Maximum PC JavaScript RSS Feed

Mozilla Launches Jetpack Gallery for Firefox, Offers No-Restart Add-ons

Pulkit Chandna — Thu, 12 Nov 2009 18:44:14 -0600

Mozilla today unveiled the Jetpack Gallery, a place for developers to showcase their Jetpack add-ons. Jetpack is a Mozilla Labs project that lets developers build Firefox add-ons using HTML, CSS, and JavaScript. While the newly launched gallery – still in beta - gives developers the opportunity to host and promote their Jetpacks, it lets Firefox users browse, install and rate Jetpacks. Installing Jetpacks is quite easy and doesn’t even require a browser restart, save for the very first Jetpack that a user installs. The Jetpack Gallery currently features over 30 add-ons.

Mozilla Releases Firefox 3.5.4 Patch to Fix 16 Vulnerabilities

Bart Salisbury — Wed, 28 Oct 2009 14:35:12 -0500

Clearly there is nothing that hackers won’t go after in the attempt to monkey about with your computer’s innards. Any opening, no matter how insignificant, needs to be closed before it can be exploited. With this in mind Mozilla today released an update to Firefox, upping its version to 3.5.4, that patches 16 weaknesses, eleven of which are critical.

Hackers were busy on the obvious: the browser engine, JavaScript, and open-source media libraries; as well as the less obvious: the GIF color map parser and the string-to-number converter. In its security advisory, Mozilla reports: “Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.”

Mozilla notes that the JavaScript vulnerabilities can cause browser crashes. Those not able or unwilling to upgrade are recommended to turn JavaScript off.

If you’re still hanging out in Firefox 3 you’ve also got a security patch waiting for you. Version 3.0.15 was released, addressing nine problems, four of which Mozilla tagged as critical.

Image Credit: Mozilla

Murphy's Law: Mozilla Crowdsources Open Source

David Murphy — Thu, 27 Aug 2009 15:30:20 -0500

It sounds like Buzzword Bingo, but a new Mozilla Labs project is applying an open-source, crowd-sourced routine to solve common Web developer issues. The program's called TestSwarm, and I must confess, it's a novel idea for increasing a developer's ability to test out new JavaScript framework on a variety of browsers at once. And the fact that this an open-source project is cooler still: Aspiring testers can load the framework onto their own servers and set up their own test routines at will.

TestSwarm was developed by one of the Mozilla Foundation's JavaScript Tool Developers, John Resig, to deal with the scalability issues that factor into JavaScript code testing. To Resig, the proper testing platform includes at least five different browsers split into 12 total versions per operating system. Although he doesn't go into this length in his example, you should triple that number to factor in the Windows XP, Windows Vista, and Windows 7 operating environments.

Factor these (now) thirty-six tests against an average of ten test suite iterations--a minimum number of variances that Resig runs in a common jQuery testing environment. That's three hundred and sixty runs for every test you create, more if you're expanding to include OSX and Linux platforms. And did I mention that the best results tend to occur when actual human beings are behind the testing instead of some automated attempt at user interaction? Yeaaaah...

So how did Resig address this grand problem of JavaScript testing scalability? You should know--you're a part of the solution, after all.

To a user, the TestSwarm client just simply works. When you load up the page, the program checks to see what browser you're using and determines whether it's one that is needed for a round of tests. If so, TestSwarm pops up a little window and asks you for your help. If you choose to enter a username and agree to join the fun, you're placed in a holding queue. The TestSwarm client checks for new tests to run on your machine over a set interval of time. If a particular test screws up, a detailed note is sent back to TestSwarm to help developers identify the root cause of the issue. They also receive a giant color-coded chart that shows off the different tests and browser permutations, as well as a visual representation of tests that succeeded, succumbed to minor errors, or completely fell apart.

As a concept, I think TestSwarm is an awesome way to go about using the power of a community to spare one poor person (or a group of people/suckers) from having to run an absurd amount of test iterations in the name of usability. It's analogous to the successful efforts one sees from the many distributed computing applications floating around the Internet. And just as there seems to be an infinite number of [subject]@home distributed programs, I would kill anywhere from three to six people to get a variant of TestSwarm themed for CSS/HTML checks. Instead of looking for faults in JavaScript runs, the client could load up a target Web page into a connected user's browser, find some way to finagle a screenshot or otherwise record the look of the page, and email that back to the original developer. Gone are the hours spent checking the look of a single page across squillions of platforms.

