When Mozilla announced a critical vulnerability in Firefox (CVE-2024-115), organizations needed to move quickly to version 132.0 to protect against arbitrary code execution. At Fleet, we responded to this threat quickly and effectively using some of our latest features. Here’s how we used Fleet’s new policy-based software installation and GitOps integration to resolve the issue across our macOS fleet without disrupting anyone.
The vulnerability, as detailed in a CISecurity advisory, could allow attackers to execute arbitrary code on devices running an outdated version of Firefox. Addressing this swiftly was essential to maintain security and compliance across all endpoints.
Fleet recently introduced a feature that allows users to automatically install or upgrade software on policy failure. This capability, outlined in our guide on automatic software installation, became the basis of our solution.
Using this feature, we defined a policy that fails on any host running an outdated version of Firefox and then automatically installs the patched version on every host that fails. The policy was managed and deployed through Fleet’s GitOps feature, which keeps the configuration in source control as versioned infrastructure as code.
Here is the original policy:
```yaml
- name: macOS - Upgrade Firefox
  query: SELECT 1 FROM apps WHERE name = 'Firefox.app' AND version_compare(bundle_short_version, '130.0.0') >= 0;
  critical: true
  description: The host may have an outdated version of Firefox, potentially risking security vulnerabilities or compatibility issues.
  resolution: Upgrade Firefox to the latest version.
  platform: darwin
```
We updated the policy to require version 132.0 and to install it automatically wherever the check fails:
```yaml
- name: macOS - Upgrade Firefox
  query: SELECT 1 FROM apps WHERE name = 'Firefox.app' AND version_compare(bundle_short_version, '132.0.0') >= 0;
  critical: false
  description: The host may have an outdated or non-existent version of Firefox, potentially risking security vulnerabilities or compatibility issues.
  resolution: Firefox will automatically be updated to the latest version.
  platform: darwin
  install_software:
    - url: https://download-installer.cdn.mozilla.net/pub/firefox/releases/132.0/mac/en-US/Firefox%20132.0.pkg
      self_service: true
```
A Fleet policy passes on a host when its query returns at least one row, so a host passes here only if it has Firefox.app at version 132.0.0 or newer. With this policy in place, Fleet flagged every device running an outdated version of Firefox and queued the install of version 132.0 on each one. Note that a host with no Firefox.app installed returns no rows and therefore also fails, so Fleet installs Firefox 132.0 there as well; that is why the description says "outdated or non-existent", and it is worth checking that this is the behaviour you want before enabling install_software on a policy.
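To see which hosts such a policy would touch before merging it, the following added example (not Fleet code, and not part of the original post) replays the policy query against constructed per-host `apps` inventories in SQLite, which is the engine osquery itself is built on. It assumes Fleet's pass/fail rule (a host passes when the query returns a row; with install_software set, every failing host gets the install), approximates osquery's `version_compare` with a dotted-numeric comparison, and adds a hypothetical `UPGRADE_ONLY_QUERY` variant that passes when Firefox is absent so the install fires only on hosts that already have Firefox. The host names and versions are made up for the example.

```python
"""Replay a Fleet policy query against sample host inventories.

Added example, not Fleet's code. Assumed Fleet semantics: a host passes a
policy when the query returns at least one row; when the policy carries
install_software, every host that fails is queued for the install.
"""
import re
import sqlite3

def version_compare(a: str, b: str) -> int:
    """Approximation of osquery's version_compare(): compare dotted versions
    field by field as integers (leading digits only, missing fields are 0).
    Returns -1, 0 or 1, so `version_compare(x, y) >= 0` means x >= y."""
    def fields(v: str) -> list[int]:
        out = []
        for part in v.split("."):
            m = re.match(r"\d+", part)
            out.append(int(m.group()) if m else 0)
        return out
    fa, fb = fields(a), fields(b)
    width = max(len(fa), len(fb))
    fa += [0] * (width - len(fa))
    fb += [0] * (width - len(fb))
    return (fa > fb) - (fa < fb)

# The query from the updated policy on the page.
POLICY_QUERY = (
    "SELECT 1 FROM apps WHERE name = 'Firefox.app' "
    "AND version_compare(bundle_short_version, '132.0.0') >= 0;"
)

# Hypothetical variant (assumption, not from the page): also passes when
# Firefox.app is absent, so install_software only fires on hosts that have it.
UPGRADE_ONLY_QUERY = (
    "SELECT 1 WHERE NOT EXISTS (SELECT 1 FROM apps WHERE name = 'Firefox.app') "
    "OR EXISTS (SELECT 1 FROM apps WHERE name = 'Firefox.app' "
    "AND version_compare(bundle_short_version, '132.0.0') >= 0);"
)

# Constructed inventories standing in for each host's osquery `apps` table.
HOSTS: dict[str, list[tuple[str, str]]] = {
    "mac-01": [("Firefox.app", "131.0.2"), ("Safari.app", "18.0")],
    "mac-02": [("Firefox.app", "132.0"), ("Safari.app", "18.0")],
    "mac-03": [("Safari.app", "18.0")],                          # no Firefox at all
    "mac-04": [("Firefox.app", "128.3.1"), ("Firefox Nightly.app", "133.0a1")],
}

def evaluate(query: str, apps: list[tuple[str, str]]) -> bool:
    """Run one policy query against one host's apps; True means the host passes."""
    con = sqlite3.connect(":memory:")
    con.create_function("version_compare", 2, version_compare, deterministic=True)
    con.execute("CREATE TABLE apps (name TEXT, bundle_short_version TEXT)")
    con.executemany("INSERT INTO apps VALUES (?, ?)", apps)
    passed = con.execute(query).fetchone() is not None
    con.close()
    return passed

def hosts_to_install(query: str = POLICY_QUERY) -> list[str]:
    """Hosts that fail the policy, i.e. the ones Fleet would queue the install on."""
    return sorted(host for host, apps in HOSTS.items() if not evaluate(query, apps))

if __name__ == "__main__":
    for label, q in (("page policy", POLICY_QUERY), ("upgrade-only", UPGRADE_ONLY_QUERY)):
        print(f"{label}: install Firefox 132.0 on {hosts_to_install(q)}")
```

Running it shows the page's policy queuing the install on mac-01, mac-03 and mac-04, while the upgrade-only variant skips mac-03 because that host never had Firefox. Keep the approximation of `version_compare` in mind: it is enough to reason about the policy, but the authoritative comparison is the one osquery performs on the host.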
Before deploying the policy, we identified over a dozen devices running vulnerable versions of Firefox. After merging the policy changes, Fleet’s automation took over. By the next morning, every affected device had been updated to version 132.0, with no manual intervention and no disruption to end users.
This experience underscores the power and agility of Fleet’s new automation features:
- Rapid response: We were able to address a critical vulnerability within hours.
- Efficiency: Automation eliminated the need for manual updates, saving time and reducing errors.
- User experience: Updates occurred in the background, ensuring users could continue working uninterrupted.
If you’re already using Fleet, check out our guide on automatic software installation to see how you can leverage these features in your own organization. To learn more about GitOps in Fleet, check our guide on integrating GitOps with Fleet.