Rapid releases and security

Several people have asked me whether Mozilla's move to rapid releases has helped or hurt Firefox's security.

I think the new cadence has helped security overall, but it is interesting to look at both the ways it has helped and the ways it has hurt.

Security of new features

With release trains every 6 weeks, developers feel less pressure to rush half-baked features in just before each freeze.

Combined with Curtis's leadership, the rapid release cycle has made it possible for security reviews to happen earlier and more consistently. When we need in-depth reviews or meetings, we aren't overwhelmed by needing twenty in one month.

The rapid release process also necessitated new types of coordination, such as the use of team roadmaps and feature pages. The security team is able to take advantage of the new planning process to track which features might need review, even if the developers don't come to the security team and ask.

Security reviews are also more effective now. When we feel a new feature should be held back until a security concern is fixed, we create less controversy when the delay is only 6 weeks.

Security improvements and backports

Many security improvements require architectural changes that are difficult to backport to old versions. For example:

  • Firefox 3.6 added frame poisoning, making it impossible to exploit many crashes in layout code. Before frame poisoning, the layout module was one of the largest sources of security holes.
  • Firefox 4 fixed the long-standing :visited privacy hole. Mozilla was the first to create a patch, but due to Firefox's long development cycle, several other browsers shipped fixes first.
  • Firefox 6 introduced WeakMap, making it possible for extensions to store document-specific data without leaking memory and without allowing sites to see or corrupt the information. Extension authors might not be comfortable using WeakMap until most users are on Firefox 6 or higher.

Contrary to the hopes of some Linux distros and IT departments, it is no longer possible to backport "security fixes only" and have a browser that is safe, stable, and compatible.

We're constantly adding security features and mitigations for memory safety bugs. We're constantly reducing Firefox's attack surface by rewriting components from C++ into JavaScript (and soon Rust).

Disclosure windows

One area where rapid releases may hurt is the secrecy of security patches.

We keep security bug reports private until we've shipped a fix, but we check security patches into a public repository. Checking in patches allows us to test the fixes well, but opens the possibility of an attacker reverse-engineering the bug.

We check security patches into a public repository for two reasons:

  • We cannot rely entirely on in-house testing. Because of the variety of websites and extensions, our experience is that some regressions introduced by security patches are only found by volunteer testers.
  • We cannot ship public binaries, even just for testing, based on private security patches. This would violate both the spirit and letter of some open-source licenses. It also wouldn't be effective for secrecy: attackers have been using binary patch analysis to attack unpatched Microsoft software. (And that's without access to the to the old source!)

But we can shorten and combine the windows between patch disclosure and release. Instead of landing security patches on mozilla-central and letting them reach users in the normal 12-18 weeks, we can:

  • Land security fixes to all active branches at once. This may be safer now that the oldest active branch is at most 18 weeks old compared to mozilla-central. (In contrast, the Firefox 3.6.x series is based on a branch cut 2009-08-13, making it 24 months old.) But even 18 weeks is enough to create some regression risk, and it is not clear which audiences would test fixes on each branch.
  • Accelerate the channel flow for security bugs. For example, hold security fixes in a private repository until 3 weeks before each release. Then, give them a week on nightly, a week on aurora, and a week on beta. The same channel audiences that make rapid release possible would test security fixes, just for a shorter period of time. Something like this already happens on an ad-hoc basis in many bugs; formalizing the process could make it smoother.

There are significant security wins with rapid releases, and a few new challenges. Overall, it's a much better place to be than where we were a year ago.

(I posted followups about add-on compatibility and intranet compatibility.)

5 Responses to “Rapid releases and security”

  1. sup Says:

    Check https://metrics.mozilla.com/stats/firefox_updates.csv.

    Assuming the data is correct, and i got it right:
    7.0 has 0.74%
    6.0 has 39.15%
    5.0 has 16.17%
    4.0 has 6.8%
    3.6 has 30.41%
    3.5 has 2.63%
    3.0 has 3.25%
    2.0 has 0.74%
    1.5 has 0%

    37% +/- are using 3.6 or earlier.
    43.8% +/- 4 or earlier,
    60% +/- 5 or earlier.

    60% of Firefox users are using an old version, and 23% of those are using the unsupported 4 and 5 versions. 29.6% is we include versions 3.5, 3 and 2.


    [Comment edited for readability -Jesse]

  2. sup Says:

    Just to add another perspective, 63% (+/-) users are using version 4 or later.
    Of those, 62% are current (version 6), or 63.5% if we include 7.
    25.7% on 5.
    10.8% on 4.
    So of those on the rapid release versions, 36.5% are not using the current version, which means vulnerable.

  3. Screwtape Says:

    “We’re constantly reducing Firefox’s attack surface by rewriting components from C++ into JavaScript (and soon Rust).”

    Soon? How soon? I thought Rust was still in the “not useful for people who aren’t interested in working on the compiler” stage.

  4. Jesse Ruderman Says:

    Screwtape: Rust now has a self-hosted compiler and fuzzer, and it sounds like a stable release of Rust is coming by “early winter”. It is quire possible that my horizon for “soon” is slightly off, especially compared to Firefox’s release cycle ;)

  5. Matt Brubeck Says:

    “23% of those are using the unsupported 4 and 5 versions”

    To put this in context, we are currently in the phase where we’ve just published an update and a lot of users are still upgrading. The percentage of users on 4 and 5 is decreasing by about 1.4 per day. It was down to 21.6% yesterday.

    Update of new security releases has always taken a couple weeks to reach a reasonably high level. This is not new with rapid release, although rapid release may have slowed uptake by a bit.