It's an awesome idea--at least, I think so. But what do users get for their contributions to either TestSwarm or the now-aptly named TestMurph?

Such is a question that invariably arises whenever I think of distributed computing applications or, really, even the open-source world in general. The two travel down similar paths in this regard. In distributed computing, you're contributing to an effort larger than yourself for (mostly) bragging rights and respect among your Internet peers. The same holds true for TestSwarm. While I don't necessarily mind helping some dude test out his JavaScript, am I going to open up a tab for the TestSwarm loading area every time I start a version of Firefox? Not really.

Sure, Resig could turn TestSwarm into a downloadable application that launches browser windows during your computer's idle time. But that's a pretty hefty amount of code spread across multiple operating systems, not to mention an increased amount of steps and potential annoyances for users looking to help out. It's a catch-22 if I ever heard one: To increase TestSwarm's popularity and applicability, one has to increase the program's complexity and user interactivity. But unless TestSwarm is exposed to as many permutations of browsers, operating systems, and setups as possible, the entire point of the platform dies away.

To his credit, Resig has opened the doors with an innovative idea for online testing that's sure to be replicated, modified, and distributed in the days to come. In fact, there's been a bit of interest in corporate versions of TestSuite, which bodes well for future TestSwarm spin-offs. I just hope that, for all his work and creativity, the single variable out of Resig's control doesn't ultimately prove to be the suite's undoing. Were there only some equally innovative way to encourage the adoption of the experiment by its chief guinea pigs--that's the real question here.

David Murphy (@ Acererak) is a technology journalist and former Maximum PC editor. He writes weekly columns about the wide world of open-source as well as weekly roundups of awesome, freebie software. Befriend him on Twitter, especially if you have an awesome app or game you're dying to recommend!

Privacy Shmrivacy, Web2.0collage.com Knows Where You've Been

Paul Lilly — Wed, 22 Jul 2009 10:21:00 -0500

Think your browsing history is secure from prying eyes so long as you never leave your PC unattended? Think again. A new site, Web2.0collage.com, digs through your browser's history and then constructs a collage of the web2.0 websites that you've visited.

"Web2.0collage.com mixes art and technology to raise privacy concerns," the site states on its homepage. "Many of us consider our browser history to be private, but that is no longer the case. Any website you visit can determine your browser history by exploiting the very features designed to enhance your Internet experience, a fact many people are not aware of."

Web2.0collage.com works its artistic magic by using JavaScript and them assembling the pieces together in a collage of thumbnails. What you do with it is up to you -- the site links to Zazzle.com to give you some ideas -- but if you're concerned about who's snooping your browser history, you should probably start by clearing your cache.

Mozilla Fesses Up to a Critical Vulnerability in Firefox 3.5

Pulkit Chandna — Wed, 15 Jul 2009 19:21:58 -0500

Mozilla has confirmed the presence of a critical vulnerability in Firefox 3.5. The vulnerability is nestled in the browser’s Just-in-time (JIT) JavaScript compiler – part of the new TraceMonkey engine – and can be used to execute malicious code. Hackers may lure gullible Firefox 3.5 users to websites containing code meant to exploit the flaw. While Mozilla burns the midnight lamp in finding a solution, you can simply disable the JIT. However, it must be noted that disabling the JIT will have an adverse effect on JavaScript performance.

Image Credit: FavBrowser

How To Protect Yourself from Newly Discovered "Critical" JavaScript Vulnerability in Firefox 3.5

Paul Lilly — Wed, 15 Jul 2009 13:30:11 -0500

According to Mozilla, a bug was discovered last week in Firefox 3.5's Just-in-Time JavaScript compiler and was disclosed publicly on Monday. Mozilla classifies the vulnerability as "critical," saying it can be used to execute malicious code. More specifically, by exploiting the bug, a hacker could trick a victim into viewing a malicious website containing the exploit code.

"This vulnerability is due to an error in the way JavaScript code is processed," the US-CERT acknowledged. "Exploitation of this vulnerability may allow an attacker to execute arbitrary code. Additionally, exploit code is publicly available for this vulnerability."

