So. Did you hear the one about Firefox 3.5.1.?
Yup. Now available for download. It fixes the security flaw. Like the one before that had a security flaw. And the one before that.
It was expected. There were many performance considerations made with Javascript in 3.5, and sometimes very necessary security mechanisms are accidentally bypassed.
To me, security is more important that speed. Of course, I run NoScript which prevents a lot of Javascript from firing off anyway, except for the sites I whitelist. So I'm not keen on upgrading just for the Javascript performance improvements. I block the majority of Javascript on the Internet.
Of all the criminals I want to see locked up, it is the fellas mucking up the internet I really would love to see staring at the world through iron bars.
Unfortunately most of those "fellas" aren't common criminals. Many of them are actually state-sponsored employees in other nations.
Understand the majority of these people aren't just **** hacking in their basement. **** in their basement are often script kiddies who know little more than where to find hacks to try out. Those people aren't even hackers.
Hackers are people who are very experienced software developers with years of disassembly and other reverse engineering experience. In many cases, the exploits are found legitimately by security experts. A lot of people working in the "grey hat" arena, as part of their job function.
But once the exploits are known, less scrupulous people take that information and create compromises, typically most "black hats." Again, a lot of them aren't westerners and are sometimes even state-sponsored.
At least the 0 day exploits are less common, especially with Firefox which is developed very transparently. I'm not so much worried about the ones we know, but the ones we don't, and the "black hats" don't share. Those are where the 0 day exploits come about, which you really need to worry about.
Intrusion detection is only good at detecting what is known.
