Free Republic

To: All
Here is the primary source article for the claim above:

I have found a fundamental security problem with Firefox updates on OS X.

Simply put, if you run as a non-admin user on OS X (which is the sensible thing to do), Firefox grays out the Check For Updates menu item, and certainly doesn’t do any automatic notification of security updates, so you can go for days, weeks or even months without realising that an important security update has been released.

Investigation shows that Firefox only enables Update Checking when you have write access to the Firefox application. This completely misses the point that any mildly security conscious person will do their daily work in a non-privileged account. Heaven help those home users who know nothing about security!

This also begs the question "Do the Firefox folks know their arse from their elbow when it comes to security?"

Yes folks, I am quite angry about this, because I was left exposed myself. Fortunately my use of Firefox is fairly minimal. Lucky me - I would really like to know how many folks got pwned because of this one?

I have pointed out this flaw over at Secure IT Foundation, and the answer I received states that it's also a problem for non-admin Windows users. They responded with this interesting idea:

...Firefox should be managed as part of a home security policy like the Secure IT Foundation’s Home Computer Policy which includes patching on a regular / urgent basis.

This is also an issue for Ubuntu users, so I suspect it applies to other Unix/Linux variants.

The evidence to date says that at least 3 platforms are affected:

  • MS Windows
  • Linux
  • OS X

The only workaround I can think of on OS X is to keep your eye on the IT news, and log in to a suitably privileged account to check out the availability of Firefox security updates.

Update: A Solaris sysadmin has just informed me that Firefox updates are catered for by the Solaris software update system.

Firefox from a privileged account can have problems too

I forgot to mention the scenario below, which is where I first encountered the problem.

  1. I originally installed Firefox under privileged account User 1.
  2. As part of a spring cleaning exercise, I created a new account User 2 with privileged status and demoted User 1 to non-privileged status.
  3. I created another non-privileged account User 3 for my daily work.

The result of this was that Firefox.app was owned by User 1, therefore my privileged account User 2 didn't have write access to it. Firefox in its wisdom decided from this to disable Update Checking for User 2, and I went for a while without any Firefox updates.


3 posted on 08/17/2009 2:59:32 AM PDT by Swordmaker (Posted using my iPhone!)
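An added example, not part of the original post and not Firefox's own code: a small audit of who can write to an application bundle under plain POSIX mode bits, replaying the User 1 / User 2 / User 3 scenario from the post above. The function names, uids, gids and modes are constructed for illustration, and ACLs are assumed to be absent.

```python
import os
import stat
import sys

def writable_by(mode, owner_uid, owner_gid, uid, gids):
    """POSIX write check on plain mode bits; ACLs are ignored (assumption)."""
    if uid == 0:
        return True                        # root bypasses the mode bits
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)   # owner class is decisive
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)   # group class, only for non-owners
    return bool(mode & stat.S_IWOTH)

def audit_bundle(path, uid=None, gids=None):
    """Say whether uid (default: current user) can write to the bundle directory."""
    uid = os.geteuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getegid()} if gids is None else set(gids)
    st = os.stat(path)
    return {
        "owner_uid": st.st_uid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "can_write": writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids),
    }

# Constructed ids for the three accounts in the post; not real values.
USER1, USER2, USER3 = 501, 502, 503
STAFF, ADMIN = 20, 80
GROUPS = {USER1: {STAFF}, USER2: {STAFF, ADMIN}, USER3: {STAFF}}

def scenario(owner_gid, mode):
    """Who can write to a bundle owned by User 1 with this group and mode?"""
    return {u: writable_by(mode, USER1, owner_gid, u, g) for u, g in GROUPS.items()}

if __name__ == "__main__":
    # As in the post: owned by User 1, no group write. Admin User 2 is locked out.
    print(scenario(STAFF, 0o755))
    # Group-writable by the admin group: User 2 can write, User 3 still cannot.
    print(scenario(ADMIN, 0o775))
    for path in sys.argv[1:]:
        print(path, audit_bundle(path))
```

Being an administrator does not by itself grant write access to a bundle another account owns; only the owner, group and mode bits on the bundle decide it, which is why the demoted User 1 remains the only account able to write.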


To: Swordmaker

Reads like FUD at the least, idiocy at worst to me. I’ve run Firefox under a myriad of situations; admin, regular user, etc on my Mac and on my winders machines without ever seeing the Check for Updates grayed out.


4 posted on 08/17/2009 3:53:52 AM PDT by TheStickman

To: Swordmaker

My “automatically check for updates to... Firefox” is grayed out (running unprivileged on Ubuntu). It is however checked, so presumably updates will be checked for. The other two “Installed Add-ons” and “Search Engines” were not grayed out, so I unchecked them (I want as few update checking thingies as possible).


6 posted on 08/17/2009 4:24:54 AM PDT by palmer (Cooperating with Obama = helping him extend the depression and implement socialism.)

To: Swordmaker
I would really like to know how many folks got pwned because of this one?

I would wager that the huge number is something just a bit less than 0.

16 posted on 08/17/2009 7:29:01 AM PDT by TheBattman (Pray for our country...)
