If you installed Kee in Firefox in the past couple of days, you have been given an old version of the extension by Mozilla (the makers of Firefox and managers of the Firefox add-ons marketplace / website).
Existing installations won’t be affected.
Check that you are running a recent version - 2.5 is the latest, but 2.4 is fine too (it just means that the automatic update to 2.5 hasn’t happened - it won’t be long so just check again in a few days if you want). If you are running a version older than 2.4, you should be automatically updated to a working version within a couple of days but I’d recommend asking Firefox to “check for updates” in the Add-ons manager tab to force this update to occur more quickly.
Mozilla are publishing version 2.5 right now - it usually takes less than an hour. Google Chrome users will be updated to v2.5 at least a few days later, just to keep the version numbers the same.
With over 100 “commits” (multiple related changes to the add-on code) over more than a year since the 2.0.0.25 version that Mozilla have distributed in recent days, that old version clearly has a large number of bugs, missing features and performance problems when compared to the latest version 2.4 released last month.
While there are no known security problems, installing out-of-date software is always a risk, especially so with security software like Kee. If someone had the inclination, developing an attack against a version over a year old is easier than doing so against the latest version.
It is concerning that this has happened and I have raised my concerns with Mozilla. I am unsure whether the discussion with them will continue and lead to any constructive future changes but I will give that a chance. In the meantime, I feel I need to be upfront with all Kee users about what has happened so that this can alleviate any concerns that would arise from the unusual recent activity.
The simplified facts of the matter are that:
- Changes to Mozilla’s add-on review policies in the last year or so have meant that they may require modifications to the structure of an add-on’s source code.
- Kee, unknown to me, was no longer in compliance with one of these changed policies that aims to help Mozilla to efficiently review the large amount of code in the large number of add-ons for Firefox.
- Mozilla notified me of this and I sought the policy clarifications required to allow me to develop the changes they requested in a timely manner.
- Mozilla provided this clarification but only after they had already disabled all versions of the add-on since 2.0.0.25.
- My requests for this to be reversed have so far received no response.
- To ensure that new Kee users are not delivered a compromised experience, I have today issued an emergency update to version 2.5.
The changes in v2.5 are broadly insignificant to anyone other than a Mozilla reviewer so I am hopeful that bypassing the usual beta testing and language translation period will cause no problems. Do let me know if you find something that does break though.
I am confident that Mozilla and those working in the add-on review team are acting with all Firefox users’ best interests at the fore - it is scary to think of how many malicious add-ons they must come across every day and just one slip-up could lead to disastrous consequences for users and themselves.
In my opinion, this particular situation could have been handled in a way that showed a greater respect for the users of Kee and those that spend their spare time developing extensions to improve Firefox (e.g. me), and I am hopeful that some minor adjustments to the Mozilla review process will prevent this from happening to Kee or other Firefox add-ons in future.