Something claiming Firefox Update auto-installed even tho option set to "ask me first"

Status: VERIFIED INVALID

Product: Firefox
Component: Security
Priority: --
Severity: critical
Opened: 8 years ago
Last updated: 7 years ago
Reporter: JRS
Assignee: Unassigned
Version: 3.5 Branch
Platform: x86, Windows XP
Firefox Tracking Flags: Not tracked
Whiteboard: [sg:needinfo]

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

I have my options on Firefox 3.5.2 set to "check for updates" but to "ask me first" when they are found instead of auto-installing. At approximately 6 PM EST today (Aug 20, 2009), I had Firefox open and suddenly a pop-up window appeared and said "downloading and installing update"; a few seconds later it said "update will be finalized the next time you start Firefox". Neither window identified what was being downloaded. Not only was my Firefox already updated, but I have my options set to "ask me first" before installing *any* update -- this option is set true for all my software, including Firefox, Thunderbird AND any Windows updates.

Was this a genuine update or something else? Either way, why was my instruction to "ask me first" ignored? I also have current updated versions of AVG anti-virus and Spybot programs running and received no warnings from them when this happened.

Reproducible: Didn't try

Steps to Reproduce:
1. not an event I can attempt to reproduce


Expected Results:  
According to the setting in options, Firefox should have "asked me first" if I wanted to install updates instead of proceeding automatically to download and install whatever it was.

I have been running Firefox for the past year and this is the first time my option to "ask me first" has been bypassed. NOTE: Same thing happened with my Thunderbird installation about 6 hours later.
(Reporter)

Updated

8 years ago
Summary: Something claiming to be Firefox Update instaledl even thos my option set to "ask me first" → Something claiming Firefox Update auto-installed even thooption set to "ask me first"
(Reporter)

Updated

8 years ago
Summary: Something claiming Firefox Update auto-installed even thooption set to "ask me first" → Something claiming Firefox Update auto-installed even tho option set to "ask me first"
Saw your Thunderbird bug first, and that didn't worry me too much because we did release Thunderbird today. But my guess there won't fly with Firefox since we released 3.5.2 almost three weeks ago.

Were you connected from home or from a possibly compromised network like a cafe or airport?

Would you mind spot-checking the digital signatures on firefox.exe and a handful of component .dlls to make sure they really are the ones we released?

Could it have been an addon update dialog?
Whiteboard: [sg:needinfo]
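
The signature spot check requested above can be scripted. This is an added example, not part of the original thread or of Mozilla's tooling; the default install path is an assumption, and comparing each DLL's signer with the signer of firefox.exe is this example's own heuristic.

```powershell
# Added example: check Authenticode signatures on firefox.exe and its DLLs.
# $InstallDir is an assumed default location; pass your own path if it differs.
param(
    [string]$InstallDir = "$env:ProgramFiles\Mozilla Firefox"
)

function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Directory)

    $exe = Join-Path $Directory 'firefox.exe'
    if (-not (Test-Path -LiteralPath $exe)) {
        throw "firefox.exe not found in $Directory"
    }

    # The signer of the main executable is the reference for every other file.
    $reference  = Get-AuthenticodeSignature -LiteralPath $exe
    $refSubject = if ($reference.SignerCertificate) { $reference.SignerCertificate.Subject } else { $null }

    $dlls  = Get-ChildItem -LiteralPath $Directory -Filter '*.dll' -File -Recurse
    $files = @($exe) + @($dlls | ForEach-Object { $_.FullName })

    foreach ($file in $files) {
        $sig     = Get-AuthenticodeSignature -LiteralPath $file
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Valid means the file hash matches the signature and the chain is trusted.
        # NotSigned, HashMismatch, NotTrusted and similar all count as failures here.
        $verdict = if ($sig.Status -ne 'Valid') {
            'FAIL'
        } elseif ($subject -ne $refSubject) {
            'REVIEW'   # validly signed, but by a different signer than firefox.exe
        } else {
            'OK'
        }

        [pscustomobject]@{
            Verdict = $verdict
            Status  = $sig.Status
            Signer  = $subject
            File    = $file
        }
    }
}

Get-SignatureReport -Directory $InstallDir |
    Sort-Object Verdict, File |
    Format-Table -AutoSize -Wrap
```

A `REVIEW` row is not a failure by itself; it marks a validly signed file whose signer should be checked by hand.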
IIRC the preferences for updates to addons are separate from the preferences
for updates to firefox (or thunderbird) itself, but when the updates occur
(either to the addons or to the base product) they look very similar.  
So, it could be an add-on update that occurred, that looked confusingly like
a base product update.  

Also note that these preferences are in each individual profile, so if you
have multiple profiles, and updates are disabled in one but enabled in 
another, then updates will occur when you use the profile in which they are
enabled.
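
To see whether the update settings differ between profiles, as described above, the per-profile preference files can be compared. This is an added example, not part of the original thread; the profile location and the preference names `app.update.enabled`, `app.update.auto` and `extensions.update.enabled` are assumptions that do not appear on this page.

```powershell
# Added example: show the update preferences stored in each Firefox profile.
# Assumed: profiles are listed in %APPDATA%\Mozilla\Firefox\profiles.ini and
# the pref names below are the ones of interest (they are not from the thread).
param(
    [string]$FirefoxData = "$env:APPDATA\Mozilla\Firefox"
)

$PrefNames = 'app.update.enabled', 'app.update.auto', 'extensions.update.enabled'

function Get-ProfileDirs {
    param([string]$Root)
    foreach ($line in Get-Content -LiteralPath (Join-Path $Root 'profiles.ini')) {
        if ($line -match '^Path=(.+)$') {
            $p = $Matches[1].Trim() -replace '/', '\'
            # Relative entries are relative to the directory holding profiles.ini.
            if ([System.IO.Path]::IsPathRooted($p)) { $p } else { Join-Path $Root $p }
        }
    }
}

function Get-UpdatePrefs {
    param([string]$ProfileDir)
    $found = @{}
    $prefsFile = Join-Path $ProfileDir 'prefs.js'
    if (Test-Path -LiteralPath $prefsFile) {
        foreach ($line in Get-Content -LiteralPath $prefsFile) {
            # prefs.js holds one user_pref("name", value); entry per line.
            if ($line -match '^user_pref\("([^"]+)",\s*(.+)\);\s*$' -and
                $PrefNames -contains $Matches[1]) {
                $found[$Matches[1]] = $Matches[2]
            }
        }
    }
    $row = [ordered]@{ Profile = Split-Path $ProfileDir -Leaf }
    foreach ($name in $PrefNames) {
        # A pref absent from prefs.js is not overridden in this profile.
        $row[$name] = if ($found.ContainsKey($name)) { $found[$name] } else { '(default)' }
    }
    [pscustomobject]$row
}

Get-ProfileDirs -Root $FirefoxData |
    ForEach-Object { Get-UpdatePrefs -ProfileDir $_ } |
    Format-Table -AutoSize
```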
(Reporter)

Comment 3

8 years ago
Dan,

Thanks for the quick reply. I checked the digital signature on both Thunderbird.exe and Firebird.exe and both appear to be as you described they should be.

To answer the other questions asked on this, I was at my home computer, the only one I use and I was in my primary profile (also the one I almost always use). Previously any add-on updates have always "asked me first" before proceeding. If it was an add-on update, the dialog box didn't say so, but as described in the following paragraph I don't think it was an add-on. It is peculiar that the dialog box which flew by did NOT say anything about what it was an update for... just something about "update has been downloaded and being installed..." and then a second box that popped up immediately after the first that said "update will finish the next time you start Firefox..." Well, I thought it said "next time you start Firefox" but it happened so fast it may have said "next time you start Thunderbird". It definitely said "next time you start" something, then vanished.

I think you've nailed what happened. I was in Firefox when the dialog box popped up and I was typing/mouse clicking at that second. What probably appeared was not a dialog box about a Firefox update, but a dialog box about the Thunderbird update. Since I was in the process of typing/clicking when the box popped up that may have inadvertently caused the "ask me first" check to think I had clicked "OK" and so gone ahead with the installation. The popup didn't seem to look like the same dialog box I'm used to seeing for an update notification, but it all happened so fast I didn't get a good look.

Since the 2.0.0.23 update was issued yesterday and that's what my "About Thunderbird" box displays as the version I am now running, it's almost certain that it was the official 2.0.0.23 software update which flew past my screen and got installed. That's good news and eases my mind that it might have been "something else" that slipped in past my defenses.

Still, it might be a good idea for someone with expertise at this sort of thing to check and make sure nothing has happened to prevent the "ask me first" function, in either Thunderbird or Firefox, from performing as it should (or maybe a second "Yes I'm sure" confirmation step should be added to the first "OK" step so that someone has to click confirmation a second time before the install proceeds, which would probably prevent what just happened with me in the same circumstances in the future?)
This doesn't need to remain hidden.  Can probably be RESOLVED INVALID given comment 3.
Group: core-security
Duplicate of this bug: 511822

Updated

7 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
Version: unspecified → 3.5 Branch
Status: RESOLVED → VERIFIED