You may want to configure your browser to check for extension updates more often than once per day if you’re using security-critical browser extensions like the popular LastPass password manager.
This week, three vulnerabilities were discovered and quickly fixed in various versions of the LastPass extension that allowed an attacking website to execute arbitrary code or steal a complete copy of the user’s password keychain. This highlights how important it’s to keep your browser extensions up to date with the latest security patches.
Google Chrome checks for updates every five hours by default, which seems like a reasonable default. On the other hand, Firefox only checks for updates once per day. When I checked on six systems where I’ve LastPass installed in Firefox, only one of the systems had received and install the updated LastPass extension. The extension had been released some nine hours earlier. That is an unacceptable long time window to leave such critical issues unpatched.
Firefox allows its users great control over most functionality, including the auto-update system for extensions and add-ons. The following steps will show you how to increase the update frequency from once to six times per day:
- Type in about:config in Firefox’s address field, and press Enter.
- Accept the warning, and search for “extensions.update.interval” in the list of options.
- Double-click on the entry and change the value from “86400” (24 hours in seconds) to “14400” (4 hours in seconds.)
The new setting won’t come in effect until after Firefox next checks for updates (up to 24 hours.) You can force it to take effect immediately by going to the extensions manager in Firefox, clicking the settings/gear icon, and then click on Check for updates.
There’s probably very little point in checking too often, but you can make up your mind about how often you want your browser to poll for updates to your extensions. As I mentioned at the start, it might be a good idea to check more frequently if you rely on any security related extensions.
Chrome’s default of checking for updates every 5 hours can’t be changed in permanent configuration. However, it can still be done using the --extensions-update-frequency=14400 runtime flag. You can append this flag to the shortcut file you use to launch Chrome. This still won’t ensure that the flag is always used as the system may launch Chrome directly, bypassing the flag you’ve added to the shortcut file.
Please consider switching to Firefox if you want a browser that gives you more control.
This runtime flag may also work on other Chromium based browsers including Vivaldi and Opera. The more diverged/unique the alternate distribution is from upstream Chromium, the less likely it’s that the flag will have any effect. Ask your browser vendor for specific details.
Avid readers of my blog may recall that I mentioned that I’m not entirely comfortable with the auto-update mechanism used by browser extensions — and maybe that I don’t trust LastPass either. Despite my reservations, I’ve since moved all my password over to LastPass. Thus, I was also affected by LastPass’ latest security vulnerabilities.
LastPass for Firefox uses their own servers to deliver auto-updates rather than using the Firefox Add-ons Catalog hosted by the Mozilla Foundation. This means LastPass doesn’t have any external checks or balances in place for the updates they deliver.
They could, potentially, deliver targeted attacks to certain users through their auto-update system. I’m obviously of two minds regarding auto-updating of extensions. However, at the end of the day I much prefer receiving critical security updates than not to.