Firefox security problem affects OS X, Windows, Linux
Posted on 08/17/2009 2:49:23 AM PDT by Swordmaker
A site claims that there is a "fundamental problem" with Firefox updates using the OS X operating system.
Linux and Windows operating systems are affected too.
Paul Sture says that if you run as a non-admin user on OS X, Firefox grays out the check for updates menu item and doesn't automatically tell you when security updates are available.
Firefox, he says, only allows Update Checking when you have write access to the Firefox application although most people do their daily work on a non-privileged account.
He says he's pointed out the flaw to the Secure IT Foundation.
There's more details here.
I like how these people headline OSX as being flawed, but then add, parenthetically, that Windows and Linux are also affected by the vulnerability.
How about it? Are any of you "grayed out" from updating Firefox? I'm not.
I call it a FUD article on all three platforms!
How about you Windows and Linux users? This guy says it affects ALL...
If you want on or off the Mac Ping List, Freepmail me.
I have found a fundamental security problem with Firefox updates on OS X.
Simply put, if you run as a non-admin user on OS X (which is the sensible thing to do), Firefox grays out the Check For Updates menu item, and certainly doesn't do any automatic notification of security updates, so you can go for days, weeks or even months without realising that an important security update has been released.
Investigation shows that Firefox only enables Update Checking when you have write access to the Firefox application. This completely misses the point that any mildly security conscious person will do their daily work in a non-privileged account. Heaven help those home users who know nothing about security!
This also begs the question "Do the Firefox folks know their arse from their elbow when it comes to security?"
Yes folks, I am quite angry about this, because I was left exposed myself. Fortunately my use of Firefox is fairly minimal. Lucky me - I would really like to know how many folks got pwned because of this one?
...Firefox should be managed as part of a home security policy like the Secure IT Foundations Home Computer Policy which includes patching on a regular / urgent basis.
This is also an issue for Ubuntu users, so I suspect it applies to other Unix/Linux variants.
The evidence to date says that at least 3 platforms are affected:
- MS Windows
- OS X
The only workaround I can think of on OS X is to keep your eye on the IT news, and log in to a suitably privileged account to check out the availability of Firefox security updates.
Update: A Solaris sysadmin has just informed me that Firefox updates are catered for by the Solaris software update system.
Reads like FUD at the least, idiocy at worst to me. I’ve run Firefox under a myriad of situations; admin, regular user, etc on my Mac and on my winders machines without ever seeing the Check for Updates grayed out.
I strongly disagree with the implication that this is a security issue, however, as the system is set up (by default) to have "root" check for package updates (including installed third-party packages, such as Firefox). It's the main reason to stick with installing via "yum" rather than downloading and compiling on your own -- automated package control.
My “automatically check for updates to... Firefox” is grayed out (running unprivileged on Ubuntu). It is however checked, so presumably updates will be checked for. The other two “Installed Add-ons” and “Search Engines” were not grayed out, so I unchecked them (I want as few update checking thingies as possible).
Check for updates is greyed out for me in debian, but I run Swiftfox. It's in my repositories list so it checks for updates every time I update the system, which I do 2-3 times per week.
No worries here.
Linux here, FF 3.5.2, I don’t see an update option. But then I never run it as root, so I can’t say if that option shows up if done so. In fact, all my FF security updates come from the opensuse mozilla repository, and it’s checked with other system and application updates. And those do require root privileges to install.
Like I said, I get all my updates from the repositories, and that's checked by the Yast updater.
Grayed out for me too...Ubuntu 8.04, Firefox 3.0.13
On Linux, you generally get updates from your distribution, anyhow. So, this is pretty much a non-issue.
There are a few people who post here (and will probably chime in on this thread) who will do anything to try to tear down Apple - they don't mind lying, misrepresenting, or just plain ignoring facts to do it. I wouldn't be surprised if one of those posters penned that "article".
And no, it does not appear to affect this machine I am on.
I would wager that the huge number is something just a bit less than 0.
Running XP Home as many do and have no problems. It just wants me to update from 3.0.13 to 3.5.2 which I won't do for another few months until they have the bugs worked out of 3.5.
I suppose I could log in as a non-administrator and see what happens, but don't have the time to mess with it.
It never prompted me to update to 3.5.2 but kept patching the older version or addons. But I'd get an error on my local paper site for certain pages, said I needed to dl 3.5.2.
So I did that, and can read the pages again, mainly weather report.
They finally got the xtra tab like IE8 which I like but I figure some of my addons may not work with the latest version, will just struggle along with it. Also they changed history, and I was using show all, nothing there. It took me a bit to figure out you have to double click in today, yesterday, etc., for all to show.
Probably other changes I haven't noticed yet.
Mine is greyed out on my Win7 box, but not my Ubuntu boxes, nor XP. So, maybe it’s a UAC issue, at least on Windows?
That said, Auto Updates work regardless of which user is logged in. Check yours.
Also, I don’t see any mention of versions or if Firefox was installed under Admin rights or user rights.
Firefox updates for Ubuntu come through the update manager, which comes from Canonical. If you check your auto-updates through “about:config”, what does it show there? Mine shows True, but the updates always come from the update manager.
Open a browser window and type “about:config” (without the quotes) and click I’ll be careful, I promise!
Then type in the address bar there, “app.update.enabled” (without the quotes), and look to the right. That will tell you if the USER can receive the update or not. (double click the line to change the Value)
Mine showed true too, just set it to false, but it didn’t change the grayed out box. Also tried setting update.mode to zero, same thing, no effect on the grayed out checkbox.
Ah, that did the trick. Set that to false, auto-updates checkbox is turned off now (still grayed out). Now I can relax (I hate auto-update).
If it was already greyed out, it won’t change it.
It’s NOT greyed out by default on installation. BUT, if you click it, it WILL grey out, and stay that way. LOL
That’s on FF 3.0.13 on Ubuntu 9.04, which started out as hardy, and upgraded every 6 months.
I just checked my Puppy box, it has SeaMonkey and FF (BonEcho). SeaMonkey and FF both list update notifier=True, and the source as SeaMonkey Project and PuppyOrg, respectively.
I think someone had a bad hair day, maybe they found a Gray hair???
You are exactly correct. If you have a multi-user system, you still have to be an administrator to that system. So login once in a while as admin and take care of things.
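The three things this thread checks by hand (write access to the Firefox application directory, the `app.update.enabled` preference from about:config, and whether the distribution's package manager delivers Firefox) can be combined into one audit. This is an added example, not part of any post above and not Mozilla's code. The function names, the result labels, the sample `prefs.js` text and the assumption that an unset `app.update.enabled` means enabled are all illustrative.

```python
import os
import re

# Matches profile prefs.js lines such as: user_pref("app.update.enabled", false);
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample of a profile's prefs.js (not taken from a real profile).
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("app.update.mode", 0);
user_pref("browser.startup.homepage", "about:blank");
'''

def read_user_prefs(prefs_text):
    """Parse prefs.js text into a dict of pref name -> bool, int or str."""
    prefs = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue  # comments and anything that is not a user_pref() call
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit_update_path(app_dir, prefs_text, managed_by_package_manager):
    """Say how this user's Firefox gets security updates, if at all."""
    prefs = read_user_prefs(prefs_text)
    # Assumption: a pref absent from prefs.js is treated as enabled.
    enabled = prefs.get("app.update.enabled", True)
    # The condition the blog post describes: the updater is only offered
    # when the current user can write to the application directory.
    writable = os.access(app_dir, os.W_OK)
    if managed_by_package_manager:
        return "package-manager"   # yum / apt / YaST updates it as root
    if writable and enabled:
        return "self-update"       # built-in updater can run for this user
    return "no-update-path"        # nothing will patch it for this user

if __name__ == "__main__":
    # Sample path; pass the real install location on the machine audited.
    print(audit_update_path("/Applications/Firefox.app", SAMPLE_PREFS, False))
```

A result of `no-update-path` is the case the original blog post worries about: a non-privileged account with no package manager covering Firefox, where someone has to log in with a privileged account to patch it.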