Mozilla is working on Firefox background updates on Windows
This week, Mozilla enabled a new feature in the Nightly version of the organization's Firefox web browser designed to improve the updating functionality of the browser on Windows. The new functionality enables background updates for Firefox on Windows, even if the browser is not running at the time.
Mozilla plans to introduce the new updating functionality in Beta and Stable versions of the web browser when these hit version 89. Firefox 89 Stable will be released on June 1, 2021 according to the official release schedule.
The change improves the updating behavior of the Firefox web browser. Firefox users may use policies to block the new behavior.
Mozilla engineer Nick Alexander explains the inner workings of the new updating mechanism on the Firefox Dev Google Groups forum.
> the default Firefox profile (for each OS-level user) will schedule OS-level tasks that run periodically. These tasks invoke Firefox in a stripped-down headless “background task mode” that pumps the update cycle before exiting. These tasks have been designed to not process updates when other Firefox instances are running, so they should not force restarts of running instances; and they access (lock) the default profile for only a very short period of time so they should not prevent starting Firefox for regular browsing. If you need to disable this functionality, about:preferences should show a checkbox in the “Updates” section for you to disable, or you can set the BackgroundAppUpdate Firefox policy to false.
In other words: Firefox will use a scheduled task on the system level to run update checks, download updates and install the downloaded updates. The task is configured to run every 7 hours, but only if Firefox is not running.
The task, named Firefox Nightly Background Update followed by hex code in the Nightly version, is automatically installed by Nightly and will be reinstalled automatically as well if deleted. The name will be adjusted for Beta and Stable versions of Firefox.
Firefox users who want to disable the task need to use the Enterprise policy BackgroundAppUpdate to do so. If the policy is set to False, Firefox does not try to install updates when the application is not running. The policy affects the Firefox preference app.update.background.enabled, but just setting the preference does not have any effect at the time of writing.
If the scheduled task is deleted, it is reinstated regardless of the state of the preference. A task that is disabled in the Task Scheduler, on the other hand, does not seem to get re-enabled, at least not during the same session. More data is needed to find out if Nightly updates make changes to the task's state.
Interested users can follow the development on [email protected].
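The policy and the scheduled task described above can be checked together. The following PowerShell script is an added example, not part of the original article and not Mozilla's code: it reports the machine-wide BackgroundAppUpdate policy value and the state of any matching update task, and writes the policy only when asked. The HKLM hive, the task-name wildcard (derived from the Nightly task name given above) and the `-Disable` switch are assumptions of this example.

```powershell
# Added example: audit (and optionally set) the BackgroundAppUpdate policy.
# Assumptions: policy is read from HKLM (machine-wide); the wildcard below is
# derived from the Nightly task name mentioned in the article and is meant to
# match the renamed Beta/Stable tasks as well.
[CmdletBinding()]
param(
    [switch]$Disable   # hypothetical switch: write BackgroundAppUpdate = 0 (needs elevation)
)

$policyKey  = 'HKLM:\Software\Policies\Mozilla\Firefox'
$policyName = 'BackgroundAppUpdate'
$taskFilter = 'Firefox*Background Update*'

function Get-BackgroundUpdatePolicy {
    # Returns 'NotConfigured', 'Disabled' (0x0) or 'Enabled' (any other value).
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$policyName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

if ($Disable) {
    # Create the policy key if it does not exist, then set the DWORD to 0.
    if (-not (Test-Path -Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name $policyName -Value 0 `
        -PropertyType DWord -Force | Out-Null
}

$policyState = Get-BackgroundUpdatePolicy
Write-Output "Policy ${policyName}: $policyState"

# List every matching task with its state and what it would run.
$tasks = @(Get-ScheduledTask -TaskName $taskFilter -ErrorAction SilentlyContinue)
if ($tasks.Count -eq 0) {
    Write-Output 'No Firefox background update task is registered.'
    return
}

foreach ($task in $tasks) {
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskName    = $task.TaskName
        TaskPath    = $task.TaskPath
        State       = $task.State          # Ready, Disabled, Running, ...
        LastRunTime = $info.LastRunTime
        NextRunTime = $info.NextRunTime
        Command     = ($task.Actions |
                       ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}

# A task that is still 'Ready' while the policy reads 'Disabled' is expected:
# the policy stops the update work, it does not remove the task registration.
if ($policyState -ne 'Disabled') {
    Write-Warning "Background updates are not blocked by policy on this machine."
}
```

Run it again after a Firefox update to confirm that the policy value and the task state are unchanged.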
No thanks. Blocking this service will be another “first things must do”, along with other craps FF tries to force down my throat.
Nice. I don’t mind starting Firefox, and going to About to trigger an update when released, but it will be good to just be able to start Firefox, and have it already updated.
I don't understand, you can already do this.
Options, -> General tab -> Firefox Updates
Automatically install updates
It’s not the same. If Firefox is not running, it won’t check for updates until the next time it does run. The current update system allows for the installation of new versions after Firefox was run, and the new version downloaded in the background. This new method will allow new versions to be downloaded, and installed, even if Firefox hasn’t been run in a while. That way the next time it is run, it will already be updated.
This is great for grandparents pc :)
I thought that checking enable background update services will do this but seems it was only when browser is running.
that is worse
So, Fix it = do it like chromium does it?
I find it interesting how they talk like if they came with this idea when they are just copying it, I mean, maybe they are doing it in a way that ignorant people will say “oh yeah they care about us” or “this is why I use Firefox because Chrome/Chromium blabla”
Interesting how they are copying Chromium when still some people in 2021 say X Chromium browser isn’t good enough because automatic background updates which supposedly doesn’t equal to *privacy* or whatever, even if automatic updates are easy to disable.
> So, Fix it = do it like chromium does it?
No, “fix it” means “do it correctly”. Of course, if engineers have identical requirements and constraints, they tend to arrive at similar solutions.
Unsurprisingly from this company given its history, Mozilla Corporation’s previous (and still active I think) use of background tasks involved more spying on the users for business reasons even when the browser was not running, and not even warning the users in the update notes about the change:
A good reason to not trust Mozilla again to run code that talks to them every 7 hours even when their malware browser is not running. And as usual the excuse for that new intrusion is not really proportioned.
Apparently these bastards made this impossible to block even using the already normal-user-unfriendly, untrustworthy and not always even available about:config page. This time I will have to learn about “Enterprise policies” just to be able to defend myself against them, and from experience, that’s knowing that even then I will never be able to trust that “setting and forgetting it” will be enough for it to remain disabled.
> Apparently these bastards made this impossible to block
Did you even read your own link? Your link quotes the Mozilla press release
> We’ll respect user configured telemetry opt-out settings by looking at the most recently used Firefox profile.
> Did you even read your own link?
People never do when their sole purpose is to rant.
Another unnecessary ‘feature’, thanks Mozilla.
“designed to improve the updating functionality of the browser”
After the first encounter with Windows 10, in these days Firefox is the second source of stress. Everything works fine, the browser is up to date (it also confirm me this on ‘About Firefox’), no issue if I check manually for update but sometimes appears a f… alert “Firefox can’t update to the latest version” in the middle of browsing.
Group Policies settings? User.js? Default Browser Agent disabled? DNS hosts file?
It seems like I don’t get along with ‘Updates’ in general. Nowadays I feel like all these programs doesn’t like a user intervention and they do everything to give you a hard time.
PS: I begin to hate all the PC meanings related to the word ‘background’.
agree about win10 and will not install it on my own machine.
win10 is great as customers are willing to pay and pay again to get win10 fixed.
[then win10 updates and I get paid again] sad for those customers.
I will continue to run the old win7 pro as it works and only changes “when” allowed to do so.
as for FF browser?
I might update it “IF” they fix it correctly.
If it is not correct?
uninstall FF as it has not been good in a long time.
[stop updates] user control = correct
A few things come directly to the mind and because they're not mentioned in this article they are worrying me.
Will there be commercially orientated updates pictures-wise, or which percentage will be commercial?
Will there be a possibility available so I can save the pictures that I like so I can create my own slideshow in the Firefox browser?
Can I choose specific kinds of pictures like nature, ocean, beaches, galactic pictures, etc?
Maybe combine specific pictures from different subjects?
With this move, Mozilla has crossed the line. I will remove their programs from my computer and begin searching for alternatives. I REFUSE to allow ANY program to automatically update in the background. And no, I don’t use W10 either.
Not really, Microsoft allows the user to completely disable the updater. Mozilla removed this functionality with the release of Firefox v63, leaving the users forced to leave it enabled.
https://i.imgur.com/KPLFVZD.png <- this option exists and is fully operational in the upcoming 21h1 as well.
What Mozilla is doing now is just giving the updater autonomy to update Firefox while the program is closed. Same thing they do with the telemetry. Shows you their priorities.
> Same thing they do with the telemetry
Yulia’s disinformation and bullshitting rears its ugly head again.
99.99999999999999999999999999% of telemetry information, is controlled by a single UI checkbox. It takes twice as much work to disable it in Brave, for example. We better all SHIT on BRAVE then as well.
As for the rest: a single big SCARY coverage ping, designed to estimate telemetry usage (which is why it isn’t part of the master switch), you can use a pref in about:config
example of what the SCARY coverage ping sends
You have no control over what “default-browser-agent.exe” does. It’s an external component.
> You have no control over what “default-browser-agent.exe” does
Yes you do. It’s controlled by the master telemetry checkbox, and you’ve been told this before. Instead you continue to LIE. Or you can use Enterprise Policies
Learn to read: https://blog.mozilla.org/data/2020/03/16/understanding-default-browser-trends/
> We’ll respect user configured telemetry opt-out settings by looking at the most recently used Firefox profile.
> We’ll respect custom Enterprise telemetry related policy settings if they exist. We’ll also respect policy to specifically disable this task.
PS: How are your anecdotal unscientific perf tests going?
Where is the global/machine config file/registry for “default-browser-agent.exe”? I’m curious how can I write my own config for that component.
In GPedit? Can you point to the exact path?
“ In GPedit? Can you point to the exact path? “
The answer to that is simple to find.
Not that I had high expectations from a mozillian.
> *cricket noises*
If you bother to use Firefox, then I’m sure you can look it up, or just look at all the information the barn owl has already posted in this article’s comments
> It takes twice as much work to disable it in Brave, for example.
Le bullshit. Brave has two checkboxes under brave://settings/privacy, which, if unchecked, turn off all telemetry(!) in the browser. These also cover the crash reporter. Whereas in Firefox:
toolkit.telemetry.enabled –> false
toolkit.telemetry.coverage.opt-out –> true (hidden pref, you have to create it first – LOL)
Plus, the scheduled telemetry task which operates independently of a running FF instance.
However, this does not yet cover the following piles of dung:
– Pocket + Pocket Stories
– FF Experiments / Normandy
– Sponsored Tiles on the NTP
– Feature and extension recommendations
– Crash reporter
– SSL error reporter
– Add-on recommendations in the add-ons manager
> We better all SHIT on BRAVE then as well.
Shitting on the best browser won’t save Deplatformingfox, you know.
Iron Heart can’t even keep his BULLSHIT consistent
quote Iron Heart: “In Brave, in order to 100% switch off telemetry, all I have to do is to toggle 2 (two) settings”
Now crash reporter is not part of telemetry? But wait, it is for Firefox – typical hypocrisy from our resident disinformation bullshitter
NEWS ALERT: crash reporter in Firefox is disabled by default. Iron Heart doesn’t know what he is talking about
How mature. Shows you can’t win an adult discussion. But I agree, shitting on Firefox doesn’t serve any purpose
> Iron Heart can’t even keep his BULLSHIT consistent
In fact, I am consistent with myself. :D
It takes two settings in Brave to turn off all telemetry + crash reporter in Brave, whereas in Firefox:
toolkit.telemetry.enabled –> false
toolkit.telemetry.coverage.opt-out –> true
Then the scheduled telemetry task outside of Firefox. If you want to include the crash reporter, also:
browser.tabs.crashReporting.sendReport –> false
That’s clearly more than Brave, but OK.
> crash reporter in Firefox is disabled by default. Iron Heart doesn’t know what he is talking about
Unfortunately for you, Iron Heart knows what he is talking about. The crash reporter isn’t disabled by default in FF. That doesn’t even make sense, why would Mozilla disable the crash reporter? Might as well remove the code at this stage.
> How mature.
This blog post will come back to bite you, and you know it. Mozilla’s PR disaster of 2021.
It is disabled by default.
I installed it in Windows PC of my grandparents last week and enabled it because I wanted to help them so I am certain that it was disabled by default.
I also had enabled automatic update background service in installation setup but after opening Firefox, crash reporter was disabled by default.
Please don’t spread fud and test first before posting.
“I REFUSE” @John C , calm down, use your inside voice … you can just uncheck the option in preferences
I use win7 pro
Let me know your results with another browser. :)
IE is slow
Chrome is ok, but user privacy and function are not so good.
Well it’s slightly better than all the extra services and processes of Chrome (not saying much) but very few programs are allowed in my OS’s backend, let alone browsers. Firefox already has its own builtin updater and there are other ways of automating updates that don’t use the Task Scheduler.
I don’t like to have the OS (Windows 10) and application programs updating in the background. This is because the tasks (background updates) always “consume resources” by telemetry when the system is running, and even if the consumption is small at the individual program level, there are more than dozens of programs in the system, and when they are added up, it is not a small resource.
For this reason, I block “background updates” for all programs and use an update manager such as “PatchMyPC” to apply updates.
Of course, I plan to block them in Firefox as well.
However, it has been found that the average end user for home use prefers “background updates” which are hassle-free. Hence, Mozilla’s policy will be welcomed. If there is a suitable option for users who don’t like this task (background updates), then it is not reprehensible in any way.
According to BackgroundAppUpdate in the official Mozilla “README.md”
Prerequisites, Compatibility: Firefox 89
If set to false, the application will not try to install updates when the application is not running.
If you have disabled updates via DisableAppUpdate or disabled automatic updates via AppUpdateAuto, this policy (AppUpdateAuto) has no effect.
In Boolean, change “true” to “false”.
It is also possible to disable “AppUpdateAuto” at the system level.
Software\Policies\Mozilla\Firefox\BackgroundAppUpdate = 0x1 | 0x0
“BackgroundAppUpdate”: true | false
According to BackgroundAppUpdate in the official Mozilla “README.md”
Prerequisites, Compatibility: Firefox 89
If set to false, the application will not try to install updates when the application is not running.
If you have disabled updates via DisableAppUpdate or disabled automatic updates via AppUpdateAuto, this policy (BackgroundAppUpdate) has no effect.
In Boolean, change “true” to “false”.
It is also possible to disable “AppUpdateAuto” at the system level.
Please refer to “README.md” for specific instructions.
I don’t believe that it’s so much “that the average end user for home use prefers ‘background updates’ which are hassle-free” as that the average end user for home simply doesn’t want to deal with background updates, or even that they simply are too technologically inept to even understand what it means in the long run for them. Of course, their blindly “drinking the Kool-Aid” will be interpreted by Mozilla as being a wildly enthusiastic welcoming of automatic updates in the background.
I completely misunderstood the “Firefox Nightly Background Update” in our article.
After doing some research using the links provided in the article, I understood that “Background updates introduced by Mozilla do not use any telemetry or resources at all, but simply use the OS task scheduler to check for updates.” I understood that.
In other words, the task scheduler was to take over (automate) the manual “update checking” that is normally done by the user.
I apologize for posting thoughtless and erroneous opinions, and would like to add the following.
I have a value system that proactively and promptly applies “updates” for security and bug handling. If update management does not consume unnecessary resources for telemetry, etc., then I will enable this new feature.
– – – – – – – – – –
Firefox Nightly on Windows will now try to update even when it is not running | Nick Alexander (:nalexander), for the I/U team
Since misunderstandings, evil guesses and conspiracy theories tend to be Comments, I have reprinted the full text below:
Apr 12, 2021, 7:56:30 PM
to Firefox Dev, install-update
Late yesterday the Install/Update team enabled updates in the background, when Firefox is not running for browsing, for our Windows Nightly population. These changes should be making their way to a Nightly near you shortly. Please be on the lookout for update-related wonkiness and unexpected CPU and I/O spikes, and file regressions against Bug 1703909 . This functionality will ride the trains and will have a staged rollout during both the Beta 89 cycle and the Release 89 cycle.
Updates when Firefox is not running work as follows: the default Firefox profile (for each OS-level user) will schedule OS-level tasks that run periodically. These tasks invoke Firefox in a stripped-down headless “background task mode” that pumps the update cycle before exiting. These tasks have been designed to not process updates when other Firefox instances are running, so they should not force restarts of running instances; and they access (lock) the default profile for only a very short period of time so they should not prevent starting Firefox for regular browsing. If you need to disable this functionality, about:preferences should show a checkbox in the “Updates” section for you to disable, or you can set the BackgroundAppUpdate Firefox policy to false.
If you live inside Firefox Nightly (on Windows), these changes should not impact you very much, since the tasks will start, recognize there is an existing instance, and essentially never do any work. But if you are an intermittent Firefox Nightly user, you should find yourself up-to-date a little more often.
A number of fine folks contributed to this project, including Kirk Steuber (:bytesized), Adam Gashlin (:agashlin), Rachel Tublitz (:rtublitz), Molly Howell (:mhowell), and Dave Townsend (:Mossop). The preparatory work stretches back years! As always, thanks to our amazing QA team and the many reviewers along the path. The meta ticket for this milestone is Bug 1689520 .
Questions and comments are best on Matrix in #install-update .
Nick Alexander (:nalexander), for the I/U team
 https://bugzilla.mozilla.org/show_bug.cgi?id=1703909, first appears in build ID 20210412213434.
 Right now, every 7 hours: https://searchfox.org/mozilla-central/search?q=app.update.background.interval&path=
 Meta ticket is https://bugzilla.mozilla.org/show_bug.cgi?id=1689520
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/firefox-dev/CAMnWBR3NJBDSXxxNS44DPBRgu3ttaS-ctSFdTStyLJY24d%3Df%2BA%40mail.gmail.com.
Forget Mozilla. This kind of attitude is spreading like a disease and all in the name of security. And, in one hand, there is truth to that given some people don’t patch for years or months. Now, with that excuse, on the other hand, we have this. And this, for responsible, aware people, it is like slap in the face and a finger in the orifice. So, yes, we have the option to stop it and I will. My question is what will happen when some APT or criminal gang find a way to exploit this method? Another SolarWinds? Another Codecov? Another Passwordstate? And what companies do when that happens. They just say we are sorry. They just say your privacy is our number 1 priority. However, all the problems are only coming to you, with identity theft, personal information exposed, etc. While you think about all this, in the background imagine Louis Armstrong singing What a wonderful world.
The masochism of this comment section is insane. Mozilla does what it wants (which is usually not what the user wants), and instead of showing them the door, you guys fiddle with the config (even Windows’ config), without realizing that they can easily re-enable the task or even re-install it once you update Firefox. Haha, I guess they have to hit the browser with malware again via the FF Experiments backdoor, as they did with Cliqz some years ago, for you to learn your lesson once and for all.
I’ve just downloaded and reinstalled (update) the latest version of Firefox and:
– no Mozilla Group Policies settings are changed
– Firefox Default Browser Agent in Task Manager is still disabled
At the moment only Win 10 reset my settings (dmwappushservice) or does what he likes with updates even if I set “2” in Group Policy for notification and download (KB4601554).
Let me guess? Brave? No. I’m not strictly interested about using Firefox but I got used to its extensions. Well… I can also install Waterfox or Pale Moon like the past but I’m tired to have a collection of browsers on my PC.
Linux? Depends on the needs of users
Windows LTSB? Maybe I’ll give it a shot the next fresh install with all due respect to my genuine licence of Win 10 Pro
Anyway we may be masochist (definitely a little bit) but there is also a boundary for paranoia.
The best versions of FF on Android are Iceraven and Fennec F-Droid, these builds try to shield you from Mozilla’s nonsense as best as possible. On the desktop probably Waterfox, there are people whining about the System1 ownership of the project, but the only thing related to System1 in the Waterfox browser itself is the StartPage search engine option (which is not even the default, and can be removed). Other than Waterfox, the best would be Firefox ESR (doesn’t get hit with BS changes that often, by definition) + user.js file.
Personally, I see no reason to deal with FF (and by extension, Mozilla’s intentions) when browsers like Ungoogled Chromium, Vivaldi, Bromite, or Brave exist.
As for operating systems, probably anything is better than Windows 10 Pro (or god forbid, Home). Windows 10 LTSC is OK because you can apply stricter policies there, Linux would be the clear winner for privacy pretty much always.
All IMHO, of course.
They are all Chromium based browser, as I wrote I selected over the years and got used to Firefox add-ons. Until I can disable scheduled tasks, features, block some domains or I have suggestions like user.js for some privacy and security settings I don’t see any particular complains to use Firefox.
Obviously Mozilla is not a monopoly without alternatives like Microsoft and it is better not to ‘make’ outside of the pot too much. This time I was in the mood to start with Firefox instead of Waterfox (and I solved the lack of FlashGot also related to JD), maybe in the future I will change again. Slowly. When I’ll get rid of some issue and after recovered years of complaints about Windows 10 I will think about it.
Oh! I probably solved the ‘alert’ above: it’s due to 0.0.0.0 aus.mozilla.org
Not at all happy with something that might introduce browser bugs running without my knowledge – irrespective of the additional risk of the process becoming spyware.
Question – if I were to sandbox Firefox would this prevent silent updates? Working on the basis that Mozilla might one day remove all options to stop auto updates.
@Iron H: The main point here is not Mozilla, even when the article is about them. The issue at hand is how all the companies are stealing choices from us and making our lives overcomplicated. Luckily in this particular case there is a way to fix the culprit. Before you bring it, if you for a moment think Brave will be forever free of this kind of bs, think again. I know you can jump to another ship (browser) but at the price of reducing your choices, like I said. We as a community of users (and regardless of the browser each one uses) need to start thinking about the bigger picture. A good example is the reaction to FLoC.
Some might actually want this, probably most won’t though and will disable it.
But if there is going to be FF bashing here then at least be fair about it and list other browsers
>> probably most won’t though and will disable it
Clueless comment. Most users will have NO clue about this change and will continue simply clicking the familiar “orange icon” to browse the interwebs.
Hah, I don’t even let Firefox check for extension updates automatically (and I trust the uBlock Origin dev more than 99% of the internet), so no way will I allow the entire browser to do background shit.
Thankfully I’m on Linux, and use the FF from the official repos, so this kind of behaviour will not be possible anyway,
I don’t allow auto-updates, preferring to check them first in a sandbox. I thought of changing to Edge, but that has auto-updates although they are easy to disable via Task Scheduler.
So, I’ll wait and see, and so long as it’s easy to disable via a config setting, I can live with that.
You can turn off automatic updates in Vivaldi, and Ungoogled Chromium never had them to begin with.
You can disable it in the UI
> If you need to disable this functionality, about:preferences should show a checkbox in the “Updates” section for you to disable, or you can set the BackgroundAppUpdate Firefox policy to false
> You can disable it in the UI
Hehe, you can’t, ever since FF 63.0 (2018):
One needs an enterprise policy to stop Firefox updates (stop = without nagging). Well, either that or block the update URL at the network level…
I thought hg was referring to the background aspect. As for actual updates, this is true: it can still be disabled, so no need to “OMG FREAK OUT FIREFOX DID SOMETHING”
As with Google Chrome, automatic updating of Firefox 89+ on Windows when Firefox is not running, by means of a system task. The task can be disabled either in the Task Scheduler or by changing “app.update.background.enabled” from “true” to “false” in about:config. Not clear whether Firefox will necessarily preserve the disabled state after future updates.
At least, that is what I understood. Another Ghacks reader, Tom Hawack, is a native French speaker and knows much more about Firefox than I do. He can no doubt explain it better.
I find it really funny that people (especially Firefox hating ones) get mad when Mozilla changes a thing. Seriously I don’t know maybe they don’t know things or don’t want to know but in Firefox browser there are switches to turn the damn thing off if one doesn’t like it, same goes for updates in background or update checks.
Things change with time and it’s same for everything in life but hey we’re going to complain about Firefox no matter what.
Plus if someone is really losing sleep because of these changes, download gHacks *cough* Arkenfox user.js file, give it an hour of your precious time, and then customise the browser depending on your needs. Of course start with main settings in menu and turn the switches off, most of preferences like telemetry, normandy, DRM, safebrowsing would be changed (without even changing a single about:config preference) through main settings and would be visible in Firefox v87 and later by checking show modified about:config preferences, and then change few settings from user.js.
It’s frustrating sometimes when Mozilla changes a thing but most of the time there’s a way to reverse it.
I was clarifying the “mozilla is as bad as microsoft” situation. That is not the case, in reality mozilla is worse than Microsoft. Microsoft allows full control over updates, whereas mozilla took that away with v63 release.
* [Editor: removed]. Updates can be fully disabled via policies.
The whole comments section on this site (especially any browser related article) is filled with a bunch of liars busy pushing their agenda (read: other browsers).
Firefox is so insecure, it has to check for updates three to four times per day?
Maybe in Nightly it’s reasonable (but still a bit too much, 2 times per day should be enough there), but I agree that this is ridiculous in the stable channel.
> Firefox is so insecure, it has to check for updates three to four times per day?
Wow, how silly and short sighted your view is.
During an emergency incident, there will be unplanned “updates”. In order to deal with malicious and serious threats such as zero-day attacks, updates must be applied as soon as possible (to prevent computers from being hijacked by malicious criminals).
Firefox Release Calendar | wiki.mozilla.org
The “value” of the frequency of the update check is based on the assumption of such contingencies, but the value can even be adjusted by the end user in the GPO (Group Policy Objects).
Group Policy Objects | docs.microsoft.com
Firefox is insecure, though (however, this is unrelated to the frequency of arbitrarily times update checks):
@owl – ignore the Iron Heart spam and the mad guy (that madaidan guy even had a massive meltdown on 4chan and accused imaginary Mozillians of attacking him – it all harks back to a prior disagreement and his ranting at a Firefox dev at Tor Project, many years ago). Nothing to worry about (see stats below). Carry on with the superior Firefox
listen to an actual browser developer
Fission is at milestone 8 and already to ship. Will help in the 0.0000000000000000000001% of website traffic visits where it matters. Meanwhile, Firefox is secure enough for 99.999999999999999999%
Hehe, you were unable to refute any of the claims of madaidan, you just slight him (without giving any kind of source for your allegations), but you refuse to actually confront any of the points he raises.
The Firefox dev you linked to confirmed madaidan, by the way: “It is true that, as of this writing, Chromium’s content process sandbox is more restrictive than Firefox’s sandbox (this is continually changing though as the Gecko hardening team continues to make improvements).”
Also, again from your link:
“On the other hand, Firefox contains significant amounts of code written in Rust. Those components are significantly less vulnerable to specific types of security bugs than if they were still written in C++.”
“Firefox does have some parts written in Rust, a memory safe language, but the majority of the browser is still written in memory unsafe languages and the parts that are memory safe do not include important attack surfaces so this isn’t anything substantial and Chromium is working on switching to memory safe languages too.”
Accept the facts and move on.
aNomNomNom, well said. As if major browsers like Safari, Chrome, and Firefox aren’t already highly vetted and very secure. That Iron Heart just has something against Mozilla. Ignore him
What you said doesn’t mean that all browsers are equally secure, ignorant. If there was no issue here, Mozilla wouldn’t try to frankenstein Project Fission onto their codebase.
Firefox background updates to force their unwanted useless changes? I will just move to Edge. Good bye Firedfox!
Firefox Nightly 90.0a1 (2021-04-29) has a new “Nightly Experiments” section in the “Settings” page.
⬜ about:home startup cache
A cache for the initial about:home document that is loaded by default at startup. The purpose of the cache is to improve startup performance.
⬜ Address Bar: show results during IME composition
An IME (Input Method Editor) is a tool that allows you to enter complex symbols, such as those used in East Asian or Indic written languages, using a standard keyboard. Enabling this experiment will keep the address bar panel open, showing search results and suggestions, while using IME to input text. Note that the IME might display a panel that covers the address bar results, therefore this preference is only suggested for IME not using this type of panel.
⬜ Cookies: SameSite=Lax by default
Treat cookies as “SameSite=Lax” by default if no “SameSite” attribute is specified. Developers must opt-in to the current status quo of unrestricted use by explicitly asserting “SameSite=None”.
⬜ Cookies: SameSite=None requires secure attribute
Cookies with “SameSite=None” attribute require the secure attribute. This feature requires “Cookies: SameSite=Lax by default”.
⬜ Cookies: Schemeful SameSite
Treat cookies from the same domain, but with different schemes (e.g. http://example.com and https://example.com) as cross-site instead of same-site. Improves security, but potentially introduces breakage.
⬜ CSS: Constructable Stylesheets
The addition of a constructor to the CSSStyleSheet interface as well as a variety of related changes makes it possible to directly create new stylesheets without having to add the sheet to the HTML. This makes it much easier to create reusable stylesheets for use with Shadow DOM. See bug 1520690 for more details.
⬜ CSS: Masonry Layout
Enables support for the experimental CSS Masonry Layout feature. See the explainer for a high level description of the feature. To provide feedback, please comment in this GitHub issue or this bug.
⬜ Developer Tools: Color Scheme Simulation
Adds an option to simulate different color schemes allowing you to test @prefers-color-scheme media queries. Using this media query lets your stylesheet respond to whether the user prefers a light or dark user interface. This feature lets you test your code without having to change settings in your browser (or operating system, if the browser follows a system-wide color scheme setting). See bug 1550804 and bug 1137699 for more details.
⬜ Developer Tools: Compatibility Panel
A side panel for the Page Inspector that shows you information detailing your app’s cross-browser compatibility status. See bug 1584464 for more details.
⬜ Developer Tools: Execution Context Selector
This feature displays a button on the console’s command line that lets you change the context in which the expression you enter will be executed. See bug 1605154 and bug 1605153 for more details.
⬜ Developer Tools: Service Worker debugging
Enables experimental support for Service Workers in the Debugger panel. This feature may slow the Developer Tools down and increase memory consumption.
⬜ Fission (Site Isolation)
Fission (site isolation) is an experimental feature in Nightly to provide an additional layer of defense against security bugs. By isolating each site into a separate process, Fission makes it harder for malicious websites to get access to information from other pages you are visiting. This is a major architectural change in Nightly and we appreciate you testing and reporting any issues you might encounter. For more details, see the wiki.
⬜ HTTP/3 protocol
Experimental support for the HTTP/3 protocol.
⬜ Media: AVIF
With this feature enabled, Nightly supports the AV1 Image File (AVIF) format. This is a still image file format that leverages the capabilities of the AV1 video compression algorithms to reduce image size. See bug 1443863 for more details.
⬜ Multiple Picture-in-Picture Support
Experimental support for allowing multiple Picture-in-Picture windows to be open at the same time.
⬜ Web API: inputmode
Our implementation of the inputmode global attribute has been updated as per the WHATWG specification, but we still need to make other changes too, like making it available on contenteditable content. See bug 1205133 for more details.
⬜ Web API: WebGPU
This new API provides low-level support for performing computation and graphics rendering using the Graphics Processing Unit (GPU) of the user’s device or computer. The specification is still a work-in-progress. See bug 1602129 for more details.
⬜ WebRTC Global Mute Toggles
Add controls to the WebRTC global sharing indicator that allow users to globally mute their microphone and camera feeds.
⬜ Win32k Lockdown
Disable use of Win32k APIs in browser tabs. Provides an increase in security but may currently be unstable or glitchy. (Windows only)
– – – – – – – –
Users of the Nightly build can now easily enable/disable experimental features in the Nightly build in the “Nightly Experiments” section.
I think because so many users don’t even know to check for updates this will help ensure FF is up to date on all those machines. Most users I know don’t have a clue about the need to keep their software updated and eventually their systems become slowed to a crawl or inoperable due to spyware and such. It’s my belief that anything that helps keep the average user up to date with security patches and other software features is not a bad thing. So although I’m in favor of pushing updates out, I know some of you don’t like it. I still recommend FF with specific add-ons as the safest and most secure browser to my friends.
Well said, semce. Thanks for the rare sane view amidst all the paranoia, madness and lies.
Does Windows have a way of viewing all background update tasks by all programs with clear labels of which program is which and how often they run on a single screen? Perhaps with checkboxes or toggles to enable or disable them?
Basically, I’m thinking of “right click on an empty space on the taskbar>taskmanager>startup”, but not just for startup programs, for any recurring task that programs set up.
Ideally, this would be built in to Windows (and perhaps is), but if it isn’t, a third-party program from a very trusted source (Given the level of system access it would likely require), might suffice.
The idea of looking up every program ever installed on my PC and then rechecking every time it’s updated to try to find a specific registry entry down a long obscure path that is different by program and not clearly labeled, deciding whether to delete, and then having it pop up again if I do and having to repeat the process the next update seems too exhausting to contemplate as a serious option (I doubt Firefox is the only program doing this sort of thing).
Something like task manager’s startup menu, but for recurring processes, would be totally something I’d use, though.
I might even approve some of them. Some of the startup tasks programs have tried to create for themselves have remained enabled on my PC and others haven’t. I look at them all one by one and make individual decisions.
@John: I don’t know whether this is your best bet, but here goes:
• Autoruns is a portable program by Sysinternals, which has an excellent reputation and was acquired and taken in-house by Microsoft quite some time ago.
• Download it from here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
• It’s a portable program, so unzip it in a subfolder in the folder where you usually keep your portable programs. (I keep my copy in C:\Program Files (portable)\Sysinternals Suite, along with the rest of my Sysinternals utilities, where it is available to all users. If you want to keep it to yourself, put it somewhere in your own user folder.)
• If you’re running 64-bit Windows, use Autoruns64.exe; if you’re running 32-bit Windows, use Autoruns.exe. You might want to make a shortcut for it to put in your User or All Users Start Menu Programs folder (or somewhere else).
• To see all of the tasks you might be looking for, you have to run Autoruns as an administrator. If you don’t want to have to remember to do this each time, open Autoruns64.exe/Autoruns.exe’s Properties, click on the Compatibility tab, enable the “Run this program as an administrator” option toward the bottom, and click OK.
• After you launch Autoruns and it has finished populating, click on the Scheduled Tasks tab.
• Then, in the Filter box up toward the top left, type “update” (without the quotes). “update” seems to return all of the relevant tasks on my machine. “check”, “new”, “version”, and “release” don’t return anything relevant, but there may be the odd program out there that sets up a task to “check for a new version” or “check for a new release” without mentioning the word “update” anywhere.
• To the left of each listed task is a checkbox. Unchecking the box disables the task. It’s not necessary to “save” in order for the disabling to take effect. Saving just saves the current configuration for possible future import (or for undoing a screwup!).
I think that’s it.
NirSoft Utilities also offers its portable TaskSchedulerView in both 32-bit and 64-bit versions (here: https://www.nirsoft.net/utils/task_scheduler_view.html), but filtering and disabling/enabling in it are a little less intuitive, and it uses text entries instead of checkboxes to display which tasks are Disabled and which are Ready (enabled). On the other hand, it’s easy to sort tasks by status (Disabled vs. Ready), which makes it easy to focus on the enabled ones you might want to disable. And going back to the first hand, Autoruns groups and clearly identifies Microsoft/Windows-created tasks by default, which makes it easy to focus on just the *other* (third-party) tasks. In NirSoft, you’d probably want to do View > Choose Columns and move Author up to the top in order to easily do that.
There’s no reason you can’t try both and use the one you prefer. Pretty much everything I wrote about setting up Autoruns applies to TaskSchedulerView, except that NirSoft’s 32-bit and 64-bit utilities have exactly the same name. If you want to have both copies on hand, you have to keep them in separate folders (e.g., …\NirSoft Utilities and …\NirSoft Utilities\x64). Oh, and by the way, NirSoft has an excellent reputation, too, but some of its utilities get flagged by antivirus programs because they could be bad news *if used on your computer by a malicious actor*. That *used* to be the case for a couple/few Sysinternals utilities, but the false flags magically disappeared after Sysinternals was acquired by Microsoft. It helps to have an 800-pound gorilla in your corner. ;-)
Good suggestions, @Peterc. Autoruns is by far the most comprehensive, because MS knows every nook and cranny where startup tasks and apps register themselves.
Oh and BTW, the false flags didn’t “magically disappear”. It was obvious to the anti-malware apps that they should whitelist apps signed by MS itself.
@Jack: I think it’s more likely that antivirus companies pay attention and accede to false-flag claims from Microsoft than those from a one-man operation. pskill.exe and pskill64.exe didn’t become any less capable of killing a process willy nilly when Sysinternals became part of Microsoft.
“I think it’s more likely that antivirus companies pay attention and accede to false-flag claims from Microsoft than those from a one-man operation.”
Of course that’s true @Peterc, but I don’t think you understood my point, which was that MS would rarely if ever even need to make false positive claims in the first place. Once Sysinternals became part of MS the EXEs were all sure to be digitally signed by MS itself, and no AV would flag such files in the first place.
Use Windows Search or something similar to search for Task Scheduler.
The “Task Scheduler” should show you the tasks you want to check.
The native Windows “Task Scheduler” program has the program name “taskschd.msc”, and the path is C:\Windows\System32\taskschd.msc
The task scheduler enables you to control when certain operations or processes (in other words tasks) are run. Basically, a task is a codeunit or report that is scheduled to run at a specific date and time. Tasks run in a background session between the Dynamics 365 Business Central service instance and database. Behind the scenes, the task scheduler is used by the job queue to process job queue entries that are created and managed from the clients.
For more information, please refer to the following:
Task Scheduler | docs.microsoft.com
About the Task Scheduler
The Task Scheduler enables you to automatically perform routine tasks on a chosen computer. Task Scheduler does this by monitoring whatever criteria you choose (referred to as triggers) and then executing the tasks when those criteria are met.
You can use the Task Scheduler to execute tasks such as starting an application, sending an email message, or showing a message box. Tasks can be scheduled to execute in response to these events, or triggers.
● When a specific system event occurs.
● At a specific time.
● At a specific time on a daily schedule.
● At a specific time on a weekly schedule.
● At a specific time on a monthly schedule.
● At a specific time on a monthly day-of-week schedule.
● When the computer enters an idle state.
● When the task is registered.
● When the system is booted.
● When a user logs on.
● When a Terminal Server session changes state.
John wanted to focus on third-party updating tasks. In Task Scheduler’s native interface, I didn’t see a way to sort by author/publisher; not all authors/publishers have their own subfolder; and I didn’t see a way to filter by keyword (e.g., “update”). I find that Autoruns and TaskSchedulerView offer a more comprehensive flat listing and are easier to use. On the other hand, I haven’t spent a lot of time “mastering” Task Scheduler’s interface. But back to the first hand, I haven’t *had* to spend much time mastering Autoruns’ and TaskScheduler’s interfaces … which is another way of saying they are easier to use!
Full Disclosure: I have a software package (Garmin Express) for my Garmin GPS that I use to install map updates in the GPS maybe twice a year. Every time I update Garmin Express, it creates a task to check for updates for itself once a day. (I use SUMo a couple times a day to check for updates for *all* of my apps, so automatic update-checking in background is kind of redundant for me.) By now, I know *exactly* what task to disable for Garmin Express, and doing it in Task Scheduler is actually quicker than using the other two utilities. (Garmin Express itself also wants to run in background all the time, and that’s *another* thing I have to disable every time I update it.)
I agree with @Peterc’s reply to @John.
In fact, I was going to post the same view as your reply, but I thought I should explain the native Windows “Task Scheduler” program first, so I started posting it in stages.
At the time of my posting (I am Japanese and on Japan time, so there is a 9-hour time difference with ghacks in Germany, and it was midnight German time), @Peterc’s reply had not been reflected (it was pending moderation by ghacks).
I work for a company, but I am oriented towards a digital detox lifestyle at home. As a result, my time to engage with ghacks is limited.
That is why the replies have been choppy.
The best way to reply to @John is to “Reply to @Peterc”.
My post is only intended for the native Windows “Task Scheduler” program.
Thank you for your sincere Comments and replies.
@owl: No worries, and apologies on my end. I’ve had comments “cross in the mail” before because of composition and review/posting lags and really should have thought of that this time. (And it is in fact important to know how to use native Windows tools like Task Scheduler, if only to be capable of helping someone else who can’t or won’t install easier third-party utilities.) Please forgive me! ;-)
How to Enable or Disable Scheduled Task in Windows 10 | tenforums.com
The Task Scheduler enables you to automatically perform routine tasks on a chosen computer. With this service, you can schedule any program to run at a convenient time for you or when a specific event occurs. Task Scheduler does this by monitoring whatever criteria you choose (referred to as triggers) and then executing the tasks when those criteria are met.
Sometimes you may need to enable and disable scheduled tasks on demand as needed.
When a task is enabled, it will show its current status as Ready or Running.
When a task is disabled, it will show its current status as Disabled.
This tutorial will show you how to enable or disable one or more scheduled tasks from Task Scheduler in Windows 7, Windows 8, and Windows 10.
● Option One: Enable or Disable Scheduled Task(s) in Task Scheduler
● Option Two: Enable or Disable Specific Scheduled Task in Command Prompt
● Option Three: Enable or Disable Specific Scheduled Task in PowerShell
● Option Four: Enable or Disable All Scheduled Tasks in a Folder in PowerShell
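The single-screen view of recurring third-party tasks asked about earlier in the thread can also be produced with the built-in ScheduledTasks PowerShell cmdlets, together with a check of who signed the program each task launches. This is an added example, not taken from any comment or from the linked tutorial; the function name `Get-ThirdPartyTask` and the default `update` keyword are assumptions.

```powershell
# Added example: inventory scheduled tasks outside the \Microsoft\ folder and
# check the Authenticode signature of the program each one launches.
# Run from an elevated PowerShell prompt so that tasks belonging to other
# users and to SYSTEM are included.

function Get-ThirdPartyTask {
    param(
        # Assumed filter word, mirroring the "update" filter suggested for
        # Autoruns. Pass an empty string to list every non-Microsoft task.
        [string]$Keyword = 'update'
    )

    Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        Where-Object {
            -not $Keyword -or
            $_.TaskName -like "*$Keyword*" -or
            $_.TaskPath -like "*$Keyword*"
        } |
        ForEach-Object {
            $task = $_
            $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue

            # Only "exec" actions carry an Execute property; COM handler
            # actions do not, so those tasks are reported without a program.
            $exe = $task.Actions |
                Where-Object { $_.Execute } |
                Select-Object -First 1 -ExpandProperty Execute

            $sigStatus = 'n/a'
            $signer    = ''
            if ($exe) {
                # Task actions may use %ProgramFiles%-style variables and quotes.
                $path = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
                if (Test-Path -LiteralPath $path -PathType Leaf) {
                    $sig       = Get-AuthenticodeSignature -LiteralPath $path
                    $sigStatus = $sig.Status
                    if ($sig.SignerCertificate) {
                        $signer = $sig.SignerCertificate.Subject
                    }
                } else {
                    # Bare names such as "cmd.exe" are resolved via PATH at run
                    # time and are not looked up here.
                    $sigStatus = 'file not found'
                }
            }

            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                State     = $task.State          # Ready, Running or Disabled
                Author    = $task.Author
                NextRun   = $info.NextRunTime
                Program   = $exe
                Signature = $sigStatus           # Valid, NotSigned, HashMismatch, ...
                Signer    = $signer
            }
        }
}

Get-ThirdPartyTask | Sort-Object State, TaskName | Format-Table -AutoSize -Wrap

# To disable one task from the list (placeholder name, fill in from the output):
# Disable-ScheduledTask -TaskPath '\' -TaskName '<task name from the list>'
```

A task whose program reports a `Signature` other than `Valid`, or whose signer does not match the vendor named in `Author`, is the entry worth examining first.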
They made it easy to disable, which is good, but it’s still annoying. Sad they are wasting developer resources on this. I mean, do we really want every app creating scheduled tasks to update themselves?
More developers need to realize people don’t just use their computer for the one application they happened to help develop. I think Trump’s horrible narcissism must have been contagious, as parts of the world seems to be plagued with narcissism in the last few years.
Personally owned systems (PC, Mobile) are personal, but when they are online and connected to the web, they become public terminals. As long as it is a public terminal, it should not have any security holes. A little leak will sink a great ship. In the case of COVID-19 (novel coronavirus), which is shaking the world, personal carelessness is the source of the threat (detonator).
Web users should not lack the perspective of “public and public interest.”
Therefore, at the very least, “updates” to address security holes should be applied without delay, and the “Background Update” that will be introduced by Mozilla makes sense.
Most people just want to rant about things without actually taking positives into account, and yep Background Updates makes sense, it’s one less thing to worry about and the best part is it can be turned off for those who prefer a different approach.
@owl I agree that security holes should be patched immediately. Firefox already has multiple mechanisms for that without needing to run scheduled tasks outside of the browser.
I have over 20 applications installed… should they all be running tasks whenever they want to update themselves when each one independently thinks it’s best? No.
@owl: Pro tip, just post the links. There’s no need to also copy-paste entire pages from other sites in the comments section here. Respect the copyright of those other sites too.
> just post the links. There’s no need to also copy-paste entire pages from other sites in the comments section here. Respect the copyright of those other sites too.
Your point is correct.
Unfortunately, however, the trolling doesn’t stop because “the majority of subscribers don’t check the links”. Many commentators even comment on the “subject line” of ghacks without reading the “article” properly.
That’s why I believe that at least anything related to “what you need to know” or “the truth” should be “quoted” so as not to cause misunderstanding.
Copyright is naturally taken into consideration, and we do not cite “no reproduction” material.
In addition, comments are moderated by ghacks, and inappropriate comments are removed or corrected.
Your point is not beyond concern.
Bad idea! Especially if it is not able to be disabled in the same way Vivaldi allows.
As far as I am aware Brave is a top offender when it comes to forced updates with a constantly running process in the background and it’s annoying as heck.
I went to great lengths to disable it however I had to jump through so many hoops that I haven’t bothered to update Brave since because disabling the updater was such a pain that not even I am sure I remember or would like to go through that effort again.
Unless I have missed something here in this regard Brave is the absolute worst!
There are enough methods of being made aware of updates than having a zombie process wasting resources. I have enough already and am always looking to slim down that beyond what is necessary.
This all or nothing approach from the likes of companies like Brave is annoying. You would think that the public backlash against Microsoft would be enough for anyone to absolutely take notice and not go down that path but nope it seems not.
Maybe they should have two versions of browsers these days. The baby version where all the stupid little hold your hand features are added for the bone headed, lazy users that were not brought up on the internet that merely stumbled into it, the very same people that use TikTok and act as if they know better.
Maybe even an option at installation to enable baby mode at the very start of installing a browser would be great so then those same idiots can blissfully keep dancing on the minefields of the internet whilst acting like a fool.
The rest of us can just manually check for updates ourselves and you know visit ghacks and enjoy our life by feeling empowered to control our own fate and understanding things by learning.
God forbid anyone learn anything or be open to it, in saying that I would love to learn if there is a simple way to disable forced update from brave and stop the background process from running by simple option within Brave.
Ahhh. Very bad idea. I’ve been browser searching. My Firefox is having trouble displaying video content and it’s not Windows.
Other issues are I don’t want an all in one virus, malware, checker browser. I freaking hate chrome or any software that makes computers easier for retards to use as it makes it irritating for me to use. I’m an advanced user and now I have to use the same user interface that makes it easier for them but takes me longer to sue.
I’ve been using WaterFox which is an open-source version of Firefox and it’s using all the same extensions and even imported all my sync data, bookmarks, etc. Still even it is having issues with playing videos on most websites.
I just don’t want another piece of software randomly updating my computer. It’s already a PINA that Microsoft is forcing updates on us and they always update the computer at the worst times, mainly when you really need to use them, even with setting up the updates to be applied on weekends some still will update during the weekdays when I need to use the computer.
I just can’t understand why the powers to be at Mozilla would want to implement this. I can see it now background update for firefox then no internet access for it. With no idea what happened.
If there’s a setting to stop this I will surely turn it off.
In order to protect computer systems from external attacks, the basic rule is to apply patches released by vendors and developers immediately after they are released, but in the case of “zero-day attacks,” such measures cannot prevent the attacks because they are carried out before the countermeasures are released.
Information about the discovered vulnerability is circulated in the malicious community, and there have been cases of attack tools being sold.
Anyway, the delay in patching has become a critical problem.
Currently, Firefox updates are based on a system of applying “updates” after Firefox is run (the same is true for other browsers).
However, the new “background updates” will apply the updates before Firefox is run, which is expected to be effective against “zero-day attacks.”
The damage from a zero-day attack is more serious than the concern of “I don’t want automatic updates to cause problems in my browser”. Glitches can be fixed, but if you allow ransomware to get in, you’re screwed. We need to determine what we consider to be a risk and the severity of that risk.
The importance of applying updates depends on what kind of application program is the target (entry point) of a zero-day attack. Don’t equate web browsers with other trivial applications.
“Background updates” that will be introduced by Mozilla do not use any telemetry or resources at all, but simply use the OS task scheduler to check for updates.
Firefox update schedule and “Background updates setting values”:
Explain the native Windows “Task Scheduler” program:
I own my computer. I own my data. I decide what happens with them. Not some nanny. I am an adult and don’t need one. “Protecting people” and concerns for people’s security are traditional excuses used by surveillance regimes and totalitarian dictators. Yes: web browsers are far more sensible programs than calculators etc. And if a browser doesn’t allow me to be in control – there are alternatives.
Ah, it’s people like you that we strongly feel “need a nanny”!
If people who are ignorant of the web situation use the web browser, they will cause a great deal of trouble for the world. You should immediately stop using the Web and find another toy. It’s not for your own sake, but for the sake of the sensible world.
Stopped updating Firefox at 88.0.1 last version to support ftp.
Fed up with goglish-like cr#p.