Mozilla and Firefox 5: Upgrade or Die!
In shifting gears to a faster pace of development and release, Mozilla has opted to abandon security support for Firefox 4 immediately upon the release of version 5, which came out this week. This could be a risky move, since many users neglect to update their browsers immediately for various reasons, despite the pop-up reminders Firefox periodically displays.
Jun 24, 2011 5:00 AM PT
Mozilla released Firefox 5 earlier this week, just three months after rolling out Firefox 4 and a month after it released version 5 in beta.
Version 5 has "more than 1,000 improvements," which include the "Do Not Track" privacy feature and support for the CSS Animations standard, among other things.
In its rush to make the Web better, however, Mozilla is taking criticism for not making it especially clear to users that it would stop issuing vulnerability patches for Firefox 4.
That has given rise to concerns that users who delay updating for various reasons may not realize they'll lack protection against the latest malware.
"Firefox 5 is the security update for Firefox 4, and we do not plan to release a Firefox 4.0.2," Johnathan Nightingale, the Mozilla Foundation's director of Firefox engineering, told TechNewsWorld.
Should Mozilla have more forcefully notified Firefox 4 users that they have to upgrade to version 5? Should it include automatic updates instead of just sending users a pop-up window reminding them to update their browsers?
Fear and Loathing in the Browser Update World
The rapid-fire release of browser updates -- Mozilla aims to issue a new version every three months -- may leave some users bewildered and others bothered.
One issue some users have pointed out is that Firefox add-ons and plug-ins aren't updated in sync with the release of new versions of the browser.
That might leave users in a quandary: Lose your plug-ins or lose your security.
"Users who don't wish to update are exposing themselves to potential security risks," James Reid, manager of threat research at Webroot, told TechNewsWorld.
"On the other hand, upgrading now may create issues with existing plug-ins, which may not immediately be supported in Firefox 5.0," Reid said.
Incompatibility between users' Firefox add-ons and version 5 of the browser could be one of the main reasons they may delay upgrading their browsers, suggested Francis Brown, managing partner at Stach & Liu.
Add-ons are one of the key reasons for Firefox's popularity.
In retrospect, Mozilla could perhaps have been more explicit about dropping security support for Firefox 4, Brown remarked. For example, it could have included a note about terminating security support for version 4 in the notification prompt to upgrade to Firefox 5, he said.
Gotta Go With the Update Flow
The need for online security may outweigh users' reasons for not upgrading their browsers.
"This isn't like Microsoft Office or an operating system, where it makes sense to stay with an earlier version for compatibility or cost reasons," Jim McGregor, chief technology strategist at In-Stat, told TechNewsWorld.
"You get Mozilla's software for free, and consumers should know by now that, just like they do for Adobe Acrobat or Flash, they should update their browser whenever an update is available," McGregor said.
"As a manager of threat research, I consider the benefits of patching known browser vulnerabilities more important than many of the inconveniences that may come along with early adoption," Webroot's Reid affirmed.
Should We Get Updates on Autopilot?
Google automatically updates its Chrome browser in the background, so it's always protected against the latest threats, a practice that perhaps paid off when it survived the Pwn2Own 2011 competition unscathed earlier this year.
Opinion is divided on whether other browser vendors should follow Google's lead.
"For the average user, I recommend automatic updating of their browser, the way Chrome does, as many users simply ignore updates otherwise," Webroot's Reid stated.
Automatic updates would be a good thing because browsers are a security feature, In-Stat's McGregor said.
However, automatic updating of the Firefox browser will reduce its appeal, Stach & Liu's Brown told TechNewsWorld.
"One of the best things about Firefox is the degree of control and customization that users have over the browser," Brown pointed out.
"I think giving the end user the option to install updates now or wait until a more convenient time to do so is definitely the right approach," Brown explained.
The Paradox of Speed and Security
The release cycle for new versions of browsers has been drastically shortened as the players seek to trump each other's products with newer and better ones.
That bumped-up product cycle has both advantages and disadvantages.
"Security is typically the first area to be sacrificed when developers are under increased pressure to get out new software releases," Stach & Liu's Brown pointed out.
"The industry will need to be vigilant in scrutinizing the security of new browser releases," Brown warned.
On the other hand, hackers are ramping up their assaults and coming up with inventive new attacks, so browsers whose vendors lag in issuing an update pose a security risk.
"Hopefully, this rapid release approach will also result in the faster patching of security vulnerabilities," Brown remarked.
That's exactly what Mozilla thinks.
"By releasing small, focused updates more often, we are able to deliver improved security and stability even as we introduce new features, which is better for our users, and for the Web," Mozilla's Nightingale said.
"If a serious security issue is found between regularly scheduled Firefox updates, we will release an interim update quickly, as we always have," Nightingale stated.