Firefox 25.0.1 - the security update that wasn't?


Firefox just pushed out a minor browser update, bumping its version number from 25.0 to 25.0.1.

I don't allow Firefox full autonomy over my updates, preferring to use the "Check but let me choose" option, so I was presented with a now-familiar popup to let me know what was on offer:

A security and stability update for Firefox is available: Firefox 25.0.1. It is strongly recommended that you apply this update for Firefox as soon as possible.

"There's not much point," I thought, "in using 'Let me choose' if I don't do some reading first, even though I almost always decided to board the update train at once."

The Release Notes reiterated the security-related importance of the update:

FIXED - 25.0.1: New security fixes can be found here [link]

And the Known Vulnerabilities page listed five critical, three high and two moderate security advisories:

Eagle-eyed readers, however, will notice that these look very much like the bugs that were fixed in 25.0.

In fact, they are the security fixes from 25.0, all of them listed as patched on 29 October 2013.

A small mystery, to be sure, but not an encouraging one for users who like to read, learn and understand more about security patches before applying them.

What happened?

Perhaps there weren't actually any security fixes, but Mozilla's release boilerplate just assumed that there probably would be, and warned you anyway?

Or perhaps there were security fixes, but Mozilla released the update and published all the boilerplate pages before updating the pages to which they link?

→ Apple takes the latter course most of the time: you get a link to a generic security page (Apple's well-known landing page HT1222) that usually only gets updated later with the link you really want. Let's hope Mozilla hasn't copied Apple's often laboured and sluggish disclosure strategy.

What to do?

As you can probably guess, I just shrugged and boarded the train.

The update was only 236KB, so there wasn't a lot to it, and everything seemed to work.

Is this the way of the future?

In a recent Chet Chat podcast, fellow Naked Security writer Chester Wisniewski asked that very same question, albeit in a slightly different way.

Chet coined the term local cloud as a light-hearted way of describing applications that you install and run locally, but which might as well not have a version number because they just update automatically over the internet, on a schedule to suit themselves.

In other words, local cloud applications are like cloud apps in the sense that "you get what you get," even though they load and run offline, and you don't need to run them in a browser.

Google's Chrome is as good as there already; Apple's iOS and Mozilla's Firefox are getting pretty close.

Android is as good as there, too, with the added confusion that different Google partners and providers push out their updates at wildly varying times. (Some Android devices never get the latest updates at all, sometimes leaving them vulnerable indefinitely, perhaps to enormous security holes.)

Is this a good thing?

Take a listen to the discussion in the podcast, and let us know what you think.

(We start talking about Android at 6'01" and about the local cloud concept at 9'48".)



19 Responses to Firefox 25.0.1 - the security update that wasn't?

  1. Anonymous · 305 days ago

    I wondered about this update, too. Let us know if you find out what it really was.

  2. I wondered also and could not determine any real info, so I also just updated and have seen no issues from it.

  3. Anonymous · 305 days ago

    Some "Firefox N.0.1" releases only contain fixes for non-security bugs that weren't caught by beta users before the "Firefox N" release. Frequent crashes on systems with malware, broken sites in countries with few beta users, etc.

    I don't think it would make sense to list every bug fixed in 25.0.1, any more than it would make sense to list every bug fixed in Firefox 25. But if you're really curious, it's all open-source:

    http://hg.mozilla.org/releases/mozilla-release/pushloghtml?fromchange=FIREFOX_25_0_RELEASE&tochange=FIREFOX_25_0_1_RELEASE

  4. Isaac Kwan · 305 days ago

    According to Firefox's Play Market page, the update contains a security update for "Recently identified security vulnerability".
    (Source: https://play.google.com/store/apps/details?id=org.mozilla.firefox&hl=en_US)

  5. Anonymous · 305 days ago

    I use the "Check for updates, but let me choose whether to install them" option. I checked for updates manually, but do not have the "Ask Later" button. Downloading of update started immediately.

  6. Canuck · 304 days ago

    Been a Firefox user since their inception - dumped it earlier this month for Chrome. It has gotten too bloated, unresponsive and a pain to keep your extension working with their constant updates. It's little wonder their market share continues to drop.

    • Nicolas B. · 303 days ago

      Firefox has no market share, Firefox is free.

      • 4caster · 303 days ago

        Firefox is free at the point of use, but it makes money by selling advertisements on its site. We pay for it whenever we buy any goods or services advertised there.
        It is just the same with ITV and Sky television.

    • I run the beta and I haven't had any issues for months.
      I even heavily modified my configuration in the about:config which should in theory break more things...

  7. Meszina · 304 days ago

    NSS (Network Security Services) has been updated to 3.15.3 with the Firefox 25.0.1 update.

    The following security-relevant bugs have been resolved in NSS 3.15.3:

    https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes#Security_Advisories

  8. Anonymous · 303 days ago

    FX 25.0.1 was primarily released to fix a bug that caused the browser to freeze while playing videos. Any additional security fixes were incidental, part of a nightly build that was promoted to stop the lockups.

    • Paul Ducklin · 303 days ago

      I wonder why the notification that popped up to tell me about the update didn't say that?

      It very specifically directed me to information about security fixes...information that wasn't there when I followed the links offered.

    • Marianne · 300 days ago

      Funny... Had no freezing problems with FF 25. Now I've updated to 25.0.1 and all hell broke loose. Keeps freezing while playing videos. Freezes when cursor stands still. Have to restart FF several times a day because of this... I'm a FF fan but will use Chrome for now :(

  9. grace · 303 days ago

    my computer says now (after upgrading to 25.01)
    "The integrity of the upgrade can't be verified."

    excuse me????

  10. Nicolas B. · 302 days ago

    Now the link from the release notes has the info:

    "Fixed in Firefox 25.0.1 — MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities"


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog