Firefox update in the enterprise
Multiple banks are removing Firefox due to vulnerabilities. They have found, as I have told them multiple times, that there is no centralized method to ensure Firefox remains up to date. The admx files from GitHub do set the appautoupdate and backgroundappupdate to a value of 1 to indicate updates, but all PCs are at different levels from 90.0 to 95.0, and I've found that even with the auto update switch on, many PCs do not auto update due to users leaving Firefox up and ignoring the restart. The autoupdate task runs only if the user is logged on, and that allows users to browse with an insecure version of Firefox that can lead to data breaches. CVEs lead to threats to exploit the CVE and that leads to risk that leads to data breaches. These CVEs are tracked by the NVD and this puts security in the hands of users instead of the business, and the business has decided to remove Firefox from their environments due to this fact.
I know Mozilla is NFP, but to maintain Firefox in an enterprise environment, it needs a better update process such as Google Chrome and Edge Chromium.
CVE-2021-38503, CVE-2021-38504, CVE-2021-38505, CVE-2021-38506, CVE-2021-38507, CVE-2021-38508, CVE-2021-38509, CVE-2021-38510
The above are current CVEs of High risk in one environment that has decided Firefox will no longer be used.
All Replies (4)
We now update Firefox when it is not running which will help a lot with this problem.
I don't see a Chrome policy that forces the user to restart their browser unless I'm missing something?
https://support.google.com/chrome/a/answer/6350036
So other browsers have this same issue if a user doesn't restart their browser.
We discussed the same problem with IBM, and our team has found that Google Chrome and Edge policies do update in the background and their task runs whether the user is logged on or not. Further, the Chrome updates run as system, which ensures that the browsers remain current. Lastly, we modify the registry to force the browser to check more often by setting the LastChecked registry key to 0. Chrome and Edge do update without browser restart on over 20,000 of the systems we manage.
Firefox, however, has the task Firefox Background Update 308046B0AF4A39CB set to run only when the user is logged on and NOT run with the highest privileges. Our teams and IBM have determined that machines where an administrator logs on and remains logged on when the task runs maintain the Firefox update in the background. But when non-admins log on, the task does not have sufficient rights to update in the background, meaning that Firefox quickly falls out of compliance on corporate machines where UAC and administrative privileges are limited.
Our empirical testing on thousands of machines has determined that Mozilla changing the task to run both at logon as any user and daily with the highest privileges (system) may be the proper method to maintain currency of the Firefox browser, as we do in our enterprise customers with Microsoft Edge and Google Chrome.
We do see the benefit of Firefox, it is a safe and robust browser, but it could greatly benefit by enhancing its background updater to run as system daily to keep the browser updated. Our team would gladly work with Mozilla on this, as we specialize in Enterprise Risk Management for some of the world's largest organizations.
Sorry for the major delay on this.
After talking to the team there seems to be something wrong with the install of the Mozilla Maintenance Service.
It definitely should be able to run with elevated privileges and update.
Is it possible the Mozilla maintenance service isn't installed at all?
"as long as the Mozilla Maintenance Service is working properly, there is really no reason that Background Update should need to be run as SYSTEM. We don't need the privileges, really. IIUC, it seems that we are mainly interested in the ability to run a task without a user logged in."
The best way to move forward here would be to open a bug at bugzilla.mozilla.org and we can work with the install team to figure things out.
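A read-only audit of the points raised in this thread (installed version, the two update policies, the background update task's logon type and run level, and whether the Mozilla Maintenance Service is present), as an added example that is not from any poster or from Mozilla. The service name `MozillaMaintenance` and the registry paths are assumptions about a default per-machine 64-bit install; the function name is hypothetical.

```powershell
# Added example: reports the state of Firefox's update plumbing on one machine.
# Read-only. Run elevated so every scheduled task and service is visible.
function Get-FirefoxUpdateHealth {
    [CmdletBinding()]
    param(
        # Task name as quoted in the thread; the hex suffix differs per install.
        [string]$TaskPattern = 'Firefox Background Update*',
        # Assumed service name of the Mozilla Maintenance Service.
        [string]$ServiceName = 'MozillaMaintenance'
    )

    # Assumed default locations (a 32-bit install on 64-bit Windows lives under WOW6432Node).
    $ff  = Get-ItemProperty 'HKLM:\SOFTWARE\Mozilla\Mozilla Firefox' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox' -ErrorAction SilentlyContinue
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    $base = [ordered]@{
        Computer            = $env:COMPUTERNAME
        FirefoxVersion      = $ff.CurrentVersion
        AppAutoUpdate       = $pol.AppAutoUpdate        # 1 = enabled by policy
        BackgroundAppUpdate = $pol.BackgroundAppUpdate  # 1 = enabled by policy
        MaintenanceService  = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
    }

    $tasks = @(Get-ScheduledTask -TaskName $TaskPattern -ErrorAction SilentlyContinue)
    if ($tasks.Count -eq 0) {
        # No task registered: background update cannot run at all.
        return [pscustomobject]($base + @{ TaskName = $null })
    }

    foreach ($t in $tasks) {
        $info  = $t | Get-ScheduledTaskInfo
        $logon = "$($t.Principal.LogonType)"
        [pscustomobject]($base + [ordered]@{
            TaskName         = $t.TaskName
            RunAs            = $t.Principal.UserId
            LogonType        = $logon                      # Interactive = only when user is logged on
            RunLevel         = "$($t.Principal.RunLevel)"  # Limited or Highest
            RunsWithoutLogon = $logon -in 'S4U', 'Password', 'ServiceAccount'
            LastRunTime      = $info.LastRunTime
            LastTaskResult   = ('0x{0:X}' -f $info.LastTaskResult)
        })
    }
}

Get-FirefoxUpdateHealth | Format-List
```

A row showing `MaintenanceService : NotInstalled` together with `LogonType : Interactive` and `RunLevel : Limited` matches the failure described above for non-admin users, and is useful evidence to attach to the Bugzilla report.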