While Mozilla said it is currently working on a fix, Firefox 3.5 users don't have to be sitting ducks. Mozilla says the vulnerability can be mitigated by disabling the JIT in the JavaScript engine, which you can accomplish by doing the following:

Enter about:config in the browser's location bar
Type jit in the Filter box
Double-click the line containing javascript.options.jit.content and set the value to false

Mozilla warns that this is a temporary fix and will reduce JavaScript performance. Once an official fix has been put in place, you'll want to go back in and change the value back to true.

If you'd rather not mess around with about:config settings, you can still disable JIT by running Firefox in Safe Mode, which is accessible from the Mozilla Firefox folder.

Murphy's Law: Is a Firefox 3.5 Really That Fast?

David Murphy — Wed, 01 Jul 2009 12:45:58 -0500

Happy day-after-Firefox-release day. If you're one of the 3.2 million Americans to download the latest release of the browser as of this column's writing, congratulations. You, like your peers, have recognized the value of upgrading to faster and better technology products! If that sounds weird, that's the point. It should. According to Net Applications, around twenty percent of users (out of a survey sample of around 160 million people) still use an older version of a Web browser, be it Internet Explorer 6, Firefox 2, or either Safari 3.1 or 3.2. You are not among them; I salute thee.

You've probably read a lot of marketing in the last 24 hours about how fast, awesome, and packed-full of features the new Firefox 3.5 release is. Since you've had a chance to play with the release candidate of this latest upgrade starting in early June, this shouldn't come as much of a surprise. But let's cut through the press release and examine the real facts: Just how much faster is Firefox 3.5 over its browser brethren? Has Mozilla's newest TraceMonkey JavaScript engine delivered a princess or a barrel?

Yes and no.

If we're just considering a Firefox-only universe then, yes, the browser's performance is quite an improvement over its predecessor 3.0.11 release. You can partially thank Adobe for that. Mozilla interwove the company's just-in-time compiler nanojit, released as open-source in 2006, alongside a new tracing system to create Firefox's new JavaScript engine. Without getting too technical, the tracing engine streamlines Firefox's operations by recording the path that frequently accessed JavaScript code takes through an interpreter. It then compiles this trace into native code, which can be called up and duplicated faster than passing the code through the interpreter once again.

The industry-standard SunSpider JavaScript benchmark attempts to highlight differences in browser performance by running through a series of real-world use patterns. More than that, the program runs through enough iterations of the tests to calculate a measurement of the run's statistical significance--a determination of the accuracy of your results and their validity for real-world comparisons. Using this very benchmark, Harry McCracken of Technologizer notes that Firefox 3.5 delivers a performance improvement that's 2.4 times faster than Firefox 3.0.11. But Google's Chrome 2.0 beta takes the cyber-cake in the end, just squeaking by Mozilla's masterpiece on the benchmark charts.

(+1) Google Chrome

Samara Lynn from ChannelWeb ran her own SunSpider browser evaluation, sticking to Google Chrome, Firefox 3.5, and Internet Explorer 8. Her numbers gave Chrome an advantage of nearly 600 milliseconds, or a 39 percent decrease in time from Firefox 3.5 to Chrome. Internet Explorer 8 sank to the bottom of the listing as if it had a rock tied around its status bar, delivering a time of 8,131.8 milliseconds to Chrome's 924.2 (lower is better).

So who's right? Lynn? McCracken? TGDaily, which puts Chrome's time at 628.4 milliseconds (a 48 percent decrease compared to Firefox 3.5)? Nobody and everybody. While the rankings between the browsers remain the same within these three sites, as well as my own personal comparisons of Firefox and Chrome in SunSpider, the numbers vary depending on the system setup. That makes it a little difficult to decide the close races, especially since TGDaily has Chrome beating out Safari by roughly 60 milliseconds. At least we can all agree that Chrome is faster than Firefox 3.5, right?

(+1) Google Chrome

A similar situation occurs on Futuremark's Peacekeeper browser benchmark. Although TGDaily claims that Chrome won't run it, both Lynn and I received scores when running the program through Google's browser. She has Chrome beating out Firefox 3.5 by a score of 2747 to 1843, a 49 percent speed increase from Firefox 3.5 to Chrome. I found a 55 percent increase in performance on my own benchmark run, with Chrome overtaking Firefox 3.5 to the tune of 3,073 to 1,978. Just for the sake of a good joke, Lynn pegs Internet Explorer's performance on this test at a whopping 675. That's not even half of her recorded score for Firefox.

