A collage of four icons for Waterfox, Pale Moon, Cliqz, and Tor Browser.

How quickly do Firefox-derived browsers receive security updates?

Mozilla released two security updates to their open-source Firefox web browser just two days apart. This provided an excellent stress test and case study for how quickly Firefox-derived web browsers ship security updates.

The two security vulnerabilities in question, CVE-2019-11707 (MFSA-2019-18) and CVE-2019-11708 (MFSA-2019-19), were both zero-day critical security vulnerabilities that were known to be actively exploited on the web. Mozilla released Firefox 67.0.3 and 67.0.4 two days apart to address each of these issues.

I’ll use the same Firefox derivatives I’ve featured before: Tor Browser, Cliqz, Waterfox, and Pale Moon.

The table below shows how many hours passed between Mozilla releasing each Firefox update and the downstream project releasing its own update to address the problem:

Downstream project hours to release after Firefox upstream release

| Browser | Release delay after Firefox 67.0.3 | Release delay after Firefox 67.0.4 |
|---|---|---|
| Tor Browser | 31 hours | 10 hours |
| Cliqz | 72 hours | 200 hours |
| Waterfox | 29 hours | unpatched |
| Pale Moon | Not vulnerable | Not vulnerable |

The above table is sorted by the estimated number of active users for each web browser. The most popular browsers unsurprisingly have the most resources to track upstream releases more closely.

Cliqz and Waterfox ship the latest version of Firefox, and the Tor Browser ships the slightly older Extended Support Release (ESR) version. Both the current and ESR versions of Firefox were vulnerable to the zero-day security issues. Pale Moon is a true project fork from Firefox and no longer shares the vulnerable components that were affected by the recent security issues.

The Tor Browser was quick to release an update for both issues. The Tor Project caters to people who need strong security and privacy, and it’s good to see them keeping up with the latest developments.

Cliqz was slower, and took three days to release the first update, and then didn’t release the second update until I prompted them about it a week later for this article. Their project commit log shows that a developer had done the work required to update their codebase on Monday, but it still took them until Friday to push out the update.

Waterfox is mostly a one-man project, but managed to deliver the first security update in a timely manner. They appear to have dropped the ball on the second security update, however. I reached out to the project’s account on Twitter (no other point of contact was provided on the project’s website), but haven’t heard back.

I’m not trying to convince you not to explore different web browsers. However, you should be aware that alternate web browsers will be lagging behind the original projects when it comes to security updates. You need to decide for yourself what is and isn’t an acceptable security risk for you. Please also keep in mind that most of these smaller web browser projects are volunteer efforts by small teams with lives and families of their own.