Mozilla retires Firefox 4 from security support

Upgrade to Firefox 5 to get patches, says company, but add-on compatibility issues may make some users hesitate

Unnoticed in the Tuesday release of Firefox 5 was Mozilla's decision to retire Firefox 4, the browser it shipped just three months ago.

As part of Tuesday's Firefox 5 release , Mozilla spelled out vulnerabilities it had patched in that edition and in 2010's Firefox 3.6, but it made no mention of any bugs fixed in Firefox 4.

That's because Firefox 4 has reached what Mozilla calls EOL, for "end of life," for vulnerability patches.

Although the move may have caught users by surprise, the decision to stop supporting Firefox 4 with security updates has been discussed by Mozilla's developers and managers for weeks.

A mozilla.dev.planning mailing list thread that started May 17 evolved into a back-and-forth about the rapid-release schedule and its impact on Firefox 4.

Christian Legnitto, the Firefox release manager, put it most succinctly in a May 25 message. "Firefox 5 will be the security update for Firefox 4," Legnitto said.

As Mozilla had said earlier, that means Firefox 4.0.1 -- shipped in late April to fix eight flaws -- was the one and only security update for Firefox 4.

Mozilla is essentially taking another page from Google Chrome's playbook. Google only outlines the patches it has applied to the current "stable" build, the most polished form of Chrome that is analogous to Mozilla's final releases. Google does not patch the flaws in earlier editions, primarily because it automatically updates the browser in the background, ensuing that virtually all users are running the most secure version.

Mozilla doesn't yet conduct automatic updates, but it has changed how upgrades to a new version are offered to Firefox users.

"[For earlier major upgrades] we popped up a window asking people to opt in (major update offer)," said Legnitto in another message on the same thread. "For 4.0.1, users will need to opt out (minor update offer, like point/security releases)."

Mozilla expects the opt-out approach will get more users onto the newest edition faster.

On Tuesday, Firefox 4 users started seeing the upgrade offer for Firefox 5 when a pop-up appeared reading: "A security and stability update for Firefox is available. It is strongly suggested that you apply this update for Firefox as soon as possible."

In the offer, the default action was "Update Firefox." Only by clicking the "Ask Later" button or by closing the pop-up can users decline the upgrade.

But some Firefox 4 users may want to opt out of the upgrade, even though that leaves them at risk to exploits of already patched bugs.

One traditional area of concern is add-on compatibility, a pain point known to longtime Firefox users when they've moved from one version number to the next.

Mozilla has retired Firefox 4 from security support, and is prompting users to upgrade to the new Firefox 5.

"The add-ons often aren't upgraded as fast as the browser itself," Computerworld reader Phillip Campbell wrote in a Tuesday e-mail after hearing about Firefox 5. "This leaves the users of Firefox often sitting and waiting for the extensions to catch up with the version before upgrading."

While Mozilla claims that 84% of the most widely used add-ons in its own download library are compatible with Firefox 5, it has acknowledged that others may not run on the newest version.

"Risk: LOW for AMO add-ons. HIGH for non-AMO add-ons," a note from a June 16 meeting said, referring to risks associated with launching Firefox 5 on schedule.

AMO, better known as Mozilla's Add-Ons , is the company's official download site for add-ons and browser themes. AMO is not the sole source of Firefox add-ons: Developers can market add-ons outside of the site. In that regard AMO is more like Google's Android Market than, for example, Apple 's App Store.

Another reason why users may hesitate to upgrade to Firefox 5 is because they're running it in a business environment, where IT staff must usually test an updated application to ensure any changes have not created compatibility problems with other software.

Michael Kaply, a consultant who specializes in customizing Firefox and helping clients deploy the open-source browser, objected to the rapid-release schedule on corporate workload grounds.

"Companies simply can't turn around major browser updates in six weeks," said Kaply in a blog post Tuesday. "With security releases, there was a reasonable expectation that Web applications wouldn't break as a result of changes. With these releases, there is no such expectation. So a full test cycle needs to be run with every release."

By the time a company has tested Firefox 5, the next version -- now slated to ship in early August -- would be out, Kaply complained.

The corporate problem also came up in the Mozilla discussion thread.

"While I agree that longer [release] intervals would be better for corporate deployments ... I'm not at all certain it's the best thing for the Web or for Mozilla," said Mike Beltzner, a former director of Firefox who still contributes to the project. "We don't have the resources -- as a community -- to focus on their problems and on moving the Web forward."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

Read more about browsers in Computerworld's Browsers Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags open sourceapplicationsNetworkingbrowserssoftwareinternetmozilla

More about AppleGoogleMicrosoftMozillaTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    Business Innovation Through Collaboration

    Effective collaboration and mobility to help employees tap into entirely new ways of working.

    Play Video

  • 150x50

    CSO Breakfast in partnership with ESET - 1st December, Hilton Sydney

    The CSO Breakfast features keynote international speaker: Juraj Malcho, Chief Research Officer, ESET. Juraj brought his knowledge on the major trends in security that his team are seeing with a focus on antivirus, how the nature and severity of the threat in Australia compares with the situation in other countries as well as the threat of cyberattacks and malware. Juraj shared online attack reports and highlight the key priorities in security for 2016. Attendees also participated in peer-to-peer roundtables with industry leaders, who then spoke on a panel about the key takeaways from the roundtables.

    Play Video

  • 150x50

    A Fireside Chat with Ron Gula

    An interview with Ron Gula, CEO and CTO of Tenable Network Security conducted by David Braue, CSO Australia.

    Play Video

  • 150x50

    CSO CXO Series Interview Part I - Mark Jones, Director, RMSec

    CSO interviews CSO moderators on key takeaways from the CSO CXO Series event sponsored by Trend Micro in Melbourne 31st July 2015. Interview conducted by David Braue, CSO Moderator.

    Play Video

  • 150x50

    The Future Ready IT Series

    Computerworld Exchange talks to David Siroky, Director Dell Enterprise Solution & Alliances Team about the next generation Data Centre

    Play Video

More videos

Blog Posts

Market Place