Firefox 37.0.2 Released

Mozilla released an update to the Firefox 37 branch on Monday, April 20th with the Firefox 37.0.2 release. This update addressed these issues:

Depending on their update settings, users will be prompted to update within the next 24-48 hours. Users can also manually update by going to the Firefox Help Menu and selecting About Firefox and follow the prompts to update. Alternatively users can also down and manually install the update via site.

The next planned release for Firefox is Firefox 38/Firefox 38 ESR on May 12, 2015.

More about Extension Signing

Back in February we mentioned Extension Signing Coming Later in 2015. Recently the Mozilla Add-ons Blog posted a follow up The Case for Extension Signing. There is a lot of interesting information in this article, including this very shocking statistic which puts into prospective just how badly broken the current Mozilla Firefox add-on system is:

The Web experienced by tech-savvy developers, however, is not the Web experienced by most people. While only fourteen add-ons hosted on our site have more than a million users, and only two of those have more than 3 million, many tens of millions of users have non-hosted add-ons that were installed without their informed consent. Users run the risk of picking up unwanted extra add-ons and other software every time they download software over the Internet. Even updates of software that many users find indispensable or software from download sites run by trusted news organizations come bundled with these unwanted extras. Their Internet experience is being shaped by these third party add-ons in ways they did not choose and that benefit third parties and not the user. Most of these unwanted add-ons are advertising related in some way, tracking user actions and altering content. These add-ons are not created with user security in mind and can break fundamental browser security. These violate another of Mozilla’s basic principles: Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.

Many of the complaints I see at Go Firefox! are about these unwanted advertising/tracking add-ons (extensions/toolbars). The users can’t understand how these add-ons get installed. In almost every case it was something else they were installing which secretly added the add-on. Most of these software developers bury the option (usually under Custom Install) to install or not install the add-on. Then they try to protect themselves by disclosing (usually buried) in their End User License Agreement (EULA) or their Terms of Service about this optional (in that you need to choose NOT to install it) extension. Worse yet though are the updates for Anti-Virus programs, content plugins such as Flash and Java almost always are trying to sneak some type of add-on into Firefox. In the case of Adobe Flash, the option to opt-out is in plain site, but many users just keep clicking ‘next’ and not paying attention to the prompts.

This is not the first time Mozilla has tried to get a handle on the installation of unwanted add-ons. Almost three and half years ago in November 2011 with Firefox 8, Mozilla had introduced a couple add-on control features. One of these features was to ensure that an add-on installed outside of Firefox, would only be enabled if the user choose to do so. The user would get a pop-up message the next time they started Firefox following the installation of the add-on asking if they wished to authorize this add-on. It looks like that mechanism is still there, but I guessing like so many other safe-guard systems Mozilla as added over the years, it has been circumvented by these malicious developers.

Many developers have asked why we can’t make this a runtime option or preference. There is nowhere we could store that choice on the user’s machine that these greyware apps couldn’t change and plausibly claim they were acting on behalf of the user’s “choice” not to opt-out of the light grey checkbox on page 43 of their EULA. This is not a concern about hypotheticals, we have many documented cases of add-ons disabling the mechanisms through which we inform users and give them control over their add-ons.

While the Extension Signing may put a developers who don’t host their add-ons on AMO, I think it is one of the better options. Some extension developers have asked about getting their own (code-signing) certificates.

The other common question is why developers can’t have their own certificates and sign their own add-ons. This would require Mozilla to function as a Certificate Authority which is currently not in our expertise. It also means we would not be able to run security scans on the add-on code. The only thing preventing a malicious add-on in that case would be the strength of our contracts requiring non-malicious code and our ability to bring legal action should those contracts be breached. This approach would favor established companies in jurisdictions where we have offices and would be extremely unfair to individual developers, especially those outside those regions. We feel the community would be better off if we put our resources into the review and scanning process that can treat everyone equally rather than setting up a certificate issuing infrastructure.

Two problems I see with this scenario right off the bat. First a code-signing certificate runs about $200 USD per year per extension. For many of these extension developers it is a side project. They saw something that could be changed with Firefox they felt would be beneficial to the users. Developers are already burdened with the costs of the space as well as the bandwidth for hosting their extension(s). Most developers don’t charge for their extensions, simply they ask for a donation. So to add another $200 per year (again per extension) would make it too costly for these developers to self-host their extensions (though I not sure of their reasoning for not hosting through AMO). Second and more importantly, Mozilla (unlike Microsoft and Google) is a non-profit organization. I could foresee Mozilla taking “legal actions” as a major burden on their finances which could result in them having to cut or even stop funding on other projects.

Greasy Scripts finds userscripts

“Remember Greasefire? It was an add-on for the Firefox browser that would alert you whenever userscripts were available for sites that you visited in the browser.
“The extension used userscripts-org as its source, a site that is no longer available. Since it has not been updated since 2012, it is not working either anymore because of this.
“Enter Greasy Scripts, a brand new add-on for Firefox that brings the functionality back to life, albeit in a slightly different form.
… “

Source: gHacks Tech News
--->“> <a href=Greasy Scripts finds userscripts on sites you visit in Firefox

‘Couldn’t load XPCOM’ Error on Startup

This seems to be a common error some people encounter with Firefox. First, XPCOM has nothing to do with Windows XP, rather it is Cross Platform Component Object Model. It is a cross-platform component model from Mozilla (more info at Wikipedia). Not sure what causes this error other than a file or files for XPCOM in the main Firefox uninstall some how get removed or corrupted. However, the fix is fairly simple and painless: re-install Firefox.

Uninstalling Firefox will NOT remove your profile folder or settings, it simply removes the Firefox browser from your computer. Once you have removed Firefox, (using another browser) go to to download the latest version of Firefox. Once you complete the installation, Firefox should launch without issue and with your profile.



What you do when Firefox uses too much memory

“… While memory usage has improved significantly in recent years, complaints about it have not stopped. If you browse sites like Reddit for example, you still find user’s complaining about the memory hog Firefox today.
“Here are tips to analyze the issue in Firefox
“The first thing you should do is run Firefox without add-ons and customizations. Each add-on or extension you install may add to the browser’s memory usage. Some add-ons, like Adblock Plus for example, may use more memory than the browser itself. …”

Source: gHacks Tech News
--->“> <a href=What you do when Firefox uses too much memory