Firefox Automatic Update

Dan Morrill By Dan Morrill
Expert Author
Article Date:

Firefox automatic update might be something security folks need to watch out for when they automatically update.

Most companies do not want employees to automatically update their software, they usually have some kind of patch management system that allows them to push patches to the clients across the enterprise in either staggered or depending on size, all at once. Firefox though has an automatic update cycle for their extensions that need to fall under patch management process, and might not be able to.

By design, each Firefox extension — any of a number of free software applications that can be added to the popular open-source browser — is hard-coded with a unique Internet address that will contact the creator’s update server each time Firefox starts. This feature lets the Firefox browser determine whether a new version of the add-on is available. Source: Washington Post

The scenario thought of in the article is the rogue AP in a coffee shop, but given how easy it is to hijack a domain, people who are hosting their own Firefox extensions on their web sites are (depending on their hosting company) more vulnerable in the end for domain hijacking. As well, depending on how often they visit their own web site will show how long this process can work. In fairly short order, a large number of Firefox browsers can be compromised.

This is not new; this is a risk, and a risk that can be taken care of by turning off the automatic update feature in Firefox initially to assess the risk. One quick and dirty solution to the problem for internal network users who have an internal DNS system is to do internal control of the automatic updates, you can set up a staging server and do a quick internal DNS redirect for the extension so that you can test them and then provide them to the internal network clients.

This will not influence systems that are not on the internal network. However, it does require that there be a staging server, and people watch to see which Firefox extensions are updated, test them, and then provide them. These are usually parts of a patch management system, just adding on the complexity of testing browser extensions. This also requires that the company be monitoring for vulnerabilities in the browser and downloading patches.

Good valid hack, with a good valid solution that is worth checking out.


About Dan Morrill
Dan Morrill runs Techwag, a site all about his views on social media, education, technology, and some of the more interesting things that happen on the internet. He works at CityU of Seattle as the Program Director for the Computer Science, Information Systems and Information Security educational programs.

Leave a Reply

Your email address will not be published. Required fields are marked *

  • 160×600
  • Newsletter Signup

    Newsletter Signup

    * Your Email Address:
       First Name:
       Last Name:
  • 336×280