Hacker News

Really unhappy with Mozilla. Does this affect all versions of Firefox? Quantum only? The bug report itself is not viewable publicly either.


True they could have been clearer on the versions affected, but tbh you should keep with the latest supported anyway.

Security bug reports are often restricted for some time after a new release to help prevent reverse engineering to find the bug.



The only additional information on that mozilla link is that the issue is "fixed in Firefox 67.0.3 and Firefox ESR 60.7.1". The only information about affected versions is that an unspecified set of "Firefox, Firefox ESR" are vulnerable.

The report doesn't include anything about which version introduced the bug. Is this a recent bug, or has it been around for many years? If it's old, is there any information available that might indicate how long malicious actors have been exploiting this vulnerability? Apparently the answer to the last question is "yes", as Mozilla claims that "We are aware of targeted attacks in the wild abusing this flaw." For how long? How many people might be affected? "Targeted" could mean a single individual or a very large group with some specifically targetable attribute.

There is a lot more to security than "just upgrade to the latest release". Also, while fears about public malicious actors learning from disclosure rarely outweigh the important benefits gained by allowing the public to defend themselves and learn from the incident, in this particular case where malicious actors are already exploiting the bug in the wild, there is little to be gained by keeping information hidden from the public.


What right would the Firefox team have to invade the privacy of the "target" to detail who they are to the Internet as a whole?

HN users frequently complain that "automatically check for updates" is somehow an invasion of privacy. Meeting your demand, revealing the target of an attack publicly, would certainly be an invasion of privacy — one a thousand times more trust-violating than any auto-update check could be.

What of your needs is met by making such a request? What is your direct and personal benefit from knowing the target of the attack? Why are you willing to sacrifice the privacy of that target for that personal benefit?


What about mobile versions? What about Beta, Developer, Nightly versions?


Firefox app on my Android phone was updated yesterday to 67.0.3, and the release notes mention the security fix.


There's more than one mobile version.

Latest Android Nightly build is 68.0a1 from 2019-05-04.

Latest Android Beta build is 68.0beta, from May 21, 2019 (actually from APK name it's 68.0b11).

Latest iOS Release build is 16.0, from April 15, 2019.

By the way, latest Desktop Beta build is 68.0beta, from May 22, 2019, and latest Desktop Nightly build is 69.0a1, from May 20, 2019 - and there's no information about whether they affected too.


The iOS version should be unaffected, as Firefox for iOS does not include its own JS engine (it uses the one provided by the system), which is where this vulnerability is.

For the Desktop version at least, if you download the current beta (68.0beta11), you'll notice that it was built two days ago. The latest nightly was built today. The changelog for these is just not kept up to date.


Please do not assume people are not running current release just because they are lazy and have not upgraded.

The user experience was degraded at FF57 for many individuals who need extensions that will not work with ff>56 or that developers have abandoned out of frustration with Mozilla. When all the extensions I find necessary are functional (or with suitable replacements) I will switch.


I would be more concerned about all the other vulnerabilities in FF56 than just this one.

https://www.cvedetails.com/vulnerability-list.php?vendor_id=...


Well you are running an unsupported version, so Mozilla doesn't have to concern themselves with backports.

If you still want to use your extensions AND receive browser updates, you should move to a different browser (maybe waterfox?)


Firefox 56 is unlikely to ever receive security patches ever again. You are incredibly vulnerable by staying behind.


If you don't want Firefox Quantum, you should still switch to a supported browser that kept XUL, such as Basilisk.

Also I'm curious, what extensions are missing? Most of my pre-quantum extensions, such as Tree Style Tabs, have been updated now.


> I'm curious, what extensions are missing?

There are a couple I sorely miss. Disable Ctrl-Q died, and so did Toggle Animated GIFs. Now I have to keep an extra tab open with a warn-on-page-close handler to prevent Ctrl-Q fat-fingering from killing my session. And I've just disabled video/GIF animations entirely, instead of using the cool extension which let me start/stop them on demand.

I also used to have a cool cookie exporter extension, which was useful in combination with wget for scraping sites that required a login. I admit I haven't searched for a replacement, though, so maybe there is one.

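The cookie-export-plus-wget workflow mentioned above, as an added example that is not from any commenter in this thread: it reads cookies out of a Firefox profile's cookies.sqlite and writes the Netscape cookies.txt format that `wget --load-cookies` accepts. The moz_cookies column names used (host, path, name, value, expiry, isSecure, isHttpOnly) are assumed from Firefox's schema and should be checked against the profile in use; the sample database is constructed inside the block so it runs offline.

```python
import os
import pathlib
import sqlite3
import tempfile
import time

# Minimal moz_cookies schema for the constructed sample database. The real
# Firefox table has more columns (originAttributes, lastAccessed, ...); only
# the columns read by export_cookies() are assumed here, so check them
# against your own profile's cookies.sqlite before relying on this.
SAMPLE_SCHEMA = """
CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY,
    host TEXT NOT NULL, path TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL,
    expiry INTEGER NOT NULL, isSecure INTEGER NOT NULL, isHttpOnly INTEGER NOT NULL
)
"""

# Constructed sample rows (expiry is seconds since the epoch, as Firefox stores it):
# an HttpOnly session cookie, a Domain= cookie (leading dot: applies to subdomains),
# an already-expired cookie, and a cookie for an unrelated site.
SAMPLE_COOKIES = [
    ("example.com",  "/", "sessionid", "s3cr3t", 4102444800, 1, 1),
    (".example.com", "/", "theme",     "dark",   4102444800, 0, 0),
    ("example.com",  "/", "old",       "gone",   1000000000, 0, 0),
    ("other.test",   "/", "tracker",   "xyz",    4102444800, 0, 0),
]


def build_sample_db(db_path):
    """Create a cookies.sqlite lookalike holding SAMPLE_COOKIES."""
    con = sqlite3.connect(db_path)
    with con:
        con.executescript(SAMPLE_SCHEMA)
        con.executemany(
            "INSERT INTO moz_cookies (host, path, name, value, expiry, isSecure, isHttpOnly)"
            " VALUES (?, ?, ?, ?, ?, ?, ?)",
            SAMPLE_COOKIES,
        )
    con.close()


def host_matches(host, suffix):
    """True if the cookie host is suffix itself or a subdomain of it.

    A plain endswith() would also accept 'notexample.com' for 'example.com'.
    """
    bare = host.lstrip(".")
    return bare == suffix or bare.endswith("." + suffix)


def export_cookies(db_path, host_suffix, now=None):
    """Return Netscape-format lines for unexpired cookies under host_suffix.

    Filter by host on purpose: dumping the whole jar writes every site's
    session token into one plain-text file. Firefox keeps cookies.sqlite open
    (in WAL mode) while running, so copy the file and its -wal sidecar out of
    the profile first and point this at the copy.
    """
    now = int(time.time()) if now is None else now
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    rows = con.execute(
        "SELECT host, path, name, value, expiry, isSecure, isHttpOnly"
        " FROM moz_cookies WHERE expiry > ? ORDER BY host, path, name",
        (now,),
    ).fetchall()
    con.close()

    lines = []
    for host, path, name, value, expiry, secure, _http_only in rows:
        if not host_matches(host, host_suffix):
            continue
        # Netscape format: domain, subdomain flag, path, secure, expiry, name, value.
        # HttpOnly cookies are written as ordinary lines: that flag only limits
        # script access inside a browser and means nothing to wget. (curl's jar
        # marks them with a "#HttpOnly_" prefix; that convention is not used here.)
        lines.append("\t".join((
            host,
            "TRUE" if host.startswith(".") else "FALSE",
            path,
            "TRUE" if secure else "FALSE",
            str(expiry),
            name,
            value,
        )))
    return lines


def write_cookie_file(lines, out_path):
    """Write cookies.txt with mode 0600; it holds live session tokens."""
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("# Netscape HTTP Cookie File\n")
        f.write("\n".join(lines) + "\n")
    return out_path


def run_demo(host_suffix="example.com", now=None):
    """Build the sample jar, export it, and return (lines, file permission bits)."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "cookies.sqlite")
    build_sample_db(db_path)
    lines = export_cookies(db_path, host_suffix, now)
    out = write_cookie_file(lines, os.path.join(workdir, "cookies.txt"))
    return lines, os.stat(out).st_mode & 0o777


if __name__ == "__main__":
    exported, mode = run_demo()
    print("\n".join(exported))
    print("mode: %o" % mode)
    print("usage: wget --load-cookies cookies.txt https://example.com/private/")
```

The host filter and the 0600 file mode are the two things the old extension workflow tended to skip: an unfiltered export is a plain-text copy of every logged-in session on the machine.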

I get the annoyance with deprecating extensions. But seriously the <edit>main</edit> person you are harming by running vulnerable un-patched software is yourself.

EDIT: s/the only person/the main person/


If only this was true. People with unpatched software running are prime targets for inclusion in a botnet, and then they are damaging others with their reckless behavior.



Obligatory xkcd reference https://xkcd.com/1172/


This is exactly the problem with the culture that's formed around software and the security industry in general --- people are using the excuse of "security" to force other utterly unwanted and hostile changes, and then act surprised and angry when people don't update.

Doubly so when the advice given is basically "bend over and take it" --- especially when Mozilla has made statements like this in the past:

https://blog.mozilla.org/security/2013/01/29/putting-users-i...

"Users should have the choice of what software and plugins run on their machine."

In any case, I hope NoScript is one of the extensions you're already using, because this is another vulnerability that requires JS to exploit. JS off by default already gets rid of the vast majority of them.


Not sure how Mozilla are forcing anything


Mozilla has been very destructive, and I have had to restrain Firefox in a number of different ways. Its Updater.app will disregard your wishes and repeatedly download updates over and over again. This happened to me when I had to turn in an assignment and I was on a 2G connection a few years ago. Most of their updates are unidirectional, even though they don't need to be. And major features are quietly removed, as if it is just normal for your car's speedometer to disappear one morning. This ends up feeling like gas-lighting. At least Chrome's updates are small and hard to notice, but Firefox has all the same disregard for users, except they are very clumsy about it. And the official response from them has been that if their updates destroy your profile folder, you should have made a backup and it was your fault for assuming that their software wouldn't do a destructive update.


The tone-deafness of the comments here is astounding. The fact that these posts are rapidly downvoted further reinforces my point.

It's not just Mozilla, it's the whole "update culture": "you must take these important fixes for remotely-exploitable vulnerabilities, and also all of that other stuff" --- of which everyone would probably want the former, but no one really wants the latter.

When the "choice" of browsers that can view the majority of sites, including advanced JavaScript, is basically between Firefox or the various flavours of Chrom(e/ium), there is no real choice!

tl;dr: To say I am annoyed with the state of things is an enormous understatement. The browser culture is getting more and more user-hostile and "security" is being used as an excuse to put users under the noose; this encouragement of "learned helplessness" is insane. Fuck this idiotic "it's for your security" bullshit.


I'm sorry you are getting downvoted. You are absolutely correct. I've gotten in many discussions about this exact same thing on HN. At one point I had an exchange with someone about how terribly bad Pale Moon was because it let users do things like override HSTS settings, and otherwise undo decisions that Mozilla had made.[1]

I actually have highly specialized profiles that make heavy use of XUL addons that I have developed over the years for very specific things, and I hate how careful I have to be that an update won't come and delete them. It would be one line of code to make a backup of a profile before "upgrading" it...

[1]: https://news.ycombinator.com/item?id=19527615

Anyway, it's a much bigger problem, and it's cultural as much as technological. And you're not alone and you're not crazy for seeing it.



