Firefox makes extension porting easier as security crackdown looms

August 27th, 2015 | Edited by | software


New tools should help developers bring their extensions over from Chrome or Opera, but existing extensions may have trouble surviving the shift.


Mozilla is pushing ahead with a plan to block unsigned Firefox browser extensions, though it’s offering better developer tools as consolation.
As Mozilla has previously indicated, it will soon require a security check for all third-party Firefox extensions. Starting with Firefox 41, which launches on September 22, Mozilla will block all unsigned extensions, though users will be able to override this protection if they want. However, that override won’t be available in beta and release versions of Firefox 42 and higher, as they’re released. (Nightly and Developer editions will still allow unsigned extensions with the user’s override permission, ostensibly for testing.)
Mozilla has said that the new signing procedure is necessary to stop ad injections and malicious scripts. Add-on guidelines and a blocklist are no longer enough, Mozilla argues, as it’s become too difficult to track and discover malware before the damage is done. The move is not without controversy, as some users rely on extensions that are no longer officially supported by their developers.
To help mitigate these concerns, Mozilla is introducing a WebExtensions API, which it says will allow for low-effort porting of extensions from other browsers, such as Chrome, Opera, and eventually Microsoft Edge. Mozilla says it can review these extensions faster, and they also support a new multi-process version of Firefox that will go stable in December. Multi-process effectively separates rendering and UI chrome from page content, preventing full browser crashes if just one page experiences problems.
As part of these changes, Mozilla also plans to deprecate Firefox add-ons that use XPCOM, XUL, and XBL, possibly in the next 12 to 18 months. While these add-ons allow Firefox to be deeply customizable, they’re also prone to breaking when Mozilla rolls out browser updates, and the switch to multi-process will only exacerbate those problems. The challenge, then, is for Mozilla to build out its WebExtensions and other tools so that developers can offer suitable replacements for existing add-ons.
The impact on you: Make no mistake, these changes will cause some ugliness for Firefox users who rely on add-ons—especially those that don’t exist in other browsers. Even Mozilla is admitting that without considerable development, Firefox-only add-ons will not survive the transition. It’s a huge trade-off as Mozilla pursues a more secure and stable browser, and while it may pay off in the long run, for some users it could diminish what makes Firefox unique in the first place.


Update Firefox now! Fix rushed out for an exploit that steals files off your hard drive

August 13th, 2015 | Edited by | software


Late Thursday night, Mozilla released a security patch for the Firefox browser after finding a serious vulnerability being exploited in the wild. The vulnerability allows malicious attackers to use some JavaScript magic to “search for and upload potentially sensitive” files from your hard drive to their servers.
Mozilla is asking all Firefox users to upgrade immediately to version 39.0.3. Anyone on the Firefox Extended Support release via their school or business should upgrade to version 38.1.1.


The security issue only affects PCs since the flaw relies on an interaction between Firefox’s PDF Viewer and other parts of the browser. Firefox for Android does not have the PDF Viewer and is therefore not vulnerable, according to a blog post by Mozilla’s security lead, Daniel Veditz.
Mozilla first became aware of the flaw after a Firefox user noticed that an ad embedded on a Russian news site was using an exploit to search for sensitive files. The malware would then upload the sensitive files to a server in the Ukraine. This all appears to happen in the background with the user none the wiser. The malware also leaves no trace it was ever on your machine.
The specific exploit found in the wild was only targeting Windows and Linux PCs; however, Veditz warns that Mac users would be vulnerable if the malware had been crafted differently.
On Windows, the malware was looking for some very specific data, including configuration files for several different FTP upload programs including FileZilla, the Subversion version control system, S3 Browser, and the PSI Plus and Pidgin chat clients that are popular choices for encrypted, off-the-record messaging.
The impact on you at home: If you use any of the programs mentioned above, Mozilla advises you to change your passwords and any keys associated with them. If not, you should still update your browser as soon as possible in case other, as-yet-unknown exploits are looking for sensitive files you do have on your system.
Firefox will update automatically in time, but to do it manually right now, click on the “hamburger” settings menu on the upper right-hand side and select the question mark icon at the bottom of the drop-down window. Next, select About Firefox and the browser will check for updates. This is also the screen where you can see your Firefox version number. If you are running 39.0.3, you’re good to go.


Firefox is headed to iOS, browser restrictions be damned

December 9th, 2014 | Edited by | software


After years of vowing not to bring Firefox to the iPhone and iPad, Mozilla is changing its tune—and is presumably willing to work with Apple’s rules.
“We need to be where our users are so we’re going to get Firefox on iOS,” Mozilla Release Manager Lukas Blakk wrote on Twitter. TechCrunch believes he was paraphrasing Jonathan Nightingale, Mozilla’s Vice President for Firefox, who revealed the plans during an internal company event.
Mozilla isn’t a complete stranger to iOS. Four years ago, the organization released Firefox Home, which synced bookmarks and tabs from other devices but was not a full-fledged browser. Mozilla shut down the app in 2012. While Mozilla now lets users sync their tabs and bookmarks with an online login, iOS users have been left out, potentially making Mozilla less attractive as a whole.


In the past, Mozilla has said that it wouldn’t offer Firefox on iOS because Apple doesn’t allow third parties to use their own browsing engines. Chrome, for instance, is based off the same WebKit rendering engine as Safari, despite having its own engine called Blink for other platforms. Mozilla has bemoaned this dominance of WebKit as promoting a “monoculture,” in which mobile webmasters only target WebKit to the exclusion of other browsers and open standards.
Unless Mozilla has a trick up its sleeve, it seems the organization will freeze its anti-WebKit crusade as it tries to win back lost users.
The story behind the story: While celebrating Firefox’s 10-year anniversary last month, Mozilla stressed its newfound emphasis on privacy, with new features like a “Forget” button and support for the DuckDuckGo search engine, which doesn’t track users. For Mozilla, bringing similar features to iPhone and iPad users may be worth adopting WebKit, even if it is a loveless embrace.