Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox update in the enterprise

  • 4 replies
  • 1 has this problem
  • 17 views
  • Last reply by Mike Kaply

more options

Multiple banks are removing Firefox due to vulnerabilities. They have found as I have told them multiple times that there is no centralized method to ensuring firefox remains up to date. The admx files from github do set the appautoupdate and backgroundappupdate to a value of 1 to indicate updates but all PCs are at different levels from 90.0 to 95.0 and I've found that even with the auto update switch on that many pcs do not auto update due to users leaving firefox up and ignoring the restart. The autoupdate task runs only if the user is logged on and that allows users to browse with an insecure version of Firefox that can lead to data breaches. CVEs lead to threats to exploit the CVE and that leads to risk that leads to data breaches. These CVEs are tracked by the NVD and this puts security in the hands of users instead of the business and the business has decided to remove firefox from their environments due to this fact.

I know mozilla is NFP but to maintain firefox in an enterprise environment, it need a better update process such as Google Chrome and Edge Chromium.

CVE-2021-38503 CVE-2021-38504 CVE-2021-38505 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-38510

The above are current CVEs of High risk in one environment that has decided firefox will no longer be used.

Multiple banks are removing Firefox due to vulnerabilities. They have found as I have told them multiple times that there is no centralized method to ensuring firefox remains up to date. The admx files from github do set the appautoupdate and backgroundappupdate to a value of 1 to indicate updates but all PCs are at different levels from 90.0 to 95.0 and I've found that even with the auto update switch on that many pcs do not auto update due to users leaving firefox up and ignoring the restart. The autoupdate task runs only if the user is logged on and that allows users to browse with an insecure version of Firefox that can lead to data breaches. CVEs lead to threats to exploit the CVE and that leads to risk that leads to data breaches. These CVEs are tracked by the NVD and this puts security in the hands of users instead of the business and the business has decided to remove firefox from their environments due to this fact. I know mozilla is NFP but to maintain firefox in an enterprise environment, it need a better update process such as Google Chrome and Edge Chromium. CVE-2021-38503 CVE-2021-38504 CVE-2021-38505 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-38510 The above are current CVEs of High risk in one environment that has decided firefox will no longer be used.

All Replies (4)

more options

We now update Firefox when it is not running which will help a lot with this problem.

more options

I don't see a Chrome policy that forces the user to restart their browser unless I'm missing something?

https://support.google.com/chrome/a/answer/6350036

So other browsers have this same issue if a user doesn't restart their browser.

more options

We discuss with IBM the same problem and our team has found that google chrome and edge policies do update in the background and their task runs weather the user is logged on or not. Further, the Chrome updates run as system which ensures that the browsers remain current. Lastly, we modify the registry to force the browser to check more often by setting the LastChecked registry key to 0. Chrome and Edge do update without browser restart on over 20,000 of our systems we manage.

Firefox however has the task Firefox Background Update 308046B0AF4A39CB set to run only when the user is logged on and NOT run with the highest privileges. Out teams and IBM have determined that machines where an administrator logs on and remains logged on when the task runs maintains the Firefox update in the background. But when non-admins log on, the task does not have sufficient rights to update in the background meaning that Firefox quickly falls out of compliance on corporate machines where UAC and administrative privileges are limited.

Our empirical testing on thousands of machines has determined that Mozilla could change the task to run both at logon as any user and daily with the highest privileges (system) may be the proper method to maintain currency of Firefox browser as we do in our enterprise customers with Microsoft Edge and Google Chrome.

We do see the benefit of Firefox, it is a safe and robust browser, but it could greatly benefit by enhancing it's background updater to run as system daily to keep the browser updated. Our team would gladly work with Mozilla on this with Mozilla as we specialize in Enterprise Risk Management for some of the world's largest organizations.

more options

Sorry for the major delay on this.

After talking to the team there seems to be something wrong with the install of the Mozilla Maintenance Service.

It definitely should be able to run with elevated privileges and update.

Is it possible the Mozilla maintenance service isn't installed at all?

"as long as the Mozilla Maintenance Service is working properly, there is really no reason that Background Update should need to be run as SYSTEM. We don't need the privileges, really. IIUC, it seems that we are mainly interested in the ability to run a task without a user logged in."

The best way to move forward here would be to open a bug at bugzilla.mozilla.org and we can work with the install team to figure things out.