Firefox and Mozilla Patch Exploit


 

A mere 12 hours after it was announced, Mozilla Foundation has already patched the holes in its software that allow sites to spoof URIs, making it easier to fool people with phishing scams.

In the software world, that is a pretty fast turnaround and shows the benefits of open source software. Unless you download only the major releases, Firefox and Mozilla are essentially releasing new versions every 24 hours. Some include minor fixes that go unnoticed by those who don’t read the changelog. Others are pretty big changes that could affect millions of users.

How often does Microsoft release a new version of IE?

By the way, Firefox is quickly closing in on the 25 million download mark.


 

3 Responses to Firefox and Mozilla Patch Exploit

  1. I think it’s fantastic how much good “press” Firefox is getting for that 12 hour fix, when you consider the fact that, um, it ain’t a fix for the ‘sploit, it’s a fix for the fact that until sometime in December, we were ignoring a whole set of prefs including the one to disable IDNs, except for right when you set them. That fix enables you to not get phished by letting you completely prevent yourself from getting to domains with non-ASCII characters (except of course that there’s generally an ASCII-only alternative around, since the 800lb gorilla hasn’t implemented IDN yet).

  2. Someone says:

    Personally, I don’t see how it really fixes a problem unless they are releasing an actual PATCH to the released version of Firefox. Telling a corporation with 500 machines (or 5,000) running Firefox that they need to download the nightly build instead of patching the released build is not really acceptable. That nightly build will have all sorts of bugs from other code churn. Do people really think that it doesn’t matter?

    When I get an IE patch, it’s a PATCH to the SHIPPED version so I don’t have to go redeploy the entire browser (and an untested version at that).

  3. Konstantinos says:

    Speaking of Firefox upgrades, do you still have to remove the version installed, before upgrading to another build?
