Apple Software Update delivers Safari by default

apple safari For years, software manufacturers have been bundling applications together. Chances are if you download an instant messaging client from Google, Microsoft, or Yahoo, you’ll also be asked to install their toolbar and search engine. I would say that such behavior has come to be expected when you download something new. Including optional packages in updates however, is not something that is done regularly. Microsoft doesn’t include new applications in automatic updates, for instance. You can imagine the uproar there would be if they did – it was bad enough when they included IE7 (an update to existing software).

Apple recently started doing this with its Software Update service. Instead of including just updates for iTunes, the service now includes Safari by default. Mozilla CEO John Lilly explains:

Anyone who uses iTunes on Windows has Apple Software Update installed on their machines, which does just what I’ve described above: it checks for new patches available for Apple-produced software on your Windows machine, alerts the user to the availability, and allows updates to be installed. That’s great — wonderful, in fact. Makes everyone more likely to have current, patched versions of Apple’s software, and makes everyone safer.

The problem here is that it lists Safari for getting an update — and has the “Install” box checked by default — even if you haven’t ever installed Safari on your PC.

Lilly points out that this is wrong, because it “means that an update isn’t just an update” and that it “undermines the safety of users on the web”. I have to agree with him.

Tom Krazit at CNET says this isn’t a big issue:

If you don’t want Safari, don’t click “install.”

Normally I’d say he makes a good point, but this is different. Apple hasn’t made Safari an opt-in choice for users, they’ve checked it by default. Most users will just click install, meaning they’ll get Safari too.

Not cool, Apple.

Read: CNET, John Lilly

Browser Extensions

Post ImageAs I mentioned before, I have been testing Internet Explorer 7 Beta 2. As part of my testing, I have been using it almost exclusively. Turns out, some pages simply do not render in IE7! Sometimes this is because the rendering engine has changed so much, other times its because of crappy programming on the part of the web developer. In any case, I found that I needed to load these pages in Firefox (sounds eerily familiar to when I started using Firefox way back when and had to view pages in IE).

I have had the IEView extension for Firefox installed forever – it lets you right click on a page or link and display it in Internet Explorer. Today I came across FirefoxView, which as the name suggests, lets you right click a page or link in IE to display in Firefox. I love it! The only strange thing? It’s a Firefox extension that adds things to IE – go figure!

I am starting to think my friend Kevin was right. We chatted last week about the two browsers and he remarked that unless IE had extensions like Firefox, there was no reason for him to switch. I have to admit, I wish IE had extensions like Firefox.

New Feed Icon

Post ImageYou might have read lately that Microsoft and Mozilla have decided to standardize their icons for feeds on the one used in Firefox. The Microsoft RSS Team reported they would adopt the Firefox icon a couple weeks ago:

We’ll be using the icon in the IE7 command bar whenever a page has a feed associated with it, and we’ll also use it in other places in the browser whenever we need a visual to represent RSS and feeds.

The Outlook 12 team has announced they’ll be using the same icon. Great news!

I think it is great news indeed! A standard icon will go a long way towards making web feeds even more mainstream, especially since I would expect many other companies to now adopt the icon as well. I have added the icon to my website, which you’ll see on the black bar above, next to the web feed icon. I haven’t yet decided if I’ll get rid of the web feed icon or keep it. I guess the new icon is really the “web feed icon” now!

The new icon is a departure from the RSS or XML icons, which is very good. Here’s what I wrote in August:

There’s some really simple reasons that we should be calling them web feeds. When you ask your friend or co-worker about something on the Internet, do you talk about visiting an “HTML page” or a “web page”? Does your web browser (not “HTML page browser”) load up “HTML pages” or “web pages”? Clearly, you talk about web pages, and that’s what your browser loads. There are three very good reasons we use the term web pages…For the very same reasons, we should be using web feeds, not RSS feeds.

Now that the graphic no longer says “rss” or “xml” or any word or acronym at all, I think it will become much easier to adopt the name “web feed”. And yes, we still need a name you can say in words, just like Prince was still called Prince after he adopted an icon to represent himself!

