Firefox bypasses UAC. Palemoon seems much safer.

Computer Help and Discussions The Lounge
1

I have just seen this comparison relevant to updating (auto or not) between the two browsers, posted Thu May 03, 2012 10:34 am

http://forum.palemoo...&t=710&start=20

Firefox, with silent updates:

  • Keeps the browser at the latest version at all times (if the service works as it should), without you having a say in it.
  • Keeps users actively ignorant of updates (especially if the version number is removed) "Are you running the latest version?" "I don't know"/"I assume so"
  • Provides a startup load point with the windows service (unnecessary resource use)
  • Has a system-level service that has administrative privileges and internet access - a potential security risk
  • Bypasses UAC, that is there for the user's protection

Pale Moon, without silent updates:

  • Keeps the user informed about new versions at all times
  • Provides choice when to download and update, with a recommendation to update asap
  • Keeps users actively aware of updates and installations happening on their system
  • Asks for a single click on the UAC confirmation dialog box, that is there for the user's protection

Pale Moon doesn't cause people to not be updated. Pale Moon is therefore no less secure than a silently updated browser (which seems to be the strange notion I taste in this thread's discussion...).

It's not about if the browser is kept up-to-date, it's about how the browser is kept up-to-date.

If people make the choice not to update, it is their own risk. People are still allowed to take their own risks, right? Besides, most "security vulnerabilities" are theoretical - any that are actually used in the wild are usually dealt with on very short notice.

In the end the silent update can be considered less secure, even regardless of the implementation of it: People are relying on a hidden process that does not inform them if it is working as it should or not. If it's not working as it should, people are given a false sense of security. Botnets exist because people are not aware of the state of their software; silent updates only provide another level of keeping people unaware.

I actually switched from using Firefox to Pale Moon so that I would not be pressured into a frequent cycle of irrelevant updates,

and yet I needed to use the same addons with a very familiar browser.

This was before I knew the potential security risks,

Personally I do not use UAC for myself, so loss of UAC means nothing to me, but it means something to the majority of users.

I would horrified by the realization that any website that I visit has instant knowledge of my operating system and my browser,

and if that site is bad or has been compromised then malware on that site might trigger an imitation Mozilla Silent Update,

and use system-level administrative privileges in a silent no-click attack that wreaks havoc.

Internet Explorer and Active 'X exploits pale into insignificance.

I am so thankful that I now use Pale Moon.

Regards

Alan

2

I believe the service installation is optional, isn't it?

I always use the custom install...

3

Options are not optional for the masses that jump through the hoops that Mozilla puts in front of them.

For those of us that know better it may be optional,

and even if not I am sure we can disable the service,

but then every time the browser is been launched the service might be restarted before the first site is visited :o

Alan

4

That Mozilla Maintenance Server updater can be uninstalled. You can also configure Firefox to work the old way of asking you to update:

Untitled.jpg

5

That Mozilla Maintenance Server updater can be uninstalled. You can also configure Firefox to work the old way of asking you to update:

We may have that capability,

BUT the "recommended: improved security option" option fails to advise that any external internet presence appearing to be Mozilla has authority to bypass UAC and to install whatever it likes.

Could this form the basis for Botnets based solely on Firefox Browsers :o

6

"Improved security" blah, don't think so as there's probably many undocumented/unfound exploits. More falls back to what actual security software people have installed to actually protect them.

7

We may have that capability,

BUT the "recommended: improved security option" option fails to advise that any external internet presence appearing to be Mozilla has authority to bypass UAC and to install whatever it likes.

Could this form the basis for Botnets based solely on Firefox Browsers :o

Maybe, but isn't it more likely that older versions will be hit harder as newer ones plug more holes?

FF doesn't have permission to bypass it on mine, because I always use manual updates, & I always use custom installs.

Botnets... ah yes, well, things happen! But I ain't worried, cause we all die one day... What's worse than that? -> Botnet? :o

8

I actually switched from using Firefox to Pale Moon...

I just switched today, it's a perfect replacement since I can use the add-ons/theme I like.

I hope this fixes one of the main annoyances I had using Firefox for the past two or so years when clicking some links and it wouldn't notice the click forcing me to double-click them.