Resolving a critical Firefox vulnerability using Fleet's new automation features

When Mozilla announced a critical vulnerability in Firefox (CVE-2024-115), organizations were faced with the urgent need to update to version 132.0 to protect against arbitrary code execution. At Fleet, we were able to respond to this threat quickly and effectively using some of our latest features. Here’s how we leveraged Fleet’s new policy-based software installation and GitOps integration to resolve the issue across our macOS fleet seamlessly and without disruption.

Understanding the threat

The vulnerability, as detailed in a CISecurity advisory, could allow attackers to execute arbitrary code on devices running an outdated version of Firefox. Addressing this swiftly was essential to maintain security and compliance across all endpoints.

Automating the response with Fleet

Fleet recently introduced a feature that allows users to automatically install or upgrade software on policy failure. This capability, outlined in our guide on automatic software installation, became the basis of our solution.

Using this feature, we defined a policy to detect outdated versions of Firefox and automatically install the latest secure version. The policy was managed and deployed using Fleet’s GitOps feature, which integrates with source control to maintain versioned infrastructure as code.

Implementing the fix

Here is the original policy:

- name: macOS - Upgrade Firefox
  query: SELECT 1 FROM apps WHERE name = 'Firefox.app' AND version_compare(bundle_short_version, '130.0.0') >= 0;
  critical: true
  description: The host may have an outdated version of Firefox, potentially risking security vulnerabilities or compatibility issues.
  resolution: Upgrade Firefox to the latest version.
  platform: darwin

We updated the policy to enforce the installation of version 132.0:

- name: macOS - Upgrade Firefox
  query: SELECT 1 FROM apps WHERE name = 'Firefox.app' AND version_compare(bundle_short_version, '132.0.0') >= 0;
  critical: false
  description: The host may have an outdated or non-existent version of Firefox, potentially risking security vulnerabilities or compatibility issues.
  resolution: Firefox will automatically be updated to the latest version.
  platform: darwin
  install_software:
    - url: https://download-installer.cdn.mozilla.net/pub/firefox/releases/132.0/mac/en-US/Firefox%20132.0.pkg
    self_service: true

With this policy in place, Fleet automatically identified devices running an outdated version of Firefox and initiated the update process to version 132.0.

Results

Before deploying the policy, we identified over a dozen devices running vulnerable versions of Firefox. After merging the policy changes, Fleet’s automation took over. By the next morning, every affected device had been seamlessly updated to the secure version 132.0—all without any manual intervention or disruption to end users.

Why This matters

This experience underscores the power and agility of Fleet’s new automation features:

• Rapid response: We were able to address a critical vulnerability within hours.
• Efficiency: Automation eliminated the need for manual updates, saving time and reducing errors.
• User experience: Updates occurred in the background, ensuring users could continue working uninterrupted.

Try it yourself

If you’re already using Fleet, check out our guide on automatic software installation to see how you can leverage these features in your own organization. To learn more about GitOps in Fleet, check our guide on integrating GitOps with Fleet.

By combining powerful policy definitions with automation, Fleet enables organizations to stay ahead of threats and ensure compliance with minimal effort.