Firefox extensions have been broken for many users since Friday 3 May after Mozilla failed to renew a security certificate.
Yesterday, Mozilla announced via Twitter that it had issued a temporary fix. “We rolled out a hotfix that re-enables affected add-ons,” it said. “The fix will be automatically applied in the background within the next few hours.”
In order to be able to provide the temporary fix at short notice on a weekend, Mozilla is using the “studies” system – an unusual mechanism that you may have disabled.
You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.
Mozilla says it is now working on a general fix that doesn’t need to rely on this mechanism.
Not all users
But the temporary fix doesn’t work for all Firefox users: for example those that use Android, the Tor browser, or the Extended Support Release of Firefox. At the same time, the fix can take up to six hours to work on your browser.
Early this morning (5 May), Mozilla’s Kev Needham updated his blog, admitting that some users are reporting that they do not have the “hotfix-update-xpi-signing-intermediate-bug-1548973” study active in “about:studies”.
He advises against using workarounds – and not to delete and reinstall add-ons to try and fix the issue: “Rather than using work-arounds, which can lead to issues later on, we strongly recommend that you continue to wait.
“If it’s possible for you to receive the hotfix, you should get it by 6am EDT, 24 hours after it was first released. For everyone else, we are working to ship a more permanent solution. (May 5, 00:54 EDT).”
What to do
Mozilla is advising not to use workarounds: these could leave you open to a number of security issues.
For those using the Tor browser who have no other option, there is a workaround. However, this presents a security risk, Troy Mursch, security researcher at Bad Packets told me.
He advises using this “only if using another browser is not an option for the user”, adding: “It's an acceptable risk for the short-term if the user remembers to reenable the ‘xpinstall.signatures.required’ setting once the permanent fix is in place. If they don't, it leaves the door open for malicious/untrusted add-ons to be installed.”
Taking this into account, Mursch strongly advises against workarounds: “I'd rather keep my data safe versus the risk of losing it while attempting workarounds,” he says.
Ideally, you should try another browser. I hear Google Chrome is working fine.
Updated 6 May 01:54 EDT
Firefox has released a new update covering version 66.0.4 on Desktop and Android, and version 60.6.2 for ESR. It does not however, cover older versions. “There are remaining issues that we are actively working to resolve, but we wanted to get this fix out before Monday to lessen the impact of disabled add-ons before the start of the week,” Needham says.
