fraud features that include automated server-client reporting.
Microsoft’s launch of 7.0, like the launch of Firefox 2.0, has been of a bumpy ride.
Danish security firm Secunia posted an advisory noting a security flaw by which attackers can harvest user names and passwords from unsuspecting 7.0 users.
According to Secunia CTO Thomas Kristensen, if a 7.0 user visits a website created by a potential attacker/hacker and then opens a “trusted” site, like a bank or online shopping site that has a pop up window, the attacker could put new content into the popup, enabling them to phish for the user’s sensitive financial data, user names and passwords, or other information.
When this problem was originally discovered in June of 2004, Microsoft supplied instructions for a workaround solution in IE 6, which was to disable the setting labeled “Navigate sub-frames across different domains.” According to Kristensen, the setting is disabled by default in IE 7, but the new default does not appear to prevent the possibility of such an attack.
Secunia rates the flaw as “moderately critical,” but Kristensen said there’s no indication that any sites or hacks are specifically targeting that vulnerability in IE 7.
