Lieberman Software president warns on silent update feature being developed for Firefox 10

The silent update mechanism, however, has not been welcomed in all quarters, with Philip Lieberman, president of Lieberman Software, warning about the security implications.

Silent updates are not to be confused with on-the-fly updates such as those seen on, for example, Microsoft's Windows Patch Tuesday updates, as these generally require a reboot of the software - or operating system - to take full effect, Infosecurity notes.

The silent update will, says Mozilla, update elements of the Firefox code, but without requiring a reboot of the browser. This is similar to the way some browser operate on the Android platform, although a code reboot is still required to complete the update process.

Philip Lieberman says that many IT security systems will have to be reconfigured to allow background updates to Firefox - which is not a good thing in the first place - there is danger that hackers could subvert the update system to allow them backdoor access to the users' computer.

"Auto-updating can be a welcome feature for many computer users, but the feature does need to let the user know what is happening. Having your software quietly update in the background - presumably on a modular code basis - is not something that all IT security professionals will welcome", he said.

"If, as I think appears quite likely, hackers start reverse engineering the Firefox background updating system - and remember we are talking about open source software here - then it is only a matter of time before they subvert this auto-updating mechanism to inject malware", he added.

Lieberman - whose firm supplies IT security software - went on to say that, at the MalCon security conference taking place in Mumbai later this week, well-known code cracker Peter Kleissner - who developed the Stoned bootkit back in 2008 - is scheduled to reveal the first Windows 8 bootkit.

This Stoned Lite bootkit, he explained, will reportedly allow code loaded from the Master Boot Record on the PC's hard disk to remain in place all the way through the Windows 8 boot-up and loading purpose.

It is coding technology like this, says Lieberman, which could allow the Firefox background updating system to be subverted, as he notes that we are talking about ultra low-level code that actually sits under the Windows 8 operating system itself.

"It doesn't take a programming genius to figure out that - against the backdrop of a Windows 8 bootkit - it shouldn't be difficult to subvert a background updater for a piece of open source software like Firefox 10", he said.

"Having a Windows 8 bootkit that exists is bad enough, but at least IT security professionals can set up their system controls to only allow access to the update processes when a suitable admin account logs in. This is the principle of admin accounts - which need to be protected using privileged account management technology - that ensures an extra layer of security on corporate systems", he added.

What’s hot on Infosecurity Magazine?