Archive for the ‘firefox’ Category

More CrunchBang De-Bloat

July 18, 2009

I decided to cut some more bloat. Among (many) other things:

% sudo aptitude remove firefox firefox-3.0 ubufox firefox-3.0-branding
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
The following packages will be REMOVED:
  firefox firefox-3.0 firefox-3.0-branding ubufox
0 packages upgraded, 0 newly installed, 4 to remove and 0 not upgraded.
Need to get 0B of archives. After unpacking 4317kB will be freed.
Writing extended state information... Done
(Reading database ... 105476 files and directories currently installed.)
Removing ubufox ...
Removing firefox ...
Removing firefox-3.0 ...
Removing manually selected alternative - switching to auto mode
Removing firefox-3.0-branding ...
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done

I was going to seriously vent my spleen about this but I won’t right now except to say that I’m increasingly dissatisfied with Firefox. It’s become a complete pig and I think time has proven that it’s not much safer than any other browser. It has greater requirements than other browsers, including IE. If I need to use a Mozilla-based browser, I’ll use conkeror (which I’ve installed).

I’m getting ready to start removing other things, including openbox (which I’m unlikely to ever use), dwm, vim, and a number of other apps I either don’t use or probably never will. I noticed one of those apps-I-won’t-use was patched the other day. (Speaking of patching, I saw my update yesterday made me a brand spanking new initrd. WTF-ever.)


It may have been easier to do a netinstall/minimal install and only set up what I actually wanted. Which isn’t much at all. Notice I keep wanting “less work” with all this shit only to end up compiling my own damn kernel, downloading sources for things like libmtp to “fix” what’s available in repos, etc.? I also have the latest sources for ratpoison (released in June). Why would I recompile that? Because I don’t think I really need xft for ratpoison — not to mention whatever other patches are applied. There are other things I want to update/fix/recompile. Before long, I’ll have nearly every -dev package for everything I have installed.

Which makes me wonder, if I’m going to keep recompiling stuff I may as well install a source-based distro or build from scratch. At this point, I wish I’d done that when I decided to unify my disparate Linux partitions. If you want something done right, gotta do it yourself.

It’s never too late.

posted from weblogger in emacs
edited to add image and categories

US CERT Security Advisory – Firefox 3.5

July 15, 2009

US Computer Emergency Readiness Team (US-CERT) has issued an advisory about a zero-day exploit involving the JIT compiler for the JavaScript engine in Firefox 3.5. CERT recommends disabling JavaScript until Mozilla can patch; disabling the JIT compiler will reduce JS performance.

Secunia rates this vulnerability as highly critical.

Update 20090627

June 27, 2009

I’m still unable to run yet (lingering fatigue from the flu combined with a heat wave) so my early morning hours are filled with catching up with work. Screwing around with Fedora has been an anti-priority until this morning (at 4:30 no less).

I think I booted into Linux three times all week (checked last: four times – twice on Monday, once Tuesday, once this morning). Spent most of the week working within Windows playing catch-up. I never installed Firefox under XP on my AA1; I’ve been using IE8 and Opera instead. I finally installed xulrunner and conkeror, though, yesterday. May install conkeror under Fedora, too.

Here’s GNU screen running mplayer (streaming), emacs opened with probably two dozen more buffers than I’m using or paying attention to (mostly dired — need to see if I can reuse the same buffer), w3m opened to my blog, and some chatting. This is all within ratpoison, of course. I got rid of that lxpanel thing.


I installed GraphicsMagick instead of imagemagick so my file names are automatically set and everything’s handled with simple keystrokes. I saw that GraphicsMagick did the same things as imagemagick only faster and better with fewer libraries. Not sure how true the claims are but I decided it was worth a try. Only difference I had to adjust to was invoking “gm” before imagemagick command names in my scripts and configuration files (e.g., the aliases and commands I have set up in .ratpoisonrc).

Likely to remove some Gnome bloat sooner than later, but still have some apprehension. I wanted to see where pekwm would fit in comparison to ratpoison and fluxbox. It was much closer to fluxbox so I’ll remove it.

window manager resource use
doesn't include additional/related processes
taken at fresh start
ps aux | grep [window manager name]

lucky13      0.1  0.4  10264  4172 ?        S    04:43   0:00 pekwm
lucky13      1.6  0.4  10808  5068 ?        S    04:46   0:00 fluxbox
lucky13      0.2  0.1   5476  1556 ?        S    04:47   0:00 ratpoison

pekwm with default theme
fluxbox theme "green tea" and very small menu
ratpoison with custom .ratpoisonrc

Not doing anything drastic today beyond tweaking .emacs and moving old scripts to the AA1. I’ve considered upgrading the AA1 to Windows 7 when it’s released (October 22). I’d like to see that everything’s working better under Linux than it has thus far, which is why I still have XP installed and why I’m still leaning towards Windows 7. Right now there are too many things keeping me from considering running Linux-only on this: having to boot with an SD card inserted to use the reader, crazy wireless shit that’s happened on multiple occasions now (changing SSIDs and even disabling the wireless card), etc.

One final note about the DSL hard drive PDF I’ve not been able to finish yet. I don’t know if or when I’ll get around to it between catching up from being sick to vacation to the simple fact that DSL is dead and I think there are too many better options for those who want a traditional hard drive install. I thought interest would wane since DSL’s development has come to a screeching halt (last time I checked, John Andrews had posted no updates, roadmaps, polls for what direction users wanted DSL to go, etc.), but every day I’m getting hits from DSL forum links and from Google searches related to DSL hard drive installs. So maybe I’ll finish it anyway. Even though it’s about half finished (I want to add new screenshots and other images to make it as easy as possible) I’d rather spend that time writing a guide for something under active development. Maybe I’ll post my own poll about all that and see if there’s any interest either way.

Added Smaller Window Managers on Aspire One

March 21, 2009

Continuing to configure PCLOS on my AA1, still some hardware issues to iron out. Still trying to reduce system overhead. Had one total lock up earlier when trying to get the card readers to work; also failed to successfully recover from suspending last night. Way to go, Team Linux. Wankers.

Oh yeah, I also found a newer toy of mine that will not work under Linux. I’ll have a separate post about that tomorrow or Monday. It’s a Windows world, baby. Get over it.

Tired of hardware issues — thankfully, XP works fine — so I’m moving on to less serious things. I really like KDE but I think it’s a bit much. PCLOS doesn’t have much besides KDE, Gnome, Xfce, fluxbox, windowmaker, and OpenBox in their repositories. Gotta take matters in my own hands. I installed X lib headers. Compiled jwm, dwm, ratpoison. Added kdm desktop session files for each. Need to make jwm menu and add some of my old tweaks. Running ratpoison now. Freaking COOL — ratpoison on an Aspire One with its puny keyboard:


Also compiled emacs, naim, and tmux (BSD-licensed alternative for GNU screen) from source. I have to say tmux is more than a BSD-licensed alternative to screen — it seems to better execute the whole multiplexing concept and it’s a lot smaller.

I’m using pdksh from the repositories (because I saw it listed). Default terminal in ratpoison is Eterm (also from repositories). What else? Dillo from the repositories is going to be replaced by dillo from source and patch for tabs.

I mentioned my aggravation at the way this was configured via the automatic set up and that I could end up doing something drastic. I’m not going to add much more since I have the things I want and need (, mplayer for multimedia, browsers, etc.), and I’m probably going to start removing a bunch of stuff in the interim. Longer term, I’m leaning towards a much leaner install of Slackware or NetBSD. That will have to wait at least another week. Just not enough time to deal with it now.

Edit20090322: Just have a minute to update this. I ditched Eterm for aterm, recompiled ratpoison accordingly (it allows compile-time setting of default X terminal). Here’s a shot of a tmux session and a ratpoison window listing.


One of the cool things about tmux is that it automatically updates its bottom title bar with the current process’ names. So I could stop top in the fourth (3) instance and its title would change back to ksh.

I compiled elinks unstable branch yesterday. I’ll probably revert to stable sometime this coming week.

BTW, I really hate the wallpaper (five minutes wasted in GIMP) and that font sucks. I’ll install terminus when I get a chance. No time now.

Mozilla Patches Part Two: Huh

March 26, 2008

Mozilla fixes 10 Firefox flaws, half seen as ‘critical’:

Mozilla also patched potential identity leaks, spoofing bugs and cross-site scripting vulnerabilities in But the fix that caught Storms’ eye was detailed by 2008-18, a fix for LiveConnect, a feature that harks back to Firefox’s predecessor, Netscape Navigator. LiveConnect lets Java applets call a Web page’s embedded JavaScript, or JavaScript access the Java runtime libraries, and it is used by both Firefox and Apple Inc.’s Safari 3 browser.

“Sun has updated the Java Runtime Environment with a fix for this problem. Mozilla has also added a fix to LiveConnect to protect users who don’t have the latest version of Java,” Mozilla said in the advisory.

“Here we have Firefox putting out a mitigation step for a bug in Java,” said Storms. “It’s a welcome addition when one vendor can help out another.”

All 10 vulnerabilities were also patched by the SeaMonkey Project, a separate open-source initiative that develops a multifunction browser suite.

The Thunderbird e-mail client, meanwhile, is affected by the five critical flaws listed in 2008-14 and 2008-15. “Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail,” read the first of the two bulletins. “This is not the default setting, and we strongly discourage users from running JavaScript in mail.”

A release date for Thunderbird to fix the flaws has not been set. According to David Ascher, the head of Mozilla Messaging, the e-mailer’s update will follow Firefox’s by “several weeks.” In a post to his blog last week, Ascher cited several reasons why a simultaneous release of Thunderbird and Firefox updates was impossible. “Some of those resource contentions are due to not enough automation for the Thunderbird release process, and some of it is the consequence of not enough people with the right training,” he said.

Ascher defended the lag by noting that while JavaScript is turned on by default in Firefox, it is not in Thunderbird. “We could delay releasing Firefox until Thunderbird was ready, in the interest of mitigating the risk of someone using knowledge from the Firefox release to try and attack Thunderbird users,” said Ascher. “But that would mean leaving over 150 million users vulnerable. So, applying the correct math, we release Firefox security updates as soon as possible, and Thunderbird security updates as soon as possible.”

Nice that the Firefox people can help cover Sun’s asses but not Thunderbird’s.

Firefox, Thunderbird, Seamonkey Critical Update Released

March 26, 2008

Firefox update fixes critical security vulnerabilities:

A security vulnerability allows attackers to fake a borderless popup from a background tab using crafted web pages and place it in front of the user’s active tab. This could be used to spoof form elements and phish for data such as login data. Attackers can also circumvent the method used by some websites to protect against cross-site request forgery (CSRF) if server-side protection is based solely on referrer checking, as it is possible to fake the HTTP referrer (MFSA-2008-16). The Mozilla browser may reveal personal data if a user possesses a personal certificate which the browser presents automatically during SSL client authentication. According to security advisory MFSA-2008-17, following the update the browser asks the user before presenting the client certificate when it is requested by a website.

Most of the security vulnerabilities also affect the Thunderbird mail client and the Seamonkey browser suite. The security advisories refer to Thunderbird version and Seamonkey 1.1.9, in which these bugs should be fixed. These versions are not yet, however, being distributed automatically. Firefox users should install the update without delay, as the vulnerabilities can be exploited using crafted web pages to inject trojans.

I was surprised by this when I fired up Windows today and was informed was ready to install. User beware…
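
The referrer-only CSRF weakness mentioned in the quoted summary above, as an added example that is not part of the original post or the quoted article: a server-side check that trusts only the Referer header next to one that requires a per-session token. The host name, session id, key handling and function names are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# All names and values below are hypothetical, constructed for this example.
SITE_HOST = "shop.example"
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def issue_csrf_token(session_id):
    """Token bound to one session: HMAC-SHA256(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def referer_only_check(headers):
    """Weak check: accepts any request whose Referer names our host."""
    try:
        host = urlsplit(headers.get("Referer", "")).hostname
    except ValueError:  # malformed URL in the header
        return False
    return host == SITE_HOST


def token_check(session_id, form):
    """Requires a per-session value that a cross-site page cannot read."""
    submitted = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison on bytes; also safe for non-ASCII input.
    return hmac.compare_digest(submitted.encode(), expected.encode())


def handle_post(headers, session_id, form, check):
    """Return the HTTP status a state-changing POST would get."""
    ok = referer_only_check(headers) if check == "referer" else token_check(session_id, form)
    return "200 OK" if ok else "403 Forbidden"


# Constructed requests. The second carries a faked Referer and no token.
SESSION = "sess-1234"
LEGIT = ({"Referer": "https://shop.example/account"},
         {"email": "me@shop.example", "csrf_token": issue_csrf_token(SESSION)})
FORGED = ({"Referer": "https://shop.example/account"},
          {"email": "other@mail.example"})

if __name__ == "__main__":
    for name, (headers, form) in (("legit", LEGIT), ("forged", FORGED)):
        for check in ("referer", "token"):
            print(name, check, handle_post(headers, SESSION, form, check))
```

The forged request is accepted by the referrer-only check and rejected by the token check, which is why the browser-side fix alone does not make referrer-only protection sufficient.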

Firefox 3 Initial Impressions – VectorLinux Site Hacked

March 21, 2008

I read an article that the Mozilla folks are so proud of Firefox 3 beta 4 that they’re encouraging it for average users. So I decided I would give it a spin.

I downloaded the tarball and set it up in /opt. From a console, I opened it up. I got the first box asking if I wanted to import my bookmarks and settings from Seamonkey (which was installed by default in Vector, and which I manually upgraded rather than using their package because I didn’t want to slow my computer down with all the slick Vector imagery — an issue which I’ll address soon). I did. It then announced my settings were brought over and asked if I wanted the Mozilla search page or my existing home page. I selected my home page.

Then the fun began. Some Arabic writing appeared on the window title bar. And in the tab. My first concern was that I had downloaded an Arabic version instead of the American English one. Looked at it. Umm, nope. Got the right one.

Vector apparently opens to their website when browsers are fired up the first time. That’s another peeve of mine — when someone insists on including configurations that direct me to their sites (you think six links to different parts of the site aren’t enough? am I really important enough to count me when I run seamonkey and firefox the first time?). In the process I found out their site’s been hacked.

This is a later shot when I realized what was going on (and I left open a tab when checking on this to make sure the file I downloaded didn’t have any known issues). But you get the point.

When I realized what was going on, I decided to open the site in dillo and that’s when I found out the criminal did a bit more. Dillo displayed it, Firefox resulted in a 404.

Anyway, hitting a hacked site because the distro I’m using includes a hit to that page in the default install even if I don’t use their packaging has given me a more negative impression of Vector than Firefox. I’m sure others who are using Vector for the first time this evening have the same impression — maybe worse.

I haven’t had time to weigh how much better Firefox 3 behaves with respect to memory, nor have I had time to delve into any new features. So far I see a familiar interface that handles things identically to earlier versions. I’ll have more time this weekend to try it out.

Opera, Firefox Adding Embedded Video Tag

December 7, 2007

Mozilla, Opera look to make video on the Web easier – Yahoo! News:

Firefox and Opera will support a new HTML tag specifically for embedding video in Web pages. As long as the browsers support a video’s specific codec, or encoding method, the browsers will then be able to play the video without launching third-party enabling software, said Chris Double, a Mozilla engineer. Mozilla and Opera are also working to support the royalty-free video codec Ogg Theora.

QuickTime Exploit Affects Firefox Users

December 2, 2007

I know I mentioned this the other day but here’s more information. The vulnerability is in QuickTime Player 7.2 and 7.3, and iTunes versions through 7.4.

QuickTime proof-of-concept exploit published:

The exploit can also be used in a Web browser by having the user click on a URL. The attack has been tested against “some of the common Web browsers,” but with Internet Explorer 6/7 and Safari 3 Beta the attack is prevented.

Firefox users are not as lucky. Because Firefox allows users to play multimedia files in the QuickTime Player application, the current version of the exploit works perfectly against Firefox if users have chosen QuickTime as the default player for multimedia formats, according to Symantec.

Firefox Updates to Fix!

November 30, 2007

Just a few days after Firefox issued a major security fix, along comes another update. Should this breed confidence or suspicion? I’m leaning toward suspicion.

Mozilla Firefox Release Notes:

What’s New in Firefox
Release Date: November 30, 2007
Stability Update: This release corrects a problem that was found in the previous release, Firefox