Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Firefox 3.6 EOL - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Firefox 3.6 EOL

Ever since Mozilla started its controversial new versioning scheme, Firefox 3.6 was still maintained as a stable and supported version of Firefox. Today, Mozilla announced that Firefox 3.6.28, to be released "over the next few weeks", will be the final version of Firefox 3.6. As of April 24th, no more security fixes will be published for Firefox 3.6

Of course, the Firefox version number is at first just a number. One could consider the just released Firefox "11" more like a Firefox 4.11.0 (or 5.11.0). However, plugins and extensions have never quite caught up to the new versioning scheme. 

A Firefox add-on XPI file is a "zip" file, that once unpacked reveals a number of components, including a "install.rdf" file, which among other settings governing the install of the extension lists the range of version numbers for which a certain extension will work. Developers usually do not include future major versions as changes to the extension API and to the Firefox feature set will make it necessary to adapt the extension. This will require extension developers to consistently maintain and update extensions as Firefox releases new major versions.

In some ways, this may be a good thing as this will remove unmaintained extensions. In other ways, developers of valuable extensions may get discouraged by this practice. As a user, you could edit install.rdf file, and modify the range of supported versions. I have done this in a couple cases myself, and had decent succes. However, there is a good chance that this will fail in some cases.

http://blog.mozilla.com/futurereleases/2012/03/23/upcoming-firefox-support-changes/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Security West 2019

Johannes

3481 Posts
ISC Handler
BTW FF 3.6.28 has been out since 3/13, based on the release notes date.
FTWMike

24 Posts
Actually, they changed this again, starting with Firefox 10. Add-ons are now compatible with new Firefox versions by default unless explicitly marked otherwise, at least for add-ons hosted on addons.mozilla.org.
Vincent T

14 Posts
I think the trendy version number race was originally only meant to impress end-users, but seems to have left developers confused too. It sends a signal that 'this is a new major release, introduce whatever new features/breakage you like', and suggests to add-on developers that the UI or APIs can never be assumed to be stable.

Fortunately there is a long-term stable ("ESR") series starting with 10.0.3esr; it's kept well hidden on Mozilla's websites in case end-users should accidentally benefit from using it, but the builds can be found within ftp.mozilla.org/pub/mozilla.org/firefox/nightly/ or in Debian's iceweasel packages for their upcoming Wheezy release.

I'm keen to see how browser security (is that not trendy these days?) will hold out between FF 10 ESR against the latest and numerically greatest.
Steven C.

171 Posts
I also don't see what's so special about Firefox 4 5 6 7 8 9 10 11 12 15 25 50 100 1000...... It's just a numbers race between IE and Chrome.

I've found that more often than not, the newer versions of Firefox break websites I use. That's the real reasons I use 3.6.x.
Anonymous
A colleague found 10.0.3esr at http://www.mozilla.org/en-US/firefox/organizations/all.html but it wasn't easy. Sadly though like 11 it won't display the Oracle SGD admin console... (3.6.x was the last version to do that)
Anonymous
Good info at https://wiki.mozilla.org/Enterprise/Firefox/ExtendedSupport:Proposal
including a nice visual for the timelines involved.

Listed under "Risks" at that URL is this gem:
"Over time the ESR will be less secure than the regular release of Firefox, as new functionality will not be added at the same pace as Firefox, and only high-risk/impact security patches will be backported. It is important that organizations deploying this software understand and accept this."
Ben T

4 Posts
@DurangoBnT wow maybe they're right, I certainly mioght feel insecure without my fancy bleeding-edge 3D DOM viewer or whatever new 'standard' HTML5 feature someone dreamt up last week.

The proposed 1-year lifespan of the branch is still quite unimpressive to what enterprises and vendors may expect (or already get, with IE). And from the crazy perspective expressed on that Wiki page I wouldn't be surprised if they cancel all support for this before they even get to Firefox 17.

"There is the potential for confusion among Firefox users between the regular release of Firefox and the ESR," but how much more confusing really is the existence of a (well-hidden) 10.0.x stable branch to users who are anyway going to get 6 major releases, undoubtedly with UI changes, offered to (or forced upon) them in the same duration?
Steven C.

171 Posts
To change your update channel:
1. Close Firefox.
2. Go to the Firefox program directory.
3. Enter defaults\pref
4. Edit channel-prefs.js in Notepad.
Change:
pref("app.update.channel", "release");
to the one you desire. Update channels to choose from:
nightly
aurora
beta
release
Example:
pref("app.update.channel", "beta");
5. Save and exit.
6. Re-open Firefox.
To check the change, open about:config and enter: app.update.channel. The channel should now be the one you chose.
Reference: http://kb.mozillazine.org/App.update.channel
Steven C.
9 Posts

Sign Up for Free or Log In to start participating in the conversation!