Why did the bug that disabled all Firefox add-ons occur? Mozilla's CTO Explains Future Challenges


by

geralt

A bug that caused all Firefox add-ons to be disabled at once was reported on May 4, 2019, and Mozilla distributed the latest stable version three days later to fix it. Mozilla CTO Eric Rescorla has written a blog post on what the problem was, how Mozilla dealt with it, and what issues remain to be solved in the future.

What we do when things go wrong | The Mozilla Blog
https://blog.mozilla.org/blog/2019/05/09/what-we-do-when-things-go-wrong/



Add-ons disabled or failing to install in Firefox | Mozilla Add-ons Blog
https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/

Mozilla to Delete Usage Data Collected From Firefox Addon Fix
https://www.bleepingcomputer.com/news/software/mozilla-to-delete-usage-data-collected-from-firefox-addon-fix/

Mozilla to track infrastructure time-bombs in wake of recent Firefox armagadd-on | ZDNet
https://www.zdnet.com/article/mozilla-to-track-infrastructure-time-bombs-in-wake-of-recent-firefox-armagadd-on/

On May 4, 2019, a bug was reported in which Firefox add-ons were disabled all at once and it became impossible to download or install new files. The bug was caused by the expiration of an intermediate certificate, and it was corrected in the latest stable version, 'v66.0.5', released on May 7, 2019. 'Firefox ESR' v60.6.3 and the Android version of 'Firefox' v66.0.5 were also released on the 8th with the same correction.
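The failure mode described above, as an added example that is not Mozilla's code: a Go program that uses the standard `crypto/x509` package to build a constructed root, intermediate and leaf chain and validate it before and after the intermediate expires. The certificate names and every validity date other than May 4, 2019 are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// issue signs a cert for cn with the parent's key (self-signed if parent is nil).
func issue(n int64, cn string, ku x509.KeyUsage, to time.Time, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(n), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, NotBefore: day(2018, 1, 1), NotAfter: to}
	if parent == nil {
		parent, pk = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk))
	return must(x509.ParseCertificate(der)), key
}

// checkAt builds a constructed root -> intermediate -> leaf chain in which only the
// intermediate is short-lived, then validates it as if the clock read at.
func checkAt(at time.Time) (leafInDate bool, chainErr error) {
	root, rk := issue(1, "Example Root", x509.KeyUsageCertSign, day(2030, 1, 1), nil, nil)
	inter, ik := issue(2, "Example Intermediate", x509.KeyUsageCertSign, day(2019, 5, 4), root, rk)
	leaf, _ := issue(3, "example-addon", x509.KeyUsageDigitalSignature, day(2025, 1, 1), inter, ik)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, chainErr = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
	return at.Before(leaf.NotAfter), chainErr
}

func main() {
	fmt.Println(checkAt(day(2019, 5, 3))) // before the intermediate's NotAfter
	fmt.Println(checkAt(day(2019, 5, 5))) // after it: leaf still in date, chain rejected
}
```

The second call shows why the leaf's own expiry date is not the one to monitor: the earliest `NotAfter` anywhere in the chain decides when validation starts failing.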

Technical Details on Firefox Add-on Outage | Mozilla Hacks | the Web developer blog
https://hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-add-on-outage/

Firefox emphasizes add-ons that customize the browser to your own taste and enhance the value of the online experience, and over the past few years the Firefox development team has spent a lot of time making add-ons more secure. However, some add-ons are malicious and intended to harm users, and add-ons are so powerful that it takes a lot of effort to build and deploy a system that protects users from malicious add-ons.

According to The Mozilla Blog, the add-on deactivation that occurred this time was caused by an error in the implementation of such a system. In an effort to protect users from malicious add-ons, Mozilla requires digital signatures on all add-ons, but the intermediate certificate for those signatures expired on May 4th UTC (Coordinated Universal Time) and the time zone Users' add-ons located on the western side of the Pacific due to

To address the issue quickly, Mozilla first released a system extension using its data acquisition system 'Studies'. It was distributed to all users who had enabled Studies, but enabling Studies required uploading usage data to Mozilla. Mozilla therefore ultimately distributed 66.0.4 and 66.0.5 as a way to solve the problem without Studies.



Regardless of their own preferences, users whose add-ons had been disabled turned on telemetry for Studies and sent data to Mozilla, so Mozilla decided to discard all the data collected up to the point when it was distributing the corrected version of Firefox. For users who do not want to upload telemetry data to Mozilla, it also explains how to disable Studies again after having enabled it.

The development team believes that the basic design of the add-on system is stable, and states that the system will be corrected so that similar errors do not occur in the future. CTO Eric Rescorla says that Mozilla 'must first find a better way to track all the status used in Firefox', 'then you need a mechanism to publish updates more quickly', 'And we should look more broadly at the security architecture to provide adequate security while minimizing the risk of add-on corruption.'

The official report of this case is scheduled to be released in the third week of May.

in Software, Posted by darkhorse_log