Firefox 1.5 Released

The Mozilla Foundation has released the first major revision to Firefox, version 1.5. I downloaded and installed it tonight on both machines without any problem. In fact, I quite like how simple upgrading the extensions was – much improved over previous installs. Here’s what’s new:

New in the 1.5 version are more sophisticated security and performance features. In addition to a more effective pop-up blocker, the updated browser is designed to ease security updates. The program checks daily for patches, downloads them automatically and then prompts users to install them, said Chris Beard, vice president of products at Mozilla.

Other improvements include “forward” and “backward” browsing buttons designed to load Web pages more quickly. A new drag-and-drop feature for browser “tabs” lets users keep related pages together.

If you’re a Firefox user, definitely download the upgrade!

UPDATE: It seems that all of the engines I had in my search box were removed after upgrading, and now when I try to add them again, they appear as blank entries in the list! Not sure what the deal is with that!

Read: CNET

Using Firefox? You're not safe!

Post ImageI have said it before, and I’ll say it again: Firefox isn’t really all that secure! It only seems more secure because it doesn’t have a large enough market share to warrant attacking. Fortunately, some other people have noticed this and done some excellent analysis, like George Ou and ZDNet:

Now that Firefox has become the first viable contender to Microsoft Internet Explorer in years, its popularity has brought with it some unwanted attention. Last week’s premature disclosure of a zero-day Firefox exploit came a few weeks after a zero-day exploit for Internet Explorer appeared on the Internet. Firefox not only has more vulnerabilities per month than Internet Explorer, but it is now surpassing Internet Explorer for the number of exploits available for public download in recent months.

In the post, George shows that since March of this year, Firefox has encountered 40 vulnerabilities, compared with Internet Explorer’s 10. And since April 2005, there have been 11 exploits for Firefox compared with only 6 for Internet Explorer. One could make the case that Internet Explorer 6 has been around longer and thus many of it’s problems were fixed prior to March of this year. It would be interesting to see some data on that. Of course, Firefox shouldn’t have had any of the same vulnerabilities though, as it was released after IE6 and should have been able to learn from it’s mistakes, right?

A new report from Symantec found similar results, but also noted that hackers still focus their efforts on IE – no doubt because of the size of IE’s market share and installed base:

According to the report, 25 vendor-confirmed vulnerabilities were disclosed for the Mozilla browsers during the first half of 2005, “the most of any browser studied,” the report’s authors stated. Eighteen of these flaws were classified as high severity. “During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity,” the report noted.

The average severity rating of the vulnerabilities associated with both IE and Mozilla browsers in this period was classified as “high”, which Symantec defined as “resulting in a compromise of the entire system if exploited.”

See the browser wars aren’t really Firefox versus IE at all. No, the browser wars are hackers versus vendors.

Firefox 1.0.5 Released

Post ImageThe latest update to Firefox was released today by the Mozilla Foundation, version 1.0.5. No new features, but there are a number of security fixes, as well as improvements to stability.

Firefox 1.0.5 is a security update that is part of our ongoing program to provide a safe Internet experience for our customers. We recommend that all users upgrade to this latest version.

Release notes are up, and you can download from the Mozilla site.

I love Firefox, and use it as my main browser. I just wish that people would realize that it has the same potential for security problems as every other browser, including Internet Explorer. I mean, look at the issues that were fixed in this version – “Code execution through shared function objects”, “Standalone applications can run arbitrary code through the browser”, and a bunch of others. Nobody’s perfect!

Read: Mozilla Firefox

Will Firefox always be more secure?

Speaking at PC Forum, Mitchell Baker of the Mozilla Foundation proclaimed that Firefox will always have less security vulnerabilities than Internet Explorer, even as its popularity grows. But he didn’t stop there! Baker went on to say:

“There is this idea that market share alone will make you have more vulnerabilities. It is not relational at all.”

No? I guess we’ll find out when Firefox has more than the 5% market share it has now. I am willing to bet the number of vulnerabilities will increase. Furthermore, Firefox will experience new security breaches at a faster rate than Internet Explorer ever did. Why? Because it’s open source. A hacker has to play with IE a bit, use some trial and error, to get the desired result. With Firefox, anyone can look at the code. As soon as Mozilla patches something, a hacker (for lack of a better name) can go and look at the code for the patch to see if it was in fact implemented correctly.

Don’t get me wrong, I love Firefox. It has been my default browser on all computers for a long time now. It’s just that I don’t agree with the “invincibility” some open source pundits think they have. Sooner or later it’ll all come crashing down.

Read: CNET