Free Republic
General/Chat

Firefox security problem affects OS X, Windows, Linux
TGDaily ^ | Friday, August 14, 2009 08:36 | TG Daily Staff

Posted on 08/17/2009 2:49:23 AM PDT by Swordmaker

A site claims that there is a "fundamental problem" with Firefox updates using the OS X operating system.

Linux and Windows operating systems are affected too.

Paul Sture says that if you run as a non-admin user on OS X, Firefox grays out the check for updates menu item and doesn't automatically tell you when security updates are available.

Firefox, he says, only allows Update Checking when you have write access to the Firefox application although most people do their daily work on a non-privileged account.

He says he's pointed out the flaw to the Secure IT Foundation.

There are more details here.


TOPICS: Computers/Internet
KEYWORDS: firefox; macfud

Seems to be working fine in my standard user account OSX install that I use to regularly surf the Internet.

I like how these people headline OSX as being flawed, but then add, parenthetically, that Windows and Linux are also affected by the vulnerability.

How about it? Are any of you "grayed out" from updating FireFox? I'm not.

I call it a FUD article on all three platforms!

1 posted on 08/17/2009 2:49:24 AM PDT by Swordmaker
[ Post Reply | Private Reply | View Replies]

To: ~Kim4VRWC's~; 1234; 50mm; 6SJ7; Abundy; Action-America; acoulterfan; Aliska; altair; ...
I think this article is FUD... are any of you seeing your FireFox "Check for updates..." grayed out if you are not an Administrator User? Mine's not. PING!

How about you Windows and Linux users? This guy says it affects ALL...


Mac OSX Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 08/17/2009 2:52:30 AM PDT by Swordmaker (Posted using my iPhone!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: All
Here is the primary source article for the claim above:

I have found a fundamental security problem with Firefox updates on OS X.

Simply put, if you run as a non-admin user on OS X (which is the sensible thing to do), Firefox grays out the Check For Updates menu item, and certainly doesn’t do any automatic notification of security updates, so you can go for days, weeks or even months without realising that an important security update has been released.

Investigation shows that Firefox only enables Update Checking when you have write access to the Firefox application. This completely misses the point that any mildly security conscious person will do their daily work in a non-privileged account. Heaven help those home users who know nothing about security!

This also begs the question "Do the Firefox folks know their arse from their elbow when it comes to security?"

Yes folks, I am quite angry about this, because I was left exposed myself. Fortunately my use of Firefox is fairly minimal. Lucky me - I would really like to know how many folks got pwned because of this one?

I have pointed out this flaw over at Secure IT Foundation, and the answer I received states that it's also a problem for non-admin Windows users. They responded with this interesting idea:

...Firefox should be managed as part of a home security policy like the Secure IT Foundation’s Home Computer Policy which includes patching on a regular / urgent basis.

This is also an issue for Ubuntu users, so I suspect it applies to other Unix/Linux variants.

The evidence to date says that at least 3 platforms are affected:

  • MS Windows
  • Linux
  • OS X

The only workaround I can think of on OS X is to keep your eye on the IT news, and log in to a suitably privileged account to check out the availability of Firefox security updates.

Update: A Solaris sysadmin has just informed me that Firefox updates are catered for by the Solaris software update system.

Firefox from a privileged account can have problems too

I forgot to mention the scenario below, which is where I first encountered the problem.

  1. I originally installed Firefox under privileged account User 1.
  2. As part of a spring cleaning exercise, I created a new account User 2 with privileged status and demoted User 1 to non-privileged status.
  3. I created another non-privileged account User 3 for my daily work.

The result of this was that Firefox.app was owned by User 1, therefore my privileged account User 2 didn't have write access to it. Firefox in its wisdom decided from this that it disabled Update Checking for User 2 and I went for a while without any Firefox updates.


3 posted on 08/17/2009 2:59:32 AM PDT by Swordmaker (Posted using my iPhone!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Reads like FUD at the least, idiocy at worst to me. I’ve run Firefox under a myriad of situations; admin, regular user, etc on my Mac and on my winders machines without ever seeing the Check for Updates grayed out.


4 posted on 08/17/2009 3:53:52 AM PDT by TheStickman
[ Post Reply | Private Reply | To 3 | View Replies]

To: Swordmaker
On this linux (Fedora Core 11) box I'm running on, the option is grayed out.

I strongly disagree with the implication that this is a security issue, however, as the system is set up (by default) to have "root" check for package updates (including installed third-party packages, such as Firefox). It's the main reason to stick with installing via "yum" rather than downloading and compiling on your own -- automated package control.

5 posted on 08/17/2009 4:09:27 AM PDT by kevkrom (Obama: Stuck on "Stupidly")
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

My “automatically check for updates to... Firefox” is grayed out (running unprivileged on Ubuntu). It is however checked, so presumably updates will be checked for. The other two “Installed Add-ons” and “Search Engines” were not grayed out, so I unchecked them (I want as few update checking thingies as possible).


6 posted on 08/17/2009 4:24:54 AM PDT by palmer (Cooperating with Obama = helping him extend the depression and implement socialism.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: kevkrom
And, may I add, the idea that a non-admin user should be able to modify a software package on a multi-user operating system is patently crazy. Sometimes there's a darn good reason for deferring software upgrades, even security updates, and non-admin users shouldn't have the ability to override admin decisions like that.

7 posted on 08/17/2009 6:02:00 AM PDT by kevkrom (Obama: Stuck on "Stupidly")
[ Post Reply | Private Reply | To 5 | View Replies]

To: Swordmaker
How about you Windows and Linux users? This guy says it affects ALL...

Check for updates is greyed out for me in Debian, but I run Swiftfox. It's in my repositories list so it checks for updates every time I update the system, which I do 2-3 times per week.

No worries here.

8 posted on 08/17/2009 6:10:38 AM PDT by CarlosFonke
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker

Linux here, FF 3.5.2, I don’t see an update option. But then I never run it as root, so I can’t say if that option shows up if done so. In fact, all my FF security updates come from the opensuse mozilla repository, and it’s checked with other system and application updates. And those do require root privileges to install.


9 posted on 08/17/2009 6:12:18 AM PDT by AFreeBird
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker
Update: Okay, I found the update option in Linux FF 3.5.2. It's buried in Edit>Preferences>Advanced>Update. As a non root user, it's grayed out.

Like I said, I get all my updates from the repositories, and that's checked by the Yast updater.

10 posted on 08/17/2009 6:21:11 AM PDT by AFreeBird
[ Post Reply | Private Reply | To 2 | View Replies]

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

11 posted on 08/17/2009 6:34:15 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Grayed out for me too...Ubuntu 8.04, Firefox 3.0.13


12 posted on 08/17/2009 6:39:08 AM PDT by shorty_harris
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker
Would this affect Camino on OSX? I checked for updates and it said I was current...

13 posted on 08/17/2009 6:55:50 AM PDT by tubebender (In just two days from today tomorrow will be yesterday...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

On Linux, you generally get updates from your distribution, anyhow. So, this is pretty much a non-issue.


14 posted on 08/17/2009 6:58:00 AM PDT by B Knotts (Calvin Coolidge Republican)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
I like how these people headline OSX as being flawed, but then add, parenthetically, that Windows and Linux are also affected by the vulnerability.

There are a few people who post here (and will probably chime in on this thread) who will do anything to try to tear down Apple - they don't mind lying, misrepresenting, or just plain ignoring facts to do it. I wouldn't be surprised if one of those posters penned that "article".

And no, it does not appear to affect this machine I am on.

15 posted on 08/17/2009 7:27:19 AM PDT by TheBattman (Pray for our country...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
I would really like to know how many folks got pwned because of this one?

I would wager that the huge number is something just a bit less than 0.

16 posted on 08/17/2009 7:29:01 AM PDT by TheBattman (Pray for our country...)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Swordmaker
How about you Windows and Linux users? This guy says it affects ALL...

Running XP Home as many do and have no problems. It just wants me to update from 3.0.13 to 3.5.2 which I won't do for another few months until they have the bugs worked out of 3.5.

I suppose I could log in as a non-administrator and see what happens, but don't have the time to mess with it.

17 posted on 08/17/2009 8:43:46 AM PDT by CedarDave (8/15 Rasmussen poll: 54% of registered voters say NO healthcare reform better than passing Obamacare)
[ Post Reply | Private Reply | To 2 | View Replies]

Mine is ok with the automatic updates as I run in the Admin partition I guess. It's not greyed out, but it took me a bit to find where it is.

It never prompted me to update to 3.5.2 but kept patching the older version or addons. But I'd get an error on my local paper site for certain pages, said I needed to dl 3.5.2.

So I did that, and can read the pages again, mainly weather report.

They finally got the xtra tab like IE8 which I like but I figure some of my addons may not work with the latest version, will just struggle along with it. Also they changed history, and I was using show all, nothing there. It took me a bit to figure out you have to double click in today, yesterday, etc., for all to show.

Probably other changes I haven't noticed yet.

18 posted on 08/17/2009 9:15:47 AM PDT by Aliska
[ Post Reply | Private Reply | To 17 | View Replies]

To: Swordmaker
Not grayed-out here in my non-admin account.

I'm using the latest OS X and the latest Firefox.

Shrug.

I'd check on my WinXP system, but since non-admin accounts are so useless on that OS, it runs as admin.

The article is not just FUD, it's false, incorrect, bogus.

And why is it that when a vulnerability of this sort is alleged, it's always "OMG there's a vulnerability on the Mac!!!! ...and Windows and Linux too..."?

19 posted on 08/17/2009 9:45:44 AM PDT by RightOnTheLeftCoast (I love my country, but I fear it, for it does not love me.)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker

Mine is greyed out on my Win7 box, but not my Ubuntu boxes, nor XP. So, maybe it’s an UAC issue, at least on Windows?

That said, Auto Updates work regardless of which user is logged in. Check yours.


20 posted on 08/17/2009 9:52:58 AM PDT by papasmurf (RnVjayB5b3UsIDBiYW1hLCB5b3UgcGllY2Ugb2Ygc2hpdCBjb3dhcmQh)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Also, I don’t see any mention of versions or if Firefox was installed under Admin rights or user rights.


21 posted on 08/17/2009 9:54:29 AM PDT by papasmurf (RnVjayB5b3UsIDBiYW1hLCB5b3UgcGllY2Ugb2Ygc2hpdCBjb3dhcmQh)
[ Post Reply | Private Reply | To 1 | View Replies]

To: palmer

Firefox updates for Ubuntu come through the update manager, which comes from Canonical. If you check your auto-updates through “about:config”, what does it show there? Mine shows True, but the updates always come from the update manager.


22 posted on 08/17/2009 10:01:14 AM PDT by papasmurf (RnVjayB5b3UsIDBiYW1hLCB5b3UgcGllY2Ugb2Ygc2hpdCBjb3dhcmQh)
[ Post Reply | Private Reply | To 6 | View Replies]

To: shorty_harris

Try this.

Open a browser window and type “about:config” (without the quotes) and click I’ll be careful, I promise!

Then type in the address bar there, “app.update.enabled” (without the quotes), and look to the right. That will tell you if the USER can receive the update or not. (double click the line to change the Value)


23 posted on 08/17/2009 10:10:03 AM PDT by papasmurf (RnVjayB5b3UsIDBiYW1hLCB5b3UgcGllY2Ugb2Ygc2hpdCBjb3dhcmQh)
[ Post Reply | Private Reply | To 12 | View Replies]
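
An added example, not part of any post in this thread: a small audit that combines the two conditions discussed above, namely the write-access rule described in the primary source quoted in post 3 and the `app.update.enabled` preference from post 23. It assumes classic Unix permission bits only (ACLs are ignored), and the function names, the stand-in application directory and the sample `prefs.js` are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# prefs.js stores user-set preferences as lines like: user_pref("name", value);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(true|false)\);')

def mode_allows_write(st, uid, gids):
    """Classic Unix permission check: owner bits, else group bits, else other."""
    if uid == 0:                      # root bypasses mode bits
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def read_bool_pref(prefs_path, name):
    """Return True/False for a boolean user_pref, or None if it is not set."""
    try:
        with open(prefs_path, encoding="utf-8") as fh:
            values = [v for k, v in PREF_RE.findall(fh.read()) if k == name]
    except FileNotFoundError:
        return None
    return (values[-1] == "true") if values else None

def audit(app_dir, prefs_path, uid, gids):
    """Report why a given account would or would not see in-app updates."""
    st = os.stat(app_dir)
    writable = mode_allows_write(st, uid, gids)
    pref = read_bool_pref(prefs_path, "app.update.enabled")
    if not writable:
        verdict = "update check greyed out: patch from the owning/admin account or the package manager"
    elif pref is False:
        verdict = "writable, but updates switched off in about:config"
    else:
        verdict = "in-app update check available"
    return {"owner_uid": st.st_uid, "writable": writable, "pref": pref, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample: a stand-in app directory and a one-line prefs.js.
    app = tempfile.mkdtemp(prefix="Firefox.app.")
    prefs = os.path.join(app, "prefs.js")
    with open(prefs, "w", encoding="utf-8") as fh:
        fh.write('user_pref("app.update.enabled", true);\n')
    owner = os.stat(app).st_uid
    print(audit(app, prefs, owner, os.getgroups()))   # the installing account
    print(audit(app, prefs, owner + 1, []))           # a different, non-member account
```

The second call mirrors the "User 1 / User 2" scenario in post 3: an account that does not own the application directory and is not in its group fails the write check, whatever its administrative status.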

To: papasmurf

Mine showed true too, just set it to false, but it didn’t change the grayed out box. Also tried setting update.mode to zero, same thing, no effect on the grayed out checkbox.


24 posted on 08/17/2009 10:42:26 AM PDT by palmer (Cooperating with Obama = helping him extend the depression and implement socialism.)
[ Post Reply | Private Reply | To 22 | View Replies]

To: papasmurf
"app.update.enabled"

Ah, that did the trick. Set that to false, auto-updates checkbox is turned off now (still grayed out). Now I can relax (I hate auto-update).

25 posted on 08/17/2009 10:45:00 AM PDT by palmer (Cooperating with Obama = helping him extend the depression and implement socialism.)
[ Post Reply | Private Reply | To 23 | View Replies]

To: palmer

If it was already greyed out, it won’t change it.

It’s NOT greyed out by default on installation. BUT, if you click it, it WILL grey out, and stay that way. LOL

That’s on FF 3.0.13 on Ubuntu 9.04, which started out as hardy, and upgraded every 6 months.

I just checked my Puppy box, it has SeaMonkey and FF (BonEcho). SeaMonkey and FF both list update notifier=True, and the source as SeaMonkey Project and PuppyOrg, respectively.

I think someone had a bad hair day, maybe they found a Gray hair???


26 posted on 08/17/2009 10:59:19 AM PDT by papasmurf (RnVjayB5b3UsIDBiYW1hLCB5b3UgcGllY2Ugb2Ygc2hpdCBjb3dhcmQh)
[ Post Reply | Private Reply | To 24 | View Replies]

To: kevkrom
And, may I add, the idea that a non-admin user should be able to modify a software package on a multi-user operating system is patently crazy. Sometimes there's a darn good reason for deferring software upgrades, even security updates, and non-admin users shouldn't have the ability to override admin decisions like that.

You are exactly correct. If you have a multi-user system, you still have to be an administrator to that system. So login once in a while as admin and take care of things.

27 posted on 08/17/2009 11:11:23 AM PDT by stripes1776 ("That if gold rust, what shall iron do?" --Chaucer)
[ Post Reply | Private Reply | To 7 | View Replies]
