?
You can't drop a sentence like this without an explanation, my dear Watson 🧐
Do you mean because Chromium has a bigger community and therefore more eyes on the code? Or are you referring to something in particular?
Mozilla, the company that makes Firefox, formalized a release schedule for handling their development. It is based on fixed windows (6 weeks) where builds cascade down a series of different channels (Nightly, Aurora, etc.), each time with more bug fixes and stability. This is transparent and a perfectly acceptable way to manage a software project (Chrome has a similar series of channels, although they move much faster and not on a fixed schedule.)
Mozilla releases Nightly builds every day (basically)
Aurora builds are released every 6 weeks
Beta builds are bug fix releases of Aurora, every 6 weeks
Release builds are final bug fix releases of Beta, every 6 weeks
Extended Support Release builds are Release builds with all the Critical and High security bugs patched, about every 6 weeks. To be clear - only Critical and High security bugs.
There are some minor quirks, but in comparison to Firefox ESR's bug-fix scenario, no big deal.
Case of threat modelling:
They chain a series of Medium / Low vulnerabilities together until they get the level of access they require, e.g. remote code execution. They have a permanent window of exposure.
Is it enough? I think we've gone too far beyond the boundaries of this topic.
Ah, I almost forgot this nice little 'feature'.
You gotta remember that it just means that Firefox builds are thoroughly tested before release.
Yes, but again - Extended Support Release builds are Release builds with all the Critical and High security bugs patched, about every 6 weeks. Chain a series of Medium / Low vulnerabilities together and you could get RCE very easily as an adversary with proper resources.
If it’s so easy, do it and I’ll talk to you when you’re done.
Do you understand the concept of threat modelling? Obviously not. We're talking about adversaries with proper resources (e.g. Nation States, APTs, Offensive Intelligence, Major hacker groups).
But usually a cleverly crafted XSS (which is an opportunistic kind of attack) works with Firefox ESR too. They are mainly blocked by Chrome at the same time.
Well you said that RCE was easy with the proper resources, so I'm asking you to obtain those resources and prove your point.
Do I look like an adversary with proper resources? If yes, you should probably take a cold shower. If not, why do you ask me a stupid question like this? Let's make a deal: try to study the main concepts of information security at your local university and then we can discuss it like two people with an equivalent degree of knowledge and understanding in this field. Otherwise, please do not ask me any more stupid questions. Thank you.