How about you Windows and Linux users? This guy says it affects ALL...
Mac OSX Ping!
If you want on or off the Mac Ping List, Freepmail me.
Posted on 08/17/2009 2:49:23 AM PDT by Swordmaker
A site claims that there is a "fundamental problem" with Firefox updates using the OS X operating system.
Linux and Windows operating systems are affected too.
Paul Sture says that if you run as a non-admin user on OS X, Firefox grays out the check for updates menu item and doesn't automatically tell you when security updates are available.
Firefox, he says, only allows Update Checking when you have write access to the Firefox application although most people do their daily work on a non-privileged account.
He says he's pointed out the flaw to the Secure IT Foundation.
There's more details here .
I like how these people headline OSX as being flawed, but then add, parenthetically, that Windows and Linux are also affected by the vulnerability.
How about it? Are any of you "grayed out" from updating FireFox? I'm not.
I call it a FUD article on all three platforms!
How about you Windows and Linux users? This guy says it affects ALL...
If you want on or off the Mac Ping List, Freepmail me.
I have found a fundamental security problem with Firefox updates on OS X.
Simply put, if you run as a non-admin user on OS X (which is the sensible thing to do), Firefox grays out the Check For Updates menu item, and certainly doesn’t do any automatic notification of security updates, so you can go for days, weeks or even months without realising that an important security update has been released.
Investigation shows that Firefox only enables Update Checking when you have write access to the Firefox application. This completely misses the point that any mildly security conscious person will do ther daily work in a non-privileged account. Heaven help those home users who know nothing about security!
The also begs the question "Do the Firefox folks know their arse from their elbow when it comes to security?"
Yes folks, I am quite angry about this, because I was left exposed myself. Fortunately my use of Firefox is fairly minimal. Lucky me - I would really like to know how many folks got pwned because of this one?
I have pointed out this flaw over at Secure IT Foundation, and the answer I received states that it's also a problem for non-admin WIndows users. They responded with this interesting idea:
...Firefox should be managed as part of a home security policy like the Secure IT Foundation’s Home Computer Policy which includes patching on a regular / urgent basis.
This is also an issue for Ubuntu users, so I suspect it applies to other Unix/Linux variants.
The evidence to date says that at least 3 platforms are affected:
- MS Windows
- Linux
- OS X
The only workaround I can think of on OS X is to keep your eye on the IT news, and log in to a suitably privileged account to check out the availability of Firefox security updates.
Update: A Solaris sysadmin has just informed me that Firefox updates are catered for by the Solaris software update system.
Reads like FUD at the least, idiocy at worst to me. I’ve run Firefox under a myriad of situations; admin, regular user, etc on my Mac and on my winders machines without ever seeing the Check for Updates grayed out.
I strongly disagree with the implication that this is a security issue, however, as the system is set up (by default) to have "root" check for package updates (including installed third-party packages packages, such as Firefox). It's the main reason to stick with installing via "yum" rather than downloading and compiling on your own -- automated package control.
My “automatically check for updates to... Firefox” is grayed out (running unpriveleged on Ubuntu). It is however checked, so presumably updates will be checked for. The other two “Installed Add-ons” and “Search Engines” were not grayed out, so I unchecked them (I want as few update checking thingies as possible).
Check for updates is greyed out out for me in debian, but I run Swiftfox. It's in my repositories list so it checks for updates every time I update the system, which I do 2-3 times per week.
No worries here.
Linux here, FF 3.5.2, I don’t see an update option. But then I never run it as root, so I can’t say if that option shows up if done so. In fact, all my FF security updates come from the opensuse mozilla repository, and it’s checked with other system and application updates. And those do require root privileges to install.
Like I said, I get all my updates from the repositories, and that's checked by the Yast updater.
Grayed out for me too...Ubuntu 8.04, Firefox 3.0.13
On Linux, you generally get updates from your distribution, anyhow. So, this is pretty much a non-issue.
There are a few people who post here (and will probably chime in on this thread) who will do anything to try to tear down Apple - they don't mind lying, misrepresenting, or just plain ignoring facts to do it. I wouldn't be surprised if one of those posters penned that "article".
And no, it does not appear to affect this machine I am on.
I would wager that the huge number is something just a bit less than 0.
Running XP Home as many do and have no problems. It just wants me to update from 3.0.13 to 3.5.2 which I won't do for another few months until they have the bugs worked out of 3.5.
I suppose I could log in as a non-administrator and see what happens, but don't have the time to mess with it.
It never prompted me to update to 3.5.2 but kept patching the older version or addons. But I'd get an error on my local paper site for certain pages, said I needed to dl 3.5.2.
So I did that, and can read the pages again, mainly weather report.
They finally got the xtra tab like IE8 which I like but I figure some of my addons may not work with the latest version, will just struggle along with it. Also they changed history, and I was using show all, nothing there. It took me a bit to figure out you have to double click in today, yesterday, etc., for all to show.
Probably other changes I haven't noticed yet.
Mine is greyed out on my Win7 box, but not my Ubuntu boxes, nor XP. So, maybe it’s an UAC issue, at least on Windows?
That said, Auto Updates work regardless on which user is logged in. Check yours.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
Firefox from a privileged account can have problems too
I forgot to mention the scenario below, which is where I first encountered the problem.
The result of this was that Firefox.app was owned by User 1, therefore my privileged account User 2 didn't have write access to it. Firefox in its wisdom decided from this that it disabled Update Checking for User 2 and I went for a while without any Firefox updates.