Firefox Updates

For the third time in the past 30 days, there is a Firefox update including security fixes. Firefox 3.0.10 is out.
“And you want to be my latex salesman”

I don't mean to get all Jeff Jones here, but it seems to me there is a bit of tarnish on that “security king” crown that people give to Mozilla.
Software is going to have bugs. I'm glad Mozilla patches them, but more than once a month is getting a bit annoying. It highlights a problem that Mozilla doesn't seem to care about: enterprise patch deployment.
Mozilla loves to brag that their users apply patches. That's the problem: you've got to use it to get prompted to update it. Even then, the end user may turn off checking for updates.
Currently, to get Firefox/Thunderbird updates to occur, I can either pray, send out emails, or use NAC to block their access to the network until Firefox is patched.
I can't believe I'm saying this, but Quicktime and JAVA may have the better idea. JAVA has an always-running updater process. I believe Quicktime (via Apple Software Updater) is using Scheduled Tasks.
I'd love to just be able to use a logon script or NAC to run C:\program files\Mozilla Firefox\updater.exe, which would then prompt the user if a Firefox update was necessary. I've searched the Internet to see if this is possible. So far no dice.
Share your thoughts on keeping Firefox updated in the enterprise in the comments.

2 Comments

  1. If a user has FF installed but never uses it (and presumably it’s not the default browser), it won’t get updated. So what? Code has to run to be vulnerable.
    I think Sun wants Java to update all the time because installing browser toolbars is probably their most reliable revenue stream.
    You can probably get some hints on using updater to do your bidding from http://hg.mozilla.org/mozilla-central/file/5a8a199bd62a/toolkit/mozapps/update/src/updater/updater.cpp around line 1219. By the looks of it you give it the path to the .mar file from ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/3.0.10/update/win32/en-US/ and the pid of the calling process (which it assumes is FF).
    Keep in mind though that updater.exe *installs* the update, it doesn’t check for updates or download them. The check source is at http://hg.mozilla.org/mozilla-central/file/5a8a199bd62a/toolkit/mozapps/update/content/, which is part of the app in chrome/toolkit.jar.
    Seems like it’d be easier to just upgrade users who aren’t current using https://wiki.mozilla.org/Installer:Command_Line_Arguments, although it looks like you’d have to parse application.ini to get the version. (I run nightly builds because I like that kind of pain, so my version numbers look irrelevant.)
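
The version check the commenter describes, written up here as an added example (not code from the post, from Mozilla, or from the commenter): it reads the [App] Version from an application.ini (the sample content below is constructed) and compares it to 3.0.10 using Mozilla-style version ordering, so that 3.0.9 is correctly seen as older than 3.0.10 and a nightly such as 3.1b4pre is handled; the actual installer invocation is left to the wiki page linked above.

```python
import configparser
import re

# Constructed sample application.ini for an out-of-date Firefox 3.0.x install
# (not copied from any real machine).
SAMPLE_APPLICATION_INI = """[App]
Vendor=Mozilla
Name=Firefox
Version=3.0.9
BuildID=2009040821
"""

REQUIRED_VERSION = "3.0.10"  # the release the post is about
_PART = re.compile(r"^(\d*)(.*)$")

def installed_version(ini_text):
    """Return the [App] Version value from application.ini content."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp["App"]["Version"]

def parse_version(version):
    """Split '3.1b4pre' into parts of (number, no-suffix flag, suffix):
    [(3, 1, ''), (1, 0, 'b4pre')]. A suffixed part sorts before the bare
    number, so 3.1b4pre < 3.1 (letters mean pre-release, as in Mozilla's
    rule); suffixes compare lexically, a simplification of that rule."""
    parts = []
    for piece in version.split("."):
        num, suffix = _PART.match(piece).groups()
        parts.append((int(num) if num else 0, 0 if suffix else 1, suffix))
    return parts

def compare_versions(a, b):
    """Return -1, 0 or 1. A plain string comparison gets this wrong:
    '3.0.9' > '3.0.10' as strings, so a naive check would never update."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [(0, 1, "")] * (width - len(pa))  # missing parts count as 0
    pb += [(0, 1, "")] * (width - len(pb))
    return (pa > pb) - (pa < pb)

def needs_update(ini_text, required=REQUIRED_VERSION):
    """True when the installed version is older than the required one."""
    return compare_versions(installed_version(ini_text), required) < 0

if __name__ == "__main__":
    found = installed_version(SAMPLE_APPLICATION_INI)
    action = "run installer" if needs_update(SAMPLE_APPLICATION_INI) else "current"
    print(f"installed {found}, required {REQUIRED_VERSION}: {action}")
```

On a real machine you would read application.ini from the Firefox install directory instead of the embedded sample and, when needs_update() is true, hand off to the silent installer.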

  2. While not as prevalent, there have been URI specific vulnerabilities that can be exploited whether or not the software is used.
    I’m also pretty sure “it’s OK, they don’t use it” is going to be a great answer the next time an auditor asks me about all the unpatched systems.
