Firefox To Enterprises: We're Not Friends

   How long after software is retired should the developer continue to patch {Chapter 3 Security+ 3ed} it by fixing security vulnerabilities?  Microsoft, for example, provides security support for at least 10 years after their software is retired or replaced with a newer version.  Yet a decision by Mozilla this week to drop support for its just-retired Firefox 4 has many enterprise users upset.  And Mozilla says that's just too bad.

   Mozilla is releasing new editions of Firefox about every six weeks.  The latest version, Firefox 5, was released on Tuesday (Jun 21 2011).  Yet Mozilla is dropping any security updates to the previous version, Firefox 4 (which has only been out for 3 months), effective immediately.  For home users it can be an inconvenience to update that often.  Yet for enterprises it can result in much more serious problems.  IBM, for example, adopted Firefox as its default browser one year ago and currently has half a million users on Firefox 3.6.  They have just completed testing Firefox 4 with thousands of IBM applications for deployment later this summer.  Yet now IBM is faced with a dilemma: go back to Firefox 3 (which also won't receive any security patches but at least will work with the IBM applications), deploy Firefox 4 (which won't have any more security updates), or go to Firefox 5 (which will have security updates but may not work with all IBM applications).  And Firefox 6 is right around the corner (to be released Aug 16), as is Firefox 7 (Sep 27), Firefox 8 (Nov 8), Firefox 9 (Dec 20), and so on.

   And what does Mozilla have to say about this?  The Director of Firefox is quoted as saying, "I don't care about making Firefox enterprise-friendly". 

   Stay secure!

http://www.cengage.com/community/infosec