5/08/2005 11:10:00 PM - Do Not Trust.org
If you're not aware, some new security holes have been found in Firefox. OK, so that sort of thing happens from time to time. This is the first one that has seriously bothered me. The reason is that it affects UMO. To put it simply, the bug exploits the XPI whitelist. Well, there's a lot more to it than that, but that's how it affects me. There is only one site on the whitelist: UMO. The only way to prevent this particular situation from being abused is to make UMO not be trusted. The solution: do-not-add.mozilla.org. This means that UMO has suddenly become very annoying. The only permanent solution will be for everyone to upgrade to the very latest version of the browser once a patch is released. I hope that mozilla.org will backport the bug to every affected branch. I also hope that they are able to release the change as a binary patch. Even better would be instructions for people to make their own binary patch if they redistribute or compile the browser themselves.
Of course, any site that you've added to your XPI whitelist is vulnerable. That means that UMO will have to permanently filter out the older user agents and force them to upgrade. If you choose to spoof your UA instead of patching, then you're being dumb.
I think that what bothers me the most is that this bug isn't the fault of UMO, but we get punished for it. And there's nothing I can do about it. I feel so powerless.

