November 27th, 2011 UK

Silent updating might be some-more accessible to consumers, though it will additionally entice hacker exploitation of a process, a confidence consultant warns

As a proceed to speed up a routine of updating Firefox, Mozilla engineers have been mulling over a wordless refurbish feature, which a single confidence consultant argues is a bad idea.

Currently, when Firefox detects an accessible update, it lets you know and if you determine to implement it, a browser launches a updater program. That module downloads a update, relates it to Firefox, and restarts a browser. While all which is happening, you’re twiddling your thumbs examination a swell club upon your resource screen.

[ Get your websites up to speed with HTML5 currently regulating a techniques in InfoWorld's HTML5 Deep Dive PDF how-to report. | Learn how to secure your Web browsers in InfoWorld's "Web Browser Security Deep Dive" PDF guide. ]

To dress a loiter time in a stream updating process, a Firefox group is deliberation a “silent” alternative. Instead of behaving an refurbish in a foreground, updates would be downloaded in a credentials and commissioned upon a duplicate of a browser in a new directory. The initial time which you launch Firefox after an refurbish has been completed, your aged chronicle of Firefox is substituted out for a new version. “In this scenario, you approaching won’t notice which Firefox has practical an refurbish as no UI is shown,” Firefox Engineer Ehsan Akhgari not long ago wrote in a Mozilla blog.

“Now, a reason which this proceed fixes a complaint is which swapping a directories, distinct a tangible routine of requesting a update, is unequivocally fast,” he added.

Fast though dangerous?
It might additionally be unequivocally dangerous, according to Philip Lieberman, a owner and boss of Lieberman Software, a builder of cue government solutions located in Los Angeles.

“While most IT confidence systems will have to be reconfigured to concede credentials updates to Firefox–which is not a great thing in a initial place–there is risk which hackers could mishandle a refurbish complement to concede them back-door entrance to a user’s computer,” Lieberman wrote currently in Business Computing World.

Sure, wordless updating might be some-more accessible to consumers, a confidence consultant noted, though it will additionally entice hacker exploitation of a process. “If, as you consider appears utterly likely, hackers begin retreat engineering a Firefox credentials updating system–and recollect you have been articulate about open source program here–then it is usually a make a difference of time prior to they mishandle this auto-updating resource to speak up malware,” he wrote.

Later this week during a discussion in India, he continued, it’s approaching which a initial bootkit for Windows 8, which hasn’t even entered a mainstream yet, will be demonstrated by White Hat hacker Peter Kleissner. “It doesn’t take a programming might to figure out that– opposite a backdrop of a Windows 8 bootkit–it shouldn’t be formidable to mishandle a credentials updater for a square of open source program similar to Firefox 10,” Lieberman reasoned.

He maintains which entrance to a updating processes upon a resource should be in a hands of people with executive privileges. That’s loyal upon corporate systems, though it’s additionally loyal upon consumer systems so which owners can carry out what a square of program does to their machines.

The awaiting which administrators would have to give up their carry out of a refurbish routine is a single which should cause both administrators and consumers to howl. “And for a really great reason which this is a recipe for a hacker confidence intrusion in a background,” Lieberman declared.