Mozilla releases Firefox 66.0.4 with fix for disabled add-ons issue


Mozilla has released an update today for Firefox that fixes the issue with an expired signing certificate that disabled add-ons for the vast majority of its userbase over the weekend.
"A Firefox release has been pushed - version 66.0.4 on Desktop and Android, and version 60.6.2 for ESR. This release repairs the certificate chain to re-enable web extensions, themes, search engines, and language packs that had been disabled," Kev Needham, a member of the Firefox Add-ons team, said today.
"There are remaining issues that we are actively working to resolve, but we wanted to get this fix out before Monday to lessen the impact of disabled add-ons before the start of the week," Needham added.
Expired certificate snafu
If you're not a Firefox user and you're wondering what this is all about, the update addresses the biggest epic fail in Mozilla's history.
On the night between Friday and Saturday, on May 4 at 12:00 am UTC, the digital certificate that Mozilla was using to sign Firefox add-ons (also called extensions) expired. Mozilla was using this certificate to verify that extensions installed in users' browsers are the same extensions that are hosted on the official Mozilla Add-ons portal.
Once the certificate expired, Firefox browsers couldn't verify the authenticity of locally-installed extensions, and immediately disabled all add-ons in users' browsers.
Additionally, users couldn't re-enable extensions, nor could they install new ones from scratch for the same reason (the signing certificate having expired), leaving most of Mozilla's 100+ million users without a simple way to re-enable extensions.
The Tor Browser, a Firefox-based off-shoot that also relies on Mozilla's Add-ons site for extensions, also had a crucial extension disabled, weakening the privacy-first browser's overall security posture.
Temporary patch came under criticism
Users came up with various hacks to re-enable extensions, and so did Mozilla, which rolled out a temporary patch a few hours after the certificate expired.
This temporary patch used the built-in Firefox Studies feature to ship a "study" that added support for a new signing certificate.
However, this temporary solution didn't reach all users. This was because "Firefox Studies" was disabled for users who didn't agree to send telemetry data back to Mozilla.
The Firefox disabled extensions patch requires the Studies feature to be enabled. However, you can't seem to be able to activate Studies without also allowing Firefox to send telemetry to Mozilla. Not good. pic.twitter.com/mv5k1wtwGf
— Costin Raiu (@craiu) May 5, 2019
For anyone spreading conspiracies that the study rolled out by @mozilla @firefox to fix the issue with add-ons is malicious. If you unzip the file and view the source code of the study you can see exactly what it does. It injects the new certificate and nothing more. It's safe! pic.twitter.com/gOPfVS4N1d
— Nathaniel Suchy (They/Them 🏳️🌈) (@nathanielrsuchy) May 5, 2019
The good news is that Mozilla doesn't anticipate new problems after the update to Firefox 66.0.4, which should fix the "disabled add-ons" issue for all users.