Mozilla on Tuesday released Firefox 68 for Windows, macOS and Linux, packing more insights into the browser’s add-ons and adding a slew of new group policies that enterprise IT administrators can use to better manage the browser.
Mozilla’s security engineers also patched 21 vulnerabilities, two labeled “Critical” and four marked “High,” the organization’s top two threat ratings. “We presume that with enough effort that some of these could be exploited to run arbitrary code,” Mozilla reported in one advisory.
Firefox 68 can be downloaded from Mozilla’s site. Because it updates in the background, most users need only relaunch the browser to get the latest version. To manually update, pull up the menu under the three horizontal bars at the upper right, then click the help icon (the question mark within a circle). Choose “About Firefox.” The resulting page shows that the browser is either up to date or explains the refresh process.
Mozilla updates Firefox every six to eight weeks; the last time it upgraded the browser was May 21.
Mozilla now recommends add-ons
Among the few noticeable changes to Firefox as of version 68, Mozilla trumpeted those affecting the browser’s add-ons – “extensions” in its terminology – that historically were one of its biggest weapons.
“We curated a list of recommended extensions that have been thoroughly reviewed for security, usability and usefulness,” wrote Marissa Wood, vice president of product at Mozilla, in a post to the firm’s blog.
Earlier this year, Mozilla announced it would try to make add-ons more secure, saying it was launching an effort to “secure the extension ecosystem to better fulfill our brand promise of security and privacy for Firefox users.”
There’s no reason to doubt Mozilla’s sincerity, but the outfit must also be wondering how to restore Firefox’s reputation related to add-ons. When it shifted technologies, and demanded extension developers rewrite their work, that reputation suffered as some add-ons vanished. It didn’t help that Chrome continued to gain not only user share by leaps and bounds, but also grew the count of its browser extensions.
Banging the drum with recommendations is one way to again trumpet Firefox through add-ons.
Recommended add-ons are tagged with a special badge in the official add-on mart and are posted below the already-installed extensions in Firefox’s add-on manager. “Some of these recommendations are personalized,” claimed a note in the manager after upgrading to version 68. “They are based on other extensions you’ve installed, profile preferences, and usage statistics.”
Mozilla knows the above from the telemetry Firefox transmits from users to the company’s servers.
In documentation about the feature, Mozilla made clear that there’s no pay-for-play involved in the add-on recommendations. “Extension developers cannot pay for placement in the recommendation program, and Firefox does not receive any compensation as a result of this process,” Mozilla stated.
Also new to add-ons in Firefox 68: a way to report suspiciously malicious extensions, those that alter settings without permission or fly a false flag by claiming to be something they aren’t. In the add-on manager, users can now select “Report” from the same menu where they’ve long found “Disable” and “Remove.”
More enterprise policies
Another area of Firefox 68 that Mozilla emphasized involves group policies for IT managers. Enhancements to policies – and thus the browser’s suitability to enterprise use – were linked to the simultaneous release of Firefox ESR (Extended Support Release) 68, the version which stresses stability over sexy new features.
Unlike the standard Firefox, ESR receives only security updates during its tenure. (Prior to this week, the current ESR was based on Firefox 60, which debuted in early May 2018.) Every 14 months, Mozilla replaces the existing ESR with the then-current Firefox, then maintains both the old and new ESR versions during a multi-month overlap. Firefox ESR 60’s support overlap with ESR 68 began July 9, when the latter launched, and will end Oct. 22, when that date’s security patches will not be provided for the former.
“Today we’re adding a number of new enterprise policies for IT leads who want to customize Firefox for their employees,” said Mozilla’s Wood.
Among the new policies are ones that will allow administrators to remove the new tab page (NewTabPage) – perhaps to replace it with the business’s own intranet – and set and lock the downloads destination (DownloadDirectory) to comply with company guidelines of depositing files in the cloud, say.
A list of all policies supported by Firefox is available here, on GitHub; searches using 68 will find those new to this ESR. (The Firefox ESR 68-only policies are also listed at the top of this GitHub page.)
The next version of the browser, Firefox 69, should release Sept. 3.