Mozilla Maintenance Service - a security issue?

by tirial

After version 28, Firefox added a new program, silently loaded when you update Firefox. This bypasses your settings and could be a security hole. Here are some details and how to remove it.

The Mozilla Maintenance Service is controversial. It installs without requesting permission during a Firefox update. From then on, regardless of your settings, it will update your browser automatically without asking or notifying you that it is doing this.

This sounds like a nice feature, until you consider that it is downloading and executing code to change your computer's settings without telling you it is doing it, asking permission, or allowing you to refuse updates. Here are a few of the concerns.


Technological Bias disclosure

I am not a Windows user.

WARNING: I am a Linux user. Unlikely as it sounds, I will still be saying nice things about Microsoft in this article, and less nice about the Mozilla foundation. Competent handling of technology should be acknowledged.

This piece is mainly written to provide information and advice on options. Citations and links will be given to support my arguments throughout.

My experience

I have been using a slightly older version of Mozilla mainly for browser testing. There is still a significant userbase for Mozilla 28 out there and people familiar with the complaints about the 28/29 upgrade will know why. I therefore had auto-updates turned off.

And when I restarted my test browser it was now running Firefox 31. I assumed initially I had hit the wrong button and updated by mistake. Still, this was useless for testing. I rolled it back to 28 by uninstalling and reinstalling, set every about:config update setting to false, blocked updates on the Options tab, and even tweaked user.js, because I didn't want to do the job twice.

Next day? Firefox 31 again. I rolled it back, hit all the update switches to off - again - and turned the antivirus (Avast) to paranoid before connecting to the web again. And if I hadn't been in Process Explorer I would not have seen it start the update. It was something on my system calling out, not an intrusion.

This was when I searched on the web and found more people with the same problem, most of whom were appalled that their settings had been overridden. Mozilla were less than helpful, repeatedly saying people should not be using an outdated browser, and neatly ignoring the issue that they were changing settings on users' computers without consent, and in some cases against their expressed wishes.

This is just one of the user threads:

The Advantages of a silent update

So what does it do?

The Mozilla Maintenance Service is a small program downloaded with most current Firefox updates. It is designed like many Live Update services to pull down updates and update your browser without you having to do anything. This has some advantages obviously:

  • People who are not good with computers can rest assured that their browser will be as up to date as possible.
  • It's less hassle
  • ...

I can't honestly think of any others. There is one for the developers, as obviously it is easier to create updates if everyone is using the same version of the code.

It sounds fairly simple and close to, say, WindowsUpdate or Norton LiveUpdate. Unfortunately, it isn't.

What is the Mozilla Maintenance Service?

Put very simply, the Mozilla Maintenance Service was meant to be LiveUpdate for Firefox: a program that runs in the background and keeps your browser patched and up to date. It sounds simple, so how controversial can this be?

  • It installs without requesting consent or informing you that it is being installed
  • It creates no shortcuts or updates to let you know it has been installed
  • It performs updates silently, without letting you select or decline patches
  • It ignores the previous user settings on downloads - you can have the standard settings to only download with permission checked and it will ignore them
  • It does not come with an uninstaller.
  • It downloads and executes code on your machine as Administrator without your knowledge.

For me, none of these are really acceptable, but the last one is the huge problem. That can be very badly misused, and the safety precautions in most LiveUpdates to prevent malicious code execution are turned off by default. The fact it runs as Admin bypasses many security procedures and even some anti-virus programs.

How is this different from Windows Updates?

Isn't it impossible to spread a virus this way?

Windows Update asks you to configure how often you want the system to update and whether you want to allow it, and lets you choose exactly which updates you want. This is important, as it means that if there is a problem with an update, you can hold off on downloading it until it is fixed.

For example, a few years back there was a problem with a Windows XP update that conflicted with the ZoneAlarm firewall. Users could simply skip that update and wait for the patched one, which came out a few days later.

If this had been Firefox's Mozilla Maintenance Service, machines would simply have stopped working the moment they were connected to the web, and users would not have known why, or been able to stop it.

Isn't it impossible to spread a virus this way?

For anyone wanting to see how such a system can be abused even with precautions, see the Flame virus, also known as the WindowsLiveUpdate virus*. Cnet has details here: 

Under the same principle it would only be a matter of time before someone released the Firefox Maintenance Service.

Any users who had "click to confirm you want to install updates" under Microsoft Updates set were safe if they clicked no to the update. Mozilla Maintenance Service doesn't have this setting.

*(no, the claims of a WindowsLiveUpdate virus weren't entirely a hoax. Some emails were hoaxes, usually the ones that told you to damage your PC, but other people heard about Flame and got the name wrong when they passed on a warning.)

Why might users want an outdated browser?

There are reasons to run an outdated browser, even some to run it as your main browser as long as you have taken security precautions with secondary programs including firewall and anti-virus.

  1. Compatibility testing - not all users update regularly (see how many XP users there are out there?) and if you are building a website it is as well to make sure it can run in all browsers. Not all browsers interpret even basic HTML the same way.
  2. An add-on not supported by later editions of the browser - For example the very popular Forecastfox (https://addons.mozilla.org/en-US/firefox/addon/forecastfox-weather/reviews/) is not supported in later versions.
  3. Look and Feel - Mozilla's main suggestion is that refusal to upgrade is purely about how Firefox looks. If this is your reason, then the classic theme restorer, available from https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/ will provide an older look and feel.
  4. Objecting to MMS - yes, objecting to the updating service is a reason not to update your browser.
  5. Personal Preference - it's a reason, not necessarily a good one, but it is still a reason.

How to prevent silent updates

Disabling or removing the MMS

There are two ways to do this.

1) Turn it off.

Caution: the standard about:config settings do not work - they can all be set to false and the MMS will still update your machine. Instead go to:

Tools>Options>Update

There is a new checkbox here saying "Install using background service". Uncheck it.

This description is misleading, because even if you have "Check for updates, but let me choose when to install them" checked, the MMS will simply silently install the updates. As long as that box is checked, the MMS will download and run files when Firefox runs.

2) Remove It

To my great irritation, it does not come with an uninstaller, or create a desktop or startup shortcut. Worse, it is not uninstalled when Mozilla is removed. I uninstalled Firefox twice and the service remained on the PC until manually removed.

Depending on your OS, the procedure varies. Here are three links to how to remove a program on common versions of Windows:

Windows XP: http://support.microsoft.com/kb/307895

Windows 7/Vista: http://windows.microsoft.com/en-us/windows7/Uninstall-or-change-a-program

Windows 8: http://windows.microsoft.com/en-us/windows-8/uninstall-change-program

You will need to look for the Mozilla Maintenance Service on the list. It is normally right below Mozilla Firefox.
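To check what is actually installed before and after following either step, the script below reports the service's state, start mode, the account it runs under, and who signed its binary. It is an added example, not code from this article or from Mozilla; it assumes PowerShell 3.0 or later, the short service name `MozillaMaintenance` (not given in the article, so the display name is matched as well), and a hypothetical `-Disable` switch.

```powershell
# Added example: audit the Mozilla Maintenance Service on Windows.
# Assumption: the short service name 'MozillaMaintenance' is not given in the
# article; the display name used in the article is matched as a fallback.
param(
    [switch]$Disable   # hypothetical switch: also stop and disable the service
)

$filter = "Name='MozillaMaintenance' OR DisplayName='Mozilla Maintenance Service'"
$services = @(Get-CimInstance -ClassName Win32_Service -Filter $filter)

if ($services.Count -eq 0) {
    Write-Output 'Mozilla Maintenance Service is not installed.'
    return
}

foreach ($s in $services) {
    # PathName can be quoted and can carry arguments; keep only the executable.
    $exe = $s.PathName
    if ($exe -match '^\s*"([^"]+)"') {
        $exe = $Matches[1]
    } elseif ($exe -match '^\s*(.+?\.exe)') {
        $exe = $Matches[1]
    }

    # Check who signed the binary that the service will run.
    $sigStatus = 'FileNotFound'
    $signer = $null
    if (Test-Path -LiteralPath $exe) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $sigStatus = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Name      = $s.Name
        State     = $s.State        # Running / Stopped
        StartMode = $s.StartMode    # Auto / Manual / Disabled
        RunsAs    = $s.StartName    # account the service executes under
        Binary    = $exe
        Signature = $sigStatus
        Signer    = $signer
    }

    if ($Disable) {
        # Needs an elevated prompt. This leaves the files in place; removal is
        # still done through the Windows program list as described above.
        Stop-Service -Name $s.Name -ErrorAction SilentlyContinue
        Set-Service -Name $s.Name -StartupType Disabled
    }
}
```

Running it again after a Firefox update or reinstall shows whether the service has come back.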


In conclusion

I hope this has been an informative article, and helped you get an idea of why silent auto-updates can be considered a security problem. Rather than saying that people should remove it, I simply want to make sure that people know they can, and how to do it. It's not what you choose - it's about knowing you have a choice.

Updated: 09/05/2014, tirial
 

Comments

tirial on 09/04/2014

I tend to use Opera as my second Windows browser, since it is one of the most similar to Firefox. I think it may be taking over as my primary browser soon.

frankbeswick on 09/04/2014

I also had some minor problems with Mozilla, Emma. There was a program that my job as an examiner makes me use which could not be accessed on Mozilla, but it could be on Internet Explorer. I do not use it now.

