November 24th, 2011, 18:17 PM
Firefox's proposed silent updates carry a security risk
As a way to speed up the process of updating Firefox, Mozilla engineers are mulling over a silent update feature, which one security expert argues is a bad idea.
Currently, when Firefox detects an available update, it lets you know and if you agree to install it, the browser launches its updater program. That program downloads the update, applies it to Firefox, and restarts the browser. While all that is happening, you're twiddling your thumbs watching a progress bar on your computer screen.
To skirt the lag time in the current updating process, the Firefox team is considering a "silent" alternative. Instead of performing an update in the foreground, updates would be downloaded in the background and installed on a copy of the browser in a new directory. The first time that you launch Firefox after an update has been completed, your old version of Firefox is swapped out for the new version. "In this scenario, you likely won’t notice that Firefox has applied an update as no UI is shown," Firefox Engineer Ehsan Akhgari recently wrote in a Mozilla blog.
"Now, the reason that this approach fixes the problem is that swapping the directories, unlike the actual process of applying the update, is really fast," he added.
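To make the staged-directory scheme described above concrete, here is a small simulation (an added example written for this page, not Mozilla's updater code). It stages an update payload into a sibling directory while the "running" copy is untouched, and on the next launch promotes it with two directory renames, which is the fast step Akhgari describes. It also adds one step the article's critics are implicitly asking for: the staged copy is checked against an expected digest before it is promoted, and a tampered copy is discarded. The file layout, the `VERSION` file, and the use of a plain SHA-256 digest in place of a signed update manifest are all assumptions made for the illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample install and update payload: relative path -> file contents.
CURRENT_INSTALL = {
    "VERSION": b"1.0\n",
    "bin/browser": b"#!/bin/sh\necho 'browser 1.0'\n",
}
GENUINE_UPDATE = {
    "VERSION": b"2.0\n",
    "bin/browser": b"#!/bin/sh\necho 'browser 2.0'\n",
}


def write_tree(root: Path, files: dict) -> None:
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def digest_tree(root: Path) -> str:
    """Hash every file (relative path plus contents) in a deterministic order."""
    h = hashlib.sha256()
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        h.update(p.relative_to(root).as_posix().encode())
        h.update(b"\0")
        h.update(p.read_bytes())
        h.update(b"\0")
    return h.hexdigest()


def stage_update(install_root: Path, payload: dict) -> Path:
    """Background step: unpack into a sibling directory; the running copy is untouched."""
    staged = install_root.parent / (install_root.name + "-staged")
    if staged.exists():
        shutil.rmtree(staged)
    write_tree(staged, payload)
    return staged


def apply_on_launch(install_root: Path, expected_digest: str) -> str:
    """Foreground step on next launch: verify the staged copy, then swap with two renames."""
    staged = install_root.parent / (install_root.name + "-staged")
    if not staged.is_dir():
        return "no-update"
    # Assumed mitigation: never promote a staged tree that does not match the manifest.
    if digest_tree(staged) != expected_digest:
        shutil.rmtree(staged)
        return "rejected"
    backup = install_root.parent / (install_root.name + "-old")
    if backup.exists():
        shutil.rmtree(backup)
    os.rename(install_root, backup)   # fast: no files are copied, only directory entries move
    os.rename(staged, install_root)
    shutil.rmtree(backup)
    return "swapped"


def read_version(install_root: Path) -> str:
    return (install_root / "VERSION").read_text().strip()


def run_scenario(tamper: bool) -> tuple:
    """Stage the update, optionally tamper with the staged copy, then simulate a launch."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp) / "firefox"
        write_tree(install, CURRENT_INSTALL)
        # The expected digest stands in for the value a signed update manifest would carry.
        with tempfile.TemporaryDirectory() as build:
            write_tree(Path(build), GENUINE_UPDATE)
            expected = digest_tree(Path(build))
        staged = stage_update(install, GENUINE_UPDATE)
        if tamper:
            # Someone with write access to the staging directory swaps in their own binary.
            (staged / "bin" / "browser").write_bytes(b"#!/bin/sh\necho 'not the browser'\n")
        outcome = apply_on_launch(install, expected)
        return outcome, read_version(install)


if __name__ == "__main__":
    print("clean update:   ", run_scenario(tamper=False))
    print("tampered update:", run_scenario(tamper=True))
```

The point of the simulation is the ordering: the slow work (writing files) happens in the background against a directory nobody is running, and the only thing done at launch is a check followed by renames. Without the check, anything that can write to the staging directory between download and launch gets promoted to the live browser, which is exactly the window the quoted concerns are about.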
It may also be really dangerous, according to Philip Lieberman, the founder and president of Lieberman Software, a maker of password management solutions located in Los Angeles.
"While many IT security systems will have to be reconfigured to allow background updates to Firefox--which is not a good thing in the first place--there is danger that hackers could subvert the update system to allow them back-door access to the user's computer," Lieberman wrote today in Business Computing World.
Sure, silent updating may be more convenient to consumers, the security expert noted, but it will also invite hacker exploitation of the process. "If, as I think appears quite likely, hackers start reverse engineering the Firefox background updating system--and remember we are talking about open source software here--then it is only a matter of time before they subvert this auto-updating mechanism to inject malware," he wrote.
Full story: InfoWorld