Firefox just pushed out a minor browser update, bumping its version number from 25.0 to 25.0.1.
I don’t allow Firefox full autonomy over my updates, preferring to use the “Check, but let me choose” option, so I was presented with a now-familiar popup to let me know what was on offer:
A security and stability update for Firefox is available: Firefox 25.0.1. It is strongly recommended that you apply this update for Firefox as soon as possible.
“There’s not much point,” I thought, “in using ‘Let me choose’ if I don’t do some reading first, even though I almost always decide to board the update train at once.”
The Release Notes reiterated the security-related importance of the update:
FIXED - 25.0.1: New security fixes can be found here [link]
And the Known Vulnerabilities page listed five critical, three high and two moderate security advisories:
Eagle-eyed readers, however, will notice that these look very much like the bugs that were fixed in 25.0.
In fact, they are the security fixes from 25.0, all of them listed as patched on 29 October 2013.
A small mystery, to be sure, but not an encouraging one for users who like to read, learn and understand more about security patches before applying them.
What happened?
Perhaps there weren’t actually any security fixes, but Mozilla’s release boilerplate just assumed that there probably would be, and warned you anyway?
Or perhaps there were security fixes, but Mozilla released the update and published all the boilerplate pages before updating the pages to which they link?
Apple takes the latter course most of the time: you get a link to a generic security page (Apple’s well-known landing page HT1222) that usually only gets updated later with the link you really want. Let’s hope Mozilla hasn’t copied Apple’s often laboured and sluggish disclosure strategy.
What to do?
As you can probably guess, I just shrugged and boarded the train.
The update was only 236KB, so there wasn’t a lot to it, and everything seemed to work.
Is this the way of the future?
In a recent Chet Chat podcast, fellow Naked Security writer Chester Wisniewski asked that very same question, albeit in a slightly different way.
Chet coined the term local cloud as a light-hearted way of describing applications that you install and run locally, but which might as well not have a version number because they just update automatically over the internet, on a schedule to suit themselves.
In other words, local cloud applications are like cloud apps in the sense that “you get what you get,” even though they load and run offline, and you don’t need to run them in a browser.
Google’s Chrome is as good as there already; Apple’s iOS and Mozilla’s Firefox are getting pretty close.
Android is as good as there, too, with the added confusion that different Google partners and providers push out their updates at wildly varying times. (Some Android devices never get the latest updates at all, sometimes leaving them vulnerable indefinitely, perhaps to enormous security holes.)
Is this a good thing?
Take a listen to the discussion in the podcast, and let us know what you think.
(We start talking about Android at 6’01” and about the local cloud concept at 9’48”.)
I wondered about this update, too. Let us know if you find out what it really was.
I wondered also and could not determine any real info, so I also just updated and have seen no issues from it.
Some “Firefox N.0.1” releases only contain fixes for non-security bugs that weren’t caught by beta users before the “Firefox N” release. Frequent crashes on systems with malware, broken sites in countries with few beta users, etc.
I don’t think it would make sense to list every bug fixed 25.0.1, any more than it would make sense to list every bug fixed in Firefox 25. But if you’re really curious, it’s all open-source:
http://hg.mozilla.org/releases/mozilla-release/pushloghtml?fromchange=FIREFOX_25_0_RELEASE&tochange=FIREFOX_25_0_1_RELEASE
According to Firefox’s Play Market page, the update contains a security update for “Recently identified security vulnerability”.
(Source: https://play.google.com/store/apps/details?id=org.mozilla.firefox&hl=en_US)
I use the “Check for updates, but let me choose whether to install them” option. I checked for updates manually, but do not have the “Ask Later” button. Downloading of update started immediately.
Been a Firefox user since their inception – dumped it earlier this month for Chrome. It has gotten too bloated, unresponsive and a pain to keep your extensions working with their constant updates. It’s little wonder their market share continues to drop.
Firefox has no market share, Firefox is free.
Firefox is free at the point of use, but it makes money by selling advertisements on its site. We pay for it whenever we buy any goods or services advertised there.
It is just the same with ITV and Sky television.
Ads? Where?
I run the beta and I haven’t had any issues for months.
I even heavily modified my configuration in the about:config which should in theory break more things…
NSS (Network Security Services) has been updated to 3.15.3 with the Firefox 25.0.1 update.
The following security-relevant bugs have been resolved in NSS 3.15.3:
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes#Security_Advisories
Ha! Thanks. (That _could_ have been made easier to find for people following the pointers labelled “Fixed” that were presented during the update.)
One of the bugfixes listed there was “Bug 850478 – List RC4_128 cipher suites after AES_128 cipher suites.” That sounds good.
The mentioned bugs did not warrant the FF 25.0.1 release. I think the FF 17.0.11esr update released at the same time is easier to diff:
https://hg.mozilla.org/releases/mozilla-esr17/rev/1cda5cffe4d7
Looks like they fixed a buffer overflow in Null_Cipher()?
Bingo. I was right. This is CVE-2013-5605:
https://access.redhat.com/security/cve/CVE-2013-5605
https://bugzilla.redhat.com/show_bug.cgi?id=1030807
https://bugzilla.mozilla.org/show_bug.cgi?id=934016
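The bug class the thread has just pinned down, as an added illustration that is not NSS or Mozilla code: a record-layer NULL cipher copies plaintext through unchanged, so the only thing that can go wrong is the length bookkeeping. The function names and signatures below are assumptions made for this example; the contrast is between a copy that trusts the record length and one that checks it against the output buffer’s capacity first.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not NSS code. Names and signatures are assumptions
 * modelling a TLS NULL-cipher callback. */
typedef enum { SEC_OK = 0, SEC_FAIL = -1 } sec_status;

/* Vulnerable shape: trusts the caller-supplied input length and never
 * compares it with the capacity of `out`. A record longer than the
 * output buffer makes memcpy write past the end of `out`. Kept only
 * for contrast; this example never calls it with oversized input. */
sec_status null_cipher_unchecked(unsigned char *out, int *out_len,
                                 const unsigned char *in, int in_len)
{
    memcpy(out, in, (size_t)in_len);
    *out_len = in_len;
    return SEC_OK;
}

/* Hardened shape: the output capacity is part of the contract, and the
 * copy is refused before any byte moves when in_len exceeds it. */
sec_status null_cipher_checked(unsigned char *out, int *out_len, int max_out,
                               const unsigned char *in, int in_len)
{
    if (in_len < 0 || in_len > max_out) {
        *out_len = 0;
        return SEC_FAIL;   /* caller treats this as a malformed record */
    }
    memcpy(out, in, (size_t)in_len);
    *out_len = in_len;
    return SEC_OK;
}

/* Feed a constructed record of record_len bytes into a fixed 32-byte
 * output buffer; returns 1 if the checked cipher accepted it, else 0. */
int process_record(int record_len)
{
    unsigned char record[64];
    unsigned char out[32];
    int out_len = 0;
    memset(record, 'A', sizeof record);
    return null_cipher_checked(out, &out_len, (int)sizeof out,
                               record, record_len) == SEC_OK;
}

int main(void)
{
    printf("16-byte record: %s\n", process_record(16) ? "accepted" : "rejected");
    printf("48-byte record: %s\n", process_record(48) ? "accepted" : "rejected");
    return 0;
}
```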
FX 25.0.1 was primarily released to fix a bug that caused the browser to freeze while playing videos. Any additional security fixes were incidental, part of a nightly build that was promoted to stop the lockups.
I wonder why the notification that popped up to tell me about the update didn’t say that?
It very specifically directed me to information about security fixes…information that wasn’t there when I followed the links offered.
Funny… Had no freezing problems with FF 25. Now I’ve updated to 25.0.1 and all hell broke loose. Keeps freezing while playing videos. Freezes when the cursor stands still. Have to restart FF several times a day because of this… I’m a FF fan but will use Chrome for now 🙁
My computer says now (after upgrading to 25.01):
“The integrity of the upgrade can’t be verified.”
excuse me????
Now the link from the release notes has the info:
“Fixed in Firefox 25.0.1 — MFSA 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities”