Mozilla issues fix after it lets cert expire and Firefox add-ons go belly-up

Credit to Author: Gregg Keizer | Date: Mon, 06 May 2019 12:21:00 -0700

Mozilla over the weekend scrambled to come up with a fix for a bug that crippled most Firefox add-ons.

Engineers issued an update for the desktop browser Sunday afternoon that addressed the issue. That update followed a Saturday hotfix released via a little-known component that lets Mozilla feed pre-release code to Firefox users and then collect data from the browser.

The problem was traced to the certificate used by Mozilla to digitally sign Firefox extensions. When the organization neglected to renew the certificate, Firefox assumed the add-ons could not be trusted – that they were, in other words, illegitimate at best, potentially malicious at worst – and then disabled any already installed. Add-ons could not be added to the browser for the same reason.

Mozilla acknowledged the screw-up Saturday. “We’re investigating an issue with a certificate which may cause your @firefox extensions to stop working or fail to install,” the company’s Add-ons Twitter account stated.

Some users were livid. “How much longer? This is nuts,” ranted aa_lique in a message to a support thread. “Nothing is working now.” Others threatened to dump Firefox or said they’d already switched to a rival.

A few took it in stride and asked others to calm down. “Your lives will not be permanently ruined … don’t go hyperventilating,” advised scruffy1. “Breathe in, breathe out; it will be better soon.”

Mozilla crafted a temporary fix for the desktop versions of Firefox and pushed the patch to the browser using the Studies system. Mozilla uses Studies to push test code, sometimes for new features, to a subsection of the Firefox user base; the organization has also used Studies to collect data on users’ reactions to sponsored content.

The highlighted “study” was actually a hotfix pushed to Firefox starting on Saturday to address the crippled add-ons debacle. Mozilla issued a browser update on Sunday.

Studies is switched on by default, something that likely surprised most users. To change Studies’ settings, users should call up Firefox’s Preferences, select “Privacy & Security” from the pane on the left, scroll to the “Firefox Data Collection and Use” section, then check or uncheck the box labeled “Allow Firefox to install and run studies.”

(To view the completed studies and those underway, users can type about:studies in the address bar and press Enter/Return.)

Mozilla used Studies to deploy the hotfix as soon as possible rather than make users wait for a full browser update. Some reported that they didn’t receive the hotfix or that it had not enabled Firefox’s add-ons.

Sunday afternoon, Mozilla shipped a Firefox update – 66.0.4 – that corrected the certificate chaining error and put things right. “There are remaining issues that we are actively working to resolve, but we wanted to get this fix out before Monday to lessen the impact of disabled add-ons before the start of the week,” wrote Kev Needham, a product manager on the add-ons team, in a post to a company blog. The “remaining issues” Needham mentioned included themes that may need to be enabled manually and some add-ons that must be reinstalled.

Also updated: Firefox on Android and Firefox ESR (Extended Support Release), the enterprise-grade version that stays feature-static for a year or more.

Although Mozilla acted quickly – the Firefox update was available about 48 hours after reports began flooding social media – the certificate gaffe may trigger desertions. Firefox, whose user share languished over much of the past year in the single digits, doesn’t have room for error. Mozilla’s browser last month had less than a sixth of the share of Google’s Chrome and only 70% of Microsoft’s two browsers, Internet Explorer and Edge.
