MozillaZine

"Automatic check for update" to firefox undermines security?

Discussion of bugs in Mozilla Firefox
hamandeggs
 
Posts: 9
Joined: July 11th, 2009, 3:47 am

Post Posted November 11th, 2009, 6:18 pm

What on earth is the rationale behind the current "automatically check for updates" functionality on windows?
The objective must be to ensure the user's browser is as up to date as reasonably possible, yet to achieve this firefox appears to require the security of the local system be compromised.

There are two steps required to ensure prompt updates:
1 - detect whether there is an update available, which can be done in two ways:
    (i) manually - the user remembers to poll the mozilla website periodically; inevitably they don't check often enough
    (ii) automatically - the browser checks reasonably frequently on the user's behalf. Obviously this is preferred.
2 - apply the update

These are completely separate tasks, yet as I understand it the current firefox logic is that updates can only be automatically checked for if the user also has sufficient local permissions to apply the update.

Which means that just to be notified of an available update either the user has to run firefox as an Administrator, or the permissions on the firefox install must be modified to enable any user to modify it. (http://support.mozilla.com/en-US/kb/Che ... s+disabled)

Neither of those options is great:
running the browser with Administrator privileges gives a successful hack complete access to the entire system; (and presumably every user would need Administrator privileges!)
derestricting access to the installed firefox gives a successful hack complete access to the firefox install, thus compromising all users of the machine, and also the opportunity for any user to inadvertently damage the install.

Surely this should actually work thus:
1 - updates are automatically checked for regardless of user privilege (unless the user deselects the appropriate tools->options checkbox)
2 - if an update is found then the user's options are:
    - if the user has sufficient privilege to apply the update then all possible options are available
      do nothing/apply/download and apply later/whatever
    - if the user does not have sufficient privilege to apply the update the options are:
      - do nothing
      - download, and apply separately (by doing "run as" on the exe)
      - download and apply by temporarily raising privilege (which requires user credential input)

So, what am I missing? Why is the current setup any good?
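The flow proposed in the post above, set beside the gated behaviour it complains about, as an added example that is not part of the original thread and is not Firefox code. The function names, the `Option` values and the scratch-file probe for write access are assumptions made for illustration.

```python
import os
import tempfile
from enum import Enum


class Option(Enum):
    DO_NOTHING = "do nothing"
    APPLY_NOW = "apply"
    DOWNLOAD_APPLY_LATER = "download and apply later"
    DOWNLOAD_RUN_AS = "download, apply separately via 'run as'"
    DOWNLOAD_ELEVATE = "download, apply after credential prompt"


def can_modify(install_dir):
    """Probe write access by creating a scratch file (hypothetical helper)."""
    try:
        with tempfile.TemporaryFile(dir=install_dir):
            return True
    except OSError:
        return False


def decoupled_flow(auto_check, writable, update_available):
    """Proposed behaviour: detection depends only on the user's preference."""
    if not auto_check:
        return {"checked": False, "notified": False, "options": []}
    if not update_available:
        return {"checked": True, "notified": False, "options": []}
    if writable:
        options = [Option.DO_NOTHING, Option.APPLY_NOW, Option.DOWNLOAD_APPLY_LATER]
    else:
        # Privilege is only needed at apply time, never to learn of the update.
        options = [Option.DO_NOTHING, Option.DOWNLOAD_RUN_AS, Option.DOWNLOAD_ELEVATE]
    return {"checked": True, "notified": True, "options": options}


def gated_flow(auto_check, writable, update_available):
    """Behaviour the post describes: no write access means no check at all."""
    if not (auto_check and writable):
        return {"checked": False, "notified": False, "options": []}
    return decoupled_flow(auto_check, writable, update_available)


if __name__ == "__main__":
    # Constructed inputs: a writable scratch dir and a path that cannot be written.
    with tempfile.TemporaryDirectory() as admin_dir:
        limited_dir = os.path.join(admin_dir, "missing")
        for label, path in (("admin", admin_dir), ("limited", limited_dir)):
            w = can_modify(path)
            print(label, "gated:", gated_flow(True, w, True)["notified"],
                  "decoupled:", decoupled_flow(True, w, True)["notified"])
```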

LoudNoise
Moderator

 
Posts: 38459
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Post Posted November 11th, 2009, 7:10 pm

You don't need to be an admin to get the update notices.
Post wrangler
Notice: If you have a comment on moderation, please post here viewtopic.php?f=11&t=2706389 and don't private message a mod. I don't reply to private messages unless I have previously requested them

Bluefang

 
Posts: 7846
Joined: August 10th, 2005, 2:55 pm
Location: Vermont

Post Posted November 11th, 2009, 7:55 pm

A couple things:

- as LoudNoise noted, you will be able to check updates, regardless of your permissions
- the actual program that does the updates is separate from Firefox itself (update.exe)
- only the updater needs elevated permissions
- AFAIK, the elevated permissions only apply to the lifetime of the update process

So the risk from this is fairly minimal.
There have always been ghosts in the machine... random segments of code that have grouped together to form unexpected protocols. Unanticipated, these free radicals engender questions of free will, creativity, and even the nature of what we might call the soul...

hamandeggs
 
Posts: 9
Joined: July 11th, 2009, 3:47 am

Post Posted November 13th, 2009, 3:39 am

LoudNoise wrote:You don't need to be an admin to get the update notices.

Bluefang wrote:A couple things:
- as LoudNoise noted, you will be able to check updates, regardless of your permissions

Why are you so certain that it is supported? as this is not what's stated in that kb article: (http://support.mozilla.com/en-US/kb/Che ... s+disabled)
Firefox may disable software updates if the user you're running Firefox as doesn't have permission to change the Firefox installation directory....
To make Check for Updates... enabled permanently, change the permissions on the Firefox installation directory.

(I'm inferring that the enable/disable of "Check for Updates" menuitem is indicative of firefox's ability to perform a check at all, either automatically or by a user manually selecting that menuitem).

Nevertheless, given your assertions I installed 3.5.2 and experimented:
- I ensured the app.update.* prefs were the same for both users, and reduced the check intervals to 10 secs
- the ordinary user received no update notifications, and also the "check for updates" in the help menu remained greyed out
- the administrator received update notifications, and the "check for updates" menuitem was enabled.

So, a bug that affects all firefox installations?
or a bug that only affects some firefox installations?
or a misconfiguration in some way on my install??



Bluefang wrote:- the actual program that does the updates is separate from Firefox itself (update.exe)
- only the updater needs elevated permissions
- AFAIK, the elevated permissions only apply to the lifetime of the update process

So the risk from this is fairly minimal.

Which would be fine, if only I could get that far!

Bluefang

 
Posts: 7846
Joined: August 10th, 2005, 2:55 pm
Location: Vermont

Post Posted November 13th, 2009, 4:36 am

Try installing the Firefox 3.6 beta. The ability to handle updates as a limited user might have been added after Firefox 3.5 branched for release.

hamandeggs
 
Posts: 9
Joined: July 11th, 2009, 3:47 am

Post Posted November 13th, 2009, 4:17 pm

Bluefang wrote:Try installing the Firefox 3.6 beta. The ability to handle updates as a limited user might have been added after Firefox 3.5 branched for release.

Just tried 3.6beta2 - the "Check for Updates" menuitem is disabled for the limited user :(
With no actual update available I can't be certain whether automatic checking is occurring [see edit below] - is my belief correct that if the "Check for Updates" menuitem is enabled then automatic checking is also enabled?

Why do you think "the ability to handle updates as a limited user might have been added..."? Is this a recognised issue? Is there a bugzilla bug/feature for it?


Edit - watching the traffic with wireshark it was apparent that when running as administrator there were requests to aus2-mozilla-org.geo.mozilla.com every 10 secs or so (as per my prefs settings for test purposes), and no such requests for non-privileged user.

Bluefang

 
Posts: 7846
Joined: August 10th, 2005, 2:55 pm
Location: Vermont

Post Posted November 13th, 2009, 7:02 pm

I stand corrected. I remember reading bugs about this a while back, and while there were check-ins, the feature hasn't yet been completed.

Here are the related bugs (don't comment without reading Bugzilla Etiquette):
https://bugzilla.mozilla.org/show_bug.cgi?id=407875
https://bugzilla.mozilla.org/show_bug.cgi?id=318855

hamandeggs
 
Posts: 9
Joined: July 11th, 2009, 3:47 am

Post Posted November 14th, 2009, 2:20 pm

Thanks for the links to those bugs - can't believe I didn't find them when I searched the first time!
Seeing how long they've been around, and reading some of the comments against them I'm pretty flabbergasted.

"If a non-privileged user was notified of updates on any system including Vista 64 when they don't have write access to the installation directory then it is a bug." just misses the point completely, and that was written by the assignee of bug 407875.

I feel the apparently low priority this has had for years while fancy new features are continually added is so questionable, especially given the way that "security" has been used as part of the browser's sales pitch.
Because actually this policy makes it easy for hackers: simply check through the list of recent security fixes and take advantage of them knowing that huge numbers of users will not have even been notified that an update is available.

On top of that, or maybe part of the problem, is that it seems that the bug has turned into a big complex chunk of work, and has to be delivered as some whizzy shrink-wrapped whole instead of firstly addressing the all important check-for-update-and-do-nothing-except-report-its-availability first (code which clearly already exists), and then incrementally adding whizzy stuff later.

I can't see any point adding further comments to those bugs - it's all been said before.
I've used mozilla stuff for years and I really like firefox, and I'll keep an eye open for this eventually getting fixed, but in the meantime it's time to use something where security is taken seriously.

Robert S.

 
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post Posted November 20th, 2009, 1:54 am

hamandeggs wrote:Thanks for the links to those bugs - can't believe I didn't find them when I searched the first time!
Seeing how long they've been around, and reading some of the comments against them I'm pretty flabbergasted.

I took over the app update component for Firefox 3.5 after the previous owner of it no longer had time to own it. Looking at any individual bug I completely understand why you would be flabbergasted... I get the same way at times when looking from the outside in on projects / organizations / etc. that I don't have details on why things are the way they are. I usually take a step back and give them the benefit of the doubt.

hamandeggs wrote:"If a non-privileged user was notified of updates on any system including Vista 64 when they don't have write access to the installation directory then it is a bug." just misses the point completely, and that was written by the assignee of bug 407875.

It isn't unusual for people that don't work with our bugzilla system to misinterpret statements made in bugzilla. This was in reference to the expected behavior of the code and I believe you took it as the desired behavior of the code. If that was the desired behavior then that bug would have been wontfix'd.

hamandeggs wrote:I feel the apparently low priority this has had for years while fancy new features are continually added is so questionable, especially given the way that "security" has been used as part of the browser's sales pitch.
Because actually this policy makes it easy for hackers: simply check through the list of recent security fixes and take advantage of them knowing that huge numbers of users will not have even been notified that an update is available.

It wasn't a low priority by any means... for example, there was a ton of work to be done to get app update to work on mobile and a couple of crashers that caused an incomplete install of Firefox that were higher priority. I don't deny that there were other bugs I have fixed that were lower priority but many of those were breaks from dealing with the more complicated bugs.

hamandeggs wrote:On top of that, or maybe part of the problem, is that it seems that the bug has turned into a big complex chunk of work, and has to be delivered as some whizzy shrink-wrapped whole instead of firstly addressing the all important check-for-update-and-do-nothing-except-report-its-availability first (code which clearly already exists), and then incrementally adding whizzy stuff later.

I actually was taking that exact approach which is why I didn't wontfix the bug for just reporting the update as available in the first place and why I got ui review and landed strings early so it would be possible to fix.

hamandeggs wrote:I can't see any point adding further comments to those bugs - it's all been said before.
I've used mozilla stuff for years and I really like firefox, and I'll keep an eye open for this eventually getting fixed, but in the meantime it's time to use something where security is taken seriously.

Comments regretfully don't make it so that any developer has more time to fix a bug but they have on occasion made me place a bug higher on my priority list. This one was never low on my list but there were other bugs (especially the crasher and mobile bugs) that were higher along with several bugs where I refactored the code so fixing this bug was much simpler / cleaner.

Anyways, https://bugzilla.mozilla.org/show_bug.cgi?id=407875 "Unprivileged users are not notified of security updates" is fixed for Firefox 3.6.

Gingerbread Man

 
Posts: 7387
Joined: January 30th, 2007, 10:55 am

Post Posted November 21st, 2009, 3:30 am

Robert S. wrote:Anyways, https://bugzilla.mozilla.org/show_bug.cgi?id=407875 "Unprivileged users are not notified of security updates" is fixed for Firefox 3.6.

Is it also possible to update Firefox from a standard user account using Help > Check for Updates (by triggering a UAC prompt in Windows Vista/7 for example)? If not, is that feature likely to be implemented in the near future (Firefox 3.7 or 4.0)?

hamandeggs
 
Posts: 9
Joined: July 11th, 2009, 3:47 am

Post Posted November 21st, 2009, 6:42 pm

<snip>Robert S. very politely telling me I don't know what I'm talking about </snip>

1 - Please understand my comments refer to mozilla/firefox collectively, and absolutely not individual developers. If an important bug needs extra resourcing then so be it; when I refer to "fancy new features" I mean across firefox as a whole, not what's in your individual stack, eg. that awesome [sic] bar is quite nice, but I'll take better security any day.

2 - So my flabbergastedness is down to the fact that:
- this bug has been around for 4 years
- this is basic security and should have been sorted pronto

Great to hear it's in for 3.6.

Robert S.

 
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post Posted November 22nd, 2009, 3:14 am

Gingerbread Man wrote:
Robert S. wrote:Anyways, https://bugzilla.mozilla.org/show_bug.cgi?id=407875 "Unprivileged users are not notified of security updates" is fixed for Firefox 3.6.

Is it also possible to update Firefox from a standard user account using Help > Check for Updates (by triggering a UAC prompt in Windows Vista/7 for example)? If not, is that feature likely to be implemented in the near future (Firefox 3.7 or 4.0)?

That's https://bugzilla.mozilla.org/show_bug.cgi?id=529746. btw: the UAC prompt for standard user accounts is essentially no different than the run as prompt for Win2K and XP or Vista and Win 7 with UAC turned off. So, this would be for all Firefox supported Windows versions.
Last edited by Robert S. on November 22nd, 2009, 3:21 am, edited 1 time in total.

Robert S.

 
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post Posted November 22nd, 2009, 3:18 am

Hey hamandeggs, I don't expect you to understand the ins and outs and in no way did I take offense. I understand the belief that it should just be resourced or as I like to put it throw more bodies at the problem but it typically isn't as simple as that regretfully though I do believe we could do better about addressing serious issues such as this one... another difficulty with this is that not everyone sees the same issues as serious but in this case the majority did see it as serious.

Gingerbread Man

 
Posts: 7387
Joined: January 30th, 2007, 10:55 am

Post Posted November 22nd, 2009, 11:04 pm

Thank you for the link. I was hoping you had some sort of insider information, but I guess I'll just keep an eye on that bug report.

Robert S.

 
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post Posted November 22nd, 2009, 11:08 pm

You will get the UAC prompt when running as an administrator with UAC turned on but it won't work with a standard user account until that bug is fixed at which point it will just work on all Firefox supported versions of Windows.
