Firefox security problem affects OS X, Windows, Linux

TGDaily ^ | Friday, August 14, 2009 08:36 | TG Daily Staff

[Swordmaker]

A site claims that there is a "fundamental problem" with Firefox updates using the OS X operating system.

Linux and Windows operating systems are affected too.

Paul Sture says that if you run as a non-admin user on OS X, Firefox grays out the check for updates menu item and doesn't automatically tell you when security updates are available.

Firefox, he says, only allows Update Checking when you have write access to the Firefox application although most people do their daily work on a non-privileged account.

He says he's pointed out the flaw to the Secure IT Foundation.

There's more details here .

[papasmurf]

Also, I don’t see any mention of versions or if Firefox was installed under Admin rights or user rights.

[papasmurf]

Firefox updates for Ubuntu come through the update manager, which comes from Canonical. If you check your auto-updates through “about:config”, what does it show there? Mine shows True, but the updates always come from the update manager.

[papasmurf]

Try this.

Open a browser window and type “about:config” (without the quotes) and click I’ll be careful, I promise!

The type in the address bar there, “app.update.enabled” (without the quotes), and look to the right. That will tell you if the USER can receive the update or not. (double click the line to change the Value)

[palmer]

Mine showed true too, just set it to false, but it didn’t change the grayed out box. Also tried setting update.mode to zero, same thing, no effect on the grayed out checkbox.

[palmer]

"app.update.enabled"

Ah, that did the trick. Set that to false, auto-updates checkbox is turned off now (still grayed out). Now I can relax (I hate auto-update).

[papasmurf]

If was already greyed out, it won’t change it.

It’s NOT greyed out by default on installation. BUT, if you click it, it WILL grey out, and stay that way. LOL

That’s on FF 3.0.13 on Ubuntu 9.04, which started out as hardy, and upgraded every 6 months.

I just checked my Puppy box, it has SeaMonkey and FF (BonEcho). SeaMonkey and FF both list update notifier=True, and the souce as SeaMonkey Project and PuppyOrg, respectively.

I think somneone had a bad hair day, maybe they found a Gray hair???

[stripes1776]

And, may I add, the idea that a non-admin user should be able to modify a software package on a multi-user operating system is patently crazy. Sometimes there's a darn good reason for deferring software upgrades, even security updates, and non-admin users shouldn't have the ability to override admin decisions like that.

You are exactly correct. If you have a multi-user system, you still have to be an administrator to that system. So login once in a while as admin and take care to things.