I like how these people headline OSX as being flawed, but then add, parenthetically, that Windows and Linux are also affected by the vulnerability.
How about it? Are any of you "grayed out" from updating FireFox? I'm not.
I call it a FUD article on all three platforms!
How about you Windows and Linux users? This guy says it affects ALL...
If you want on or off the Mac Ping List, Freepmail me.
I have found a fundamental security problem with Firefox updates on OS X.
Simply put, if you run as a non-admin user on OS X (which is the sensible thing to do), Firefox grays out the Check For Updates menu item, and certainly doesn't do any automatic notification of security updates, so you can go for days, weeks or even months without realising that an important security update has been released.
Investigation shows that Firefox only enables Update Checking when you have write access to the Firefox application. This completely misses the point that any mildly security conscious person will do their daily work in a non-privileged account. Heaven help those home users who know nothing about security!
This also begs the question "Do the Firefox folks know their arse from their elbow when it comes to security?"
Yes folks, I am quite angry about this, because I was left exposed myself. Fortunately my use of Firefox is fairly minimal. Lucky me - I would really like to know how many folks got pwned because of this one?
I have pointed out this flaw over at Secure IT Foundation, and the answer I received states that it's also a problem for non-admin Windows users. They responded with this interesting idea:
...Firefox should be managed as part of a home security policy like the Secure IT Foundation's Home Computer Policy which includes patching on a regular / urgent basis.
This is also an issue for Ubuntu users, so I suspect it applies to other Unix/Linux variants.
The evidence to date says that at least 3 platforms are affected:
- MS Windows
- Linux
- OS X
The only workaround I can think of on OS X is to keep your eye on the IT news, and log in to a suitably privileged account to check out the availability of Firefox security updates.
Update: A Solaris sysadmin has just informed me that Firefox updates are catered for by the Solaris software update system.
I strongly disagree with the implication that this is a security issue, however, as the system is set up (by default) to have "root" check for package updates (including installed third-party packages, such as Firefox). It's the main reason to stick with installing via "yum" rather than downloading and compiling on your own -- automated package control.
On Linux, you generally get updates from your distribution, anyhow. So, this is pretty much a non-issue.
There are a few people who post here (and will probably chime in on this thread) who will do anything to try to tear down Apple - they don't mind lying, misrepresenting, or just plain ignoring facts to do it. I wouldn't be surprised if one of those posters penned that "article".
And no, it does not appear to affect this machine I am on.
Mine is greyed out on my Win7 box, but not my Ubuntu boxes, nor XP. So, maybe it’s a UAC issue, at least on Windows?
That said, Auto Updates work regardless on which user is logged in. Check yours.
Also, I don’t see any mention of versions or if Firefox was installed under Admin rights or user rights.
Firefox from a privileged account can have problems too
I forgot to mention the scenario below, which is where I first encountered the problem.
The result of this was that Firefox.app was owned by User 1, therefore my privileged account User 2 didn't have write access to it. Firefox in its wisdom decided from this to disable Update Checking for User 2, and I went for a while without any Firefox updates.
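The behaviour described in the post above and in the ownership scenario (Firefox.app owned by a different user) both come down to one check: does the current account have write access to the Firefox install directory? The script below is an added example, not from the thread or from Mozilla; it reports, for each default install location, who owns it and whether the current user can write to it, so a non-admin user can tell in advance whether the in-app update check will be greyed out. The install paths are assumptions covering the usual macOS and Linux defaults.

```shell
#!/bin/sh
# Added example (not from the thread). The thread reports that Firefox only
# enables "Check for Updates" when the current user can write to the
# application directory; this script makes that condition visible.

# fx_update_state DIR
#   returns 0 if DIR exists and is writable by the current user
#             (in-app update check expected to be available),
#           1 if DIR exists but is read-only for this user
#             (in-app update check expected to be greyed out),
#           2 if DIR does not exist.
fx_update_state() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        return 2
    fi
    if [ -w "$dir" ]; then
        return 0
    fi
    return 1
}

# fx_owner DIR: print the owning user of DIR (ls -ld works on macOS and Linux).
fx_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# fx_report DIR: one human-readable line for DIR.
fx_report() {
    dir="$1"
    fx_update_state "$dir"
    case $? in
        0) echo "$dir: owner $(fx_owner "$dir"), writable by $(id -un) -> in-app update check available" ;;
        1) echo "$dir: owner $(fx_owner "$dir"), read-only for $(id -un) -> in-app update check greyed out; update from a privileged account or via the package manager" ;;
        2) echo "$dir: not installed here" ;;
    esac
}

# Assumed default install locations: macOS app bundle and common Linux paths.
for candidate in "/Applications/Firefox.app" "/usr/lib/firefox" "/usr/lib64/firefox" "/opt/firefox"; do
    fx_report "$candidate"
done
```

Run it from the non-admin account you work in day to day; a "read-only" line means that account will never be told about a Firefox update by Firefox itself, which is the gap the post is complaining about.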