When Mozilla launched Firefox 5 yesterday, there were no mentions of security updates for Firefox 4. And for good reason: Mozilla is treating Firefox 5 as 4’s final security update.
Now that Mozilla has put itself on a rapid release development cycle, similar to what Google does with Chrome, old numbered versions of the product will no longer get security updates. Users that don’t update will likely be exposed to vulnerabilities as they are discovered.
A mozilla.dev.planning mailing list indicates that Mozilla views Firefox as “end of life” for security patches. The last update to Firefox 4 was 4.0.1 on April 28, which fixed eight vulnerabilities.
Chrome has solved the problem of lagging security updates by having the browser automatically update, which means users almost always run the latest and most secure version. Unfortunately, Mozilla does not have automatic updating in place. Instead, a pop-up window shows up on screen to let the user know about the latest major update.
I’ve used both Firefox and Chrome extensively, and I much prefer the Chrome approach. When you see a pop-up telling you to upgrade, you’ll likely only upgrade if you’re not busy doing something else. Automatically upgrading to the latest version forces the user to be safe rather than letting him or her sit there as a hacker takes advantage of a security hole in an old version of the browser.
The only reason users may choose not to update to the new version is to keep their add-ons working if the latest version does not support them. But those users need to ask themselves if a certain add-on or two not working in a new version is worth added security risks.
If you’re a Firefox user and haven’t updated to 5, I’d recommend doing so immediately. If you’re using Chrome, well, let it ride.