LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Firefox 1.0.1 and automatic updates

[Posted March 2, 2005 by corbet]

The Firefox 1.0.1 release was announced on February 24. As expected, this release had a fix for the IDN spoofing vulnerability which did not actually disable international domain names; instead, such names are mangled into punycode and presented to the user in that form. Various other security-related problems were also fixed in 1.0.1.

One of Firefox's features is automatic updates: the browser can phone home to find out whether an updated version has been released and, if so, offer an upgrade to the user. Many people have been surprised that the automatic update mechanism apparently did not work with 1.0.1. Instead, they had to notice some other way that a new version was available and download it themselves. Not, perhaps, the best example of how Firefox can respond to security issues.

It turns out that a couple of problems were at work here. The first is that the Mozilla Project's infrastructure simply wasn't up to trying to update millions of users at once. So the project decided to spread things out. Automatic updates were disabled entirely for a while, then they were turned on for parts of the network at a time. According to Asa Dotzler's weblog, the folks in Argentina and Andorra were the first to get their updates, followed by Russia, then, eventually, the rest of the world.

Even then, however, it turns out that only Windows users were offered updates. A bug in the automatic updater rendered it unusable for versions of Firefox running on other operating systems, so it was disabled for non-Windows users. And that is why most readers of this page, likely as not, never saw an update notification.

Now was a good time for this sort of shakedown of the Firefox update system. There were real security problems to fix, but none of them were screamingly urgent. Sooner or later, there will be a vulnerability for which a rapid update is required. Hopefully, by then, the infrastructural issues and update system glitches will have been ironed out.

(Log in to post comments)

Firefox 1.0.1 and automatic updates

Posted Mar 3, 2005 8:34 UTC (Thu) by evgeny (guest, #774) [Link]

> it turns out that only Windows users were offered updates.

The pro-windows direction of the development of Firefox is really worrying. Have you noticed that in the list of extensions available the "OS" selector chooses "Windows" by default (switching according to User-agent was obviously an unmountable task after being exhausted on PR campaigns)!?

Firefox 1.0.1 and automatic updates

Posted Mar 3, 2005 9:16 UTC (Thu) by ppedroni (subscriber, #6592) [Link]

> The pro-windows direction of the development of Firefox is really worrying.

Why? It's the Windows environment that needs some better browser than IExploder, and that's where Firefox must be pushed. On GNU/Linux, MacOSX, etc. there is already plenty of choice and several good browsers.

Firefox 1.0.1 and automatic updates

Posted Mar 3, 2005 16:49 UTC (Thu) by hackerb9 (guest, #21928) [Link]

> The pro-windows direction of the development of Firefox is really worrying.

I'm not too worried. As mentioned below, GNU/Linux distros seem to handle security updates just fine without every application having to write separate code for it.

I suspect that the motivation for the automatic update feature in Firefox is to work around deficiencies in Microsoft Windows. I've heard that MS Windows can update itself with security patches, but I wonder if that includes patches for third-party applications. Anyone know?

-Ben

Firefox 1.0.1 and automatic updates

Posted Mar 3, 2005 17:01 UTC (Thu) by evgeny (guest, #774) [Link]

> I'm not too worried. As mentioned below, GNU/Linux distros seem to handle security updates just fine without every application having to write separate code for it.

I don't care about these automatic updates either. It's just one of a few (I mentioned another one and can add a couple more) signs of windows becoming platform #1 in the firefox development. That's what annoys me.

Firefox 1.0.1 and automatic updates

Posted Mar 17, 2005 22:57 UTC (Thu) by turpie (guest, #5219) [Link]

It was a bug! They disabled it for now because it didn't work for the non-windows platforms. Why do you assume it wont be fixed in a later version?

Firefox 1.0.1 and automatic updates

Posted Mar 3, 2005 11:20 UTC (Thu) by alex (subscriber, #1355) [Link]

I'm not sure how the auto-update feature is meant to work when I run my browser as a unprivilged user. I know some things are tweakable with .xpi extensions but core problems in the browser?

Besides I prefer my system to be kept upto date by my distro package managment which will roll its own version in due course. I'm not overly worried.

Firefox 1.0.1 and automatic updates

Posted Mar 3, 2005 16:42 UTC (Thu) by hackerb9 (guest, #21928) [Link]

I agree. I trust Debian's package management system to handle basic security for all the applications on my GNU/Linux box. That's one of big benefits of Free software.

I wouldn't mind Firefox alerting me that a security update is needed. It might be a good reminder to run 'apt-get update; apt-get dist-upgrade'.

But I don't want any arbitrary application asking for root privileges, even if only to overwrite its own binary. Can you imagine the security nightmares that would cause?

-Ben

Firefox 1.0.1 and automatic updates

Posted Mar 3, 2005 23:15 UTC (Thu) by mongre26 (guest, #4224) [Link]

Hehe, you are right, allowing a regular user application like a web browser access to the most priviliged components of a system is tantamount to a security nightmare...wait...that is exactly how windows works. :(

That simple level of security, afforded to all MacOSX and Linux users is completely foreign in the "run as administrator account" paradigm of Windows.

Automatic updates in the browser are less important for MacOSX and Linux users since their security updates come in the form of an automated package system that downloads, resolves dependencies and installs the required changes seemlessly and generally without problems. MacOSX of course like windows is limited to a much smaller space of programs than Linux given that Apple only supports what it ships, which is a lot less than a standard linux distro. However at least MacOSX makes you enter your admin password before it goes nuts.

It is great the updater is looking positive for Windows. For Linux we already have a great system.

~$ su -
...
~# <insert favorite tool here> update

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds