I applied to lead a session on XULRunner in large software projects at the Mozilla Summit. Unfortunately, that proposal was rejected, no talk for me at the summit. Yet there is apparently some interest in the topic, I got messages from two people who won’t be attending the summit asking for slides. I won’t create any slides but I decided to share my thoughts on the topics I wanted to discuss. Having spent the last three years building XULRunner-based applications (first TomTom HOME, now Songbird) I have some experience in this area. Still, this will be necessarily a one-sided view so don’t hesitate to comment.

Apparently, I am not the only one who noticed that the Flash installation experience has turned from bad to worse. Paul O’Shannessy uses pretty strong language to describe the procedure but I think it is justified. Until recently you could ignore all the bells and whistles and still download the executable which would then install Flash (and only Flash, regardless of the pre-checked crap that you might have forgotten to uncheck). Now you have to install the Adobe DLM extension (never mind that plug-in installation doesn’t usually require a browser restart) and there doesn’t seem to be a way to avoid it. Still wonder why so many people want to see Flash obsoleted by HTML5?

Only two days ago I wrote how browser plugins are the biggest security risk today. And yesterday I experienced first-hand how one would get outdated and insecure plugins installed. I installed Lexware Steuer 2009 (for the German readers: yes, that’s the one you get at Aldi and that always gets good marks in software tests). And then Secunia PSI went berserk warning me about various security threats on my computer. Turned out, this application installed without even telling me: Java Runtime Environment 1.6.0 Update 2 (released July 2007, current version is 1.6.0 Update 18), Flash Player ActiveX 9.0.124.0 (released April 2008, current version is 10.0.42.34), MSXML 4.0 SP2 (released June 2003, current version is 4.0 SP3).

Uninstalling the first two (luckily unnecessary for the core functionality) and updating the last one (required, the application won’t work with MSXML 6.0) solved the problem for me. However, I wonder how many people didn’t notice the security holes being installed on their computer. Also, somebody who isn’t aware of ever installing Java won’t be inclined to update it either. I wonder whether packaging up applications with outdated libraries is common for software you buy on CD (obviously, I don’t do that very often). While I understand that this software is supposed to be installable/usable without an internet connection (you cannot simply download the latest Java version), is packaging up the most recent versions really too much to ask?

Brian Krebs came across one of those websites throwing a battery of exploits at users and took a close look at its administration page. It lists seven exploits, the two most successful ones being for Adobe Reader and Java, followed by two Internet Explorer exploits. At the far end of the list two Firefox exploits can be found as well. From what I understand, only one Adobe Reader vulnerability was unpatched at that time, all other vulnerabilities have been fixed already. For example, the Java exploit targets a security hole that was closed in December 2008, the exploited Firefox vulnerabilities have been closed in Firefox 1.0.5 and 1.5.0.5 respectively.

So, were the bad guys successful exploiting these ancient vulnerabilities? Looks like it, the Java exploit and the exploit for a 2007 Internet Explorer issue caused quite a few infections. If we look at how the browsers “performed”, we see that roughly 17% of Internet Explorer users were infected. Not very surprising, the infection rate of Internet Explorer 6.0 users was almost twice as high as for Internet Explorer 7.0 users, the infection rate for Internet Explorer 8.0 was even lower then. Clearly, people still using IE6 are unlikely to keep up with patches.

Good news: AMO is finally getting serious about improving security of add-ons. Several bugs that I filed almost a year ago and didn’t have time to follow up on have suddenly seen some movement, even to the point of setting a two weeks deadline to resolve the security issues (thanks, Jorge). Sure, this approach won’t make you new friends and one add-on author preferred to remove his add-ons rather than fix them. But it is really overdue to start enforcing policies.

One particularly sore point are RSS feed reader extensions, every time I look into one I find security issues. In my understanding, an extension that regularly deals with untrusted content from the web should implement two security mechanisms:

Recently I found an application that I wrote more than 10 years ago — atomic orbital viewer. Back then I got interested in the pictures of atomic orbitals you get presented in chemistry class, found the special-case formulas for electron distribution and generalized them. And then I wrote an application to visualize these orbitals. Since I didn’t have access to 3D hardware or even literature on 3D graphics I ended up reinventing everything — yes, I used to have that kind of time back then. What came out was a Turbo Pascal (DOS) application where I’ve written almost everything myself, including low-level mouse handling and GUI library.

The big surprise was that this application still more or less worked under Windows XP – if you don’t count occasional stripes in the picture and the cases where it crashed taking down the entire system (probably side-effects of a non-standard VESA graphics driver). Not so much under Windows Vista, it no longer supports graphical DOS applications. Still an application that I would like to have around, so time to reimplement things from scratch. And what’s the technology of choice these days? WebGL! Taking vlad’s Spore viewer as a starting point, it still took me something like 10 hours (I’ve never worked with OpenGL and my linear algebra is a little rusty) but the result is much better than the original application. And with some luck it will still be usable in another 10 years and more.

In case somebody noticed that I’ve been pretty quiet recently — many things happened which kept me occupied. In particular, I started a new job yesterday and will now be developing Songbird. I have been following Songbird’s development since the very beginning and even managed to develop one of the first third-party add-ons for it. It is a very interesting project and a great development team so I am really excited about this.

A while ago there was an announcement that the company Xenocode was providing virtualized versions of applications, particularly browsers. While what they provide isn’t real sandboxes (the applications that you run there can still write files to the disk, e.g. if you download something from the web) it is still an easy way of running browsers without having to install them — Xenocode makes sure that from application’s point of view everything that should be there after installation is there. In particular, you can run Internet Explorer 6 and Internet Explorer 7 on the same machine at the same time — no need for complicated registry hacks. Of course, this should only be used for testing websites that are safe, you won’t get security updates for these Internet Explorer instances.

Originally, you could simply download an executable from Xenocode’s website and run it whenever you wanted. Unfortunately, now you have to install a plugin that will download the executable for you. This means in particular that you can no longer run the application if Xenocode’s website is unavailable (e.g. because you don’t have an Internet connection). And the path to the actual executable isn’t even available in page’s source code any more.

Since everybody is talking about Firefox 3.5 demos these days I though that I would dig up one that I created myself in November. It allows selecting areas of complex shape on an image — e.g. countries on a map. This idea didn’t end up being used for anything but somebody else might find it useful.

Ten years ago I already had to solve this problem. How do you present the user with a map and let him choose a country? Back then I ended up using Win32 API and two bitmaps — one to display to the user and a second invisible bitmap to let the application translate clicks into actual countries by checking the color corresponding to the click position. The visible bitmap was static meaning that it wasn’t possible to show the selected country on the map. But that wasn’t necessary anyway back then. And now I had to solve the same problem, this time for the Mozilla platform.

I came across a Venkman “feature” that was so unexpected that I even filed a JavaScript engine bug on it. Only after Gijs Kruitbosch asked me to test with a clean profile I realized that the JavaScript performance issue I was seeing wasn’t inherent to Firefox but rather something the Venkman extension was responsible for. That’s right, Venkman is degrading JavaScript performance just by being installed, even if you don’t use it. I had Venkman installed “just in case” and this was a big surprise to me.

The technical details: any JavaScript debugger for Firefox (be it Venkman, Firebug or my JavaScript Deobfuscator) uses the debugging interface of the JavaScript engine, it merely serves as a user interface for it. Usually the debugging interface is turned off and only switched on when necessary. The reason for this: when the debugging interface is switched on it makes the JavaScript engine do some bookkeeping which has an impact on performance (about 15% on the SunSpider benchmark according to my measurement).