(+1) Google Chrome

Just to throw one more benchmark in for good measure--because I don't exactly trust Google's Chrome V8 benchmark that suggests Chrome is nine times faster than Firefox 3.5--TG Daily ran one of my favorite evaluations that tests Flash performance in a browser. The run, called Le Crabe, measures how many individual animations your screen can hold before the frames-per-second score dips below a particular amount (25). On this, Firefox 3.5 crushed the competition, holding out for 636 total crabs on TG Daily's setup to Google Chrome's 241. Stranger still, even Internet Explorer itself pulled out of dead last to deliver an impressive second-place performance amongst Firefox 3.5, Safari, and Chrome.

(+1) Firefox 3.5

You made it this far--so which browser is faster? Eh. To really get a sense of how your browser performs, you have to factor in more than just the JavaScript benchmark numbers. What's the memory use of the browser? What kind of content exists on the sites are you hitting up? What's your Internet connection? While these benchmarking tools have allows us to legitimize the differences between Firefox's versions on a functional level, and help highlight the various browsers' abilities in certain areas of rendering, there's no clear-cut winner based on the numbers. After all, it's difficult to weigh certain performance aspects over others. And as you've seen, individual performance characteristics can vary greatly depending on the testing platform. Browser benchmarks are great for comparing version performance--for a big-picture guide, there's just so much more to consider.

Speed up your geek involvement by befriending David Murphy @acererak. He's three-point-five times as fast a twitterer as any other geek, save perhaps Nathan.

Twitter Users Hope Cure for Mikeyy Worm Lasts

Mark Edward Soper — Tue, 14 Apr 2009 18:47:08 -0500

Over Easter weekend, many Twitter fans were getting worms instead of finding Easter Eggs, as the developer of a rival microblogging site (StalkDaily), one 17-year-old Michael "Mikeyy" Mooney, was busy drawing Twitter users to his site by using the so-called "Mikeyy" or "StalkDaily" worm to infect links and Twitter profiles. According to PCWorld and the Twitter status page, the infection has now been brought under control. But inquiring minds want to know, "what happened?" and "how can we stop a future attack?"

Doing a Google search for "Mikeyy" or "TwitterWorm" isn't the best way to find out, though, as the F-Secure security blog points out that fake news sites are being used to infect curious searchers with (unrelated) malware. So what really happened?

Mikeyy/StalkDaily used XSS (Cross-Site Scripting) and CSRF (Cross Site Request Forgery) attacks (we've discussed XSS a number of times here at MaximumPC.com). Website developer and Twitter expert Lynne Pope offers an excellent analysis of how the Mikeyy/StalkDaily attacks worked, and how you can protect yourself from similar exploits in the future:

The very first thing you must do to protect yourself is this - do not browse to any sites while logged on to another site. Leaving authentication cookies exposed is dangerous. Log off, then navigate away.

Ms. Pope also recommends:

Firefox fans should use NoScript to prevent scripts from running without explicit permission.
Use the Hosts file to block domains pointed to by malware.
Use tools available at LongURL.org to determine where short URLs are actually pointing to (Mikeyy/StalkDaily used bit.ly and tinyurl.com to conceal the actual websites used for spreading the worm).

Were you affected by the Mikeyy/StalkDaily worm? Hit Comment and tell us your war stories.

Maximum PC JavaScript RSS Feed

Mozilla Launches Jetpack Gallery for Firefox, Offers No-Restart Add-ons

Mozilla Releases Firefox 3.5.4 Patch to Fix 16 Vulnerabilities

Murphy's Law: Mozilla Crowdsources Open Source

Privacy Shmrivacy, Web2.0collage.com Knows Where You've Been

Mozilla Fesses Up to a Critical Vulnerability in Firefox 3.5

How To Protect Yourself from Newly Discovered "Critical" JavaScript Vulnerability in Firefox 3.5

Murphy's Law: Is a Firefox 3.5 Really That Fast?

(+1) Google Chrome

(+1) Google Chrome

(+1) Google Chrome

(+1) Firefox 3.5

Twitter Users Hope Cure for Mikeyy Worm Lasts

Twitter logo courtesy of a MESS of commentary.