Butiksside
Steam Deck
Alt Diskussioner Illustrationer Videoer Nyheder Guider Anmeldelser

Steam Deck

Butiksside
Steam Deck > Bug Reports > Trådoplysninger
Dr. Leon Sisk 2. juni 2022 kl. 15:48
The Steam Decks version Firefox is still outdated.
(This has been posted on the /r/SteamDeck subreddit and has been cleansed of links and names of users for the sake of posting it in the Bug Reports section here.)

I'll start this by saying that there have been 2 replies from Steam Support concerning this.

"Hello,

I am sorry to hear that you are having trouble with Steam Deck.

We are investigating this issue further. As soon as we have more information, we will update your ticket.

Steam Support Ivan"

___________

" Hello,

Thank you for the report. The Steam Deck development team is aware of the concerns/issue around this and are looking into it. Any new updates will be detailed here in our release notes.

Support Tony"

___________

The current version of Firefox is version 101.0 which is several versions ahead of the outdated un-updatable version that comes with the Steam Deck.


The horridly out of date version of Firefox that comes with the Steam Deck is still version

96.0.3 (64-bit)
Mozilla Firefox for Arch Linux
archlinux - 1.0

wrote it how it appears on the 'about firefox' section.

From my weak google-fu technique i have seen that pretty much almost nobody else has brought this up. There's still no way to update the darn thing by itself. If you install the version on Discovery (which ends up installing a SEPARATE/NEW installation of firefox meaning you'll need to login to everything all over again/sync bookmarks), using the icon on the taskbar still ends up opening the default outdated version which is the old installation.

Here are some quotes from the comments section on older post from /r/Steamdeck i made and someone from the /r/Firefox subreddit.

_____ a commenter from the firefox subreddit.

" That's... stupendously bad.

Firefox 96 is vulnerable to four critical security flaws (plus about a dozen other potentially exploitable defects), at least 2 of which are know to be in under attack in the wild:"

_____ one from a /r/SteamDeck commenter

" You can't (update firefox) unless you start fiddling with disabling read only mode etc.

It is not and Valve should really do something about it. Currently Firefox is part of the OS image and thus can and will only be updated when Valve pushes an OS update.

I think this is not good and they should move to the version in the Discover store, since that one will be kept up to date and also users can update it whenever they wish."

_____ another from a /r/Steamdeck commenter

"You have to wait for Valve to update it in a regular update. The apps you installed via Discover can be updated through the Discover app, but all of the pre-installed software is up to Valve to update as the regular Arch package manager (pacman) is disabled and not configured for the regular Arch mirrors."
< >
Viser 1-14 af 14 kommentarer
Neikius 4. juni 2022 kl. 7:59 
Firefox is from flatpak?
#1
RealCelticGamer 8. juni 2022 kl. 13:36 
It's not possible to remove the pre-installed version either.
#2
Jasiri 24. juni 2022 kl. 14:36 
+1 on this, noticed this weird behaviour re: getting two separate installs myself today.
#3
Dr. Leon Sisk 6. juli 2022 kl. 13:10 
A month forward, and it is still not updated. Firefox is now at version 102.0.1 as of today.
#4
RealCelticGamer 6. juli 2022 kl. 17:55 
Firefox should be a high priority to keep as up-to-date as possible.
Outside of hardware exploits, I would imagine future attacks on Steam Deck's will simply abuse functions of the browser.

I'm wondering why Valve would add Firefox to the immutable part of the OS image instead of just having it as a pre-installed flatpak. That would be easier to update instead of having to roll out a whole new system image just because Firefox needed to be updated.
#5
The Asgorian Bugsong 7. juli 2022 kl. 9:37 
Apparently peeps are saying they are removing the native version installed by default and are using the flatpak version instead on steamos "main"
Sidst redigeret af The Asgorian Bugsong; 7. juli 2022 kl. 9:38
#6
RealCelticGamer 7. juli 2022 kl. 10:00 
Oprindeligt skrevet af The Asgorian Bugsong:
Apparently peeps are saying they are removing the native version installed by default and are using the flatpak version instead on steamos "main"
That's not a recommended "fix" as you have to enable developer mode, then enable additional update channels.

They're hidden for a reason.
#7
jimmie.lin 7. juli 2022 kl. 10:05 
Please update the built-in Firefox - having packages built in SteamOS with severe security vulnerabilities, regardless of alternative Flatpak versions, is a huge security risk if the desktop mode is promoted as an option.
#8
The Asgorian Bugsong 7. juli 2022 kl. 10:07 
Oprindeligt skrevet af RealCelticGamer:
Oprindeligt skrevet af The Asgorian Bugsong:
Apparently peeps are saying they are removing the native version installed by default and are using the flatpak version instead on steamos "main"
That's not a recommended "fix" as you have to enable developer mode, then enable additional update channels.

They're hidden for a reason.
I'm not saying thats how you fix it, I'm only saying that I wouldn't be surprised if this made its way into the next steamos beta update on deck.
#9
RealCelticGamer 7. juli 2022 kl. 11:43 
Oprindeligt skrevet af The Asgorian Bugsong:
Oprindeligt skrevet af RealCelticGamer:
That's not a recommended "fix" as you have to enable developer mode, then enable additional update channels.

They're hidden for a reason.
I'm not saying thats how you fix it, I'm only saying that I wouldn't be surprised if this made its way into the next steamos beta update on deck.
Valve have issued a statement ~ https://www.gamingonlinux.com/2022/07/you-should-avoid-the-stock-firefox-install-on-steam-deck-as-its-badly-outdated/
#10
Cypherous 7. juli 2022 kl. 13:36 
Oprindeligt skrevet af jimmie.lin:
Please update the built-in Firefox - having packages built in SteamOS with severe security vulnerabilities, regardless of alternative Flatpak versions, is a huge security risk if the desktop mode is promoted as an option.

Probably not as big a deal as you think though, the overwhleming majority of malware you might encounter literally won't run on the deck due to it being linux based, the same with viruses, there is also the added benefit that the steam decks OS files are ready only so malware has no way to modify them anyway

Sure it should be updated but its not as big of a deal as you think it might be, the issue with making it flatpak is that it means you could actualyl end up in situations where the browser ends up being even more out of date as time goes by as it won't get automatically updated when a steamOS update is released, its a bit of a catch 22
#11
Sekoku 7. juli 2022 kl. 19:36 
Oprindeligt skrevet af Cypherous:
Probably not as big a deal as you think though, the overwhleming majority of malware you might encounter literally won't run on the deck due to it being linux based, the same with viruses, there is also the added benefit that the steam decks OS files are ready only so malware has no way to modify them anyway

Sure it should be updated but its not as big of a deal as you think it might be, the issue with making it flatpak is that it means you could actualyl end up in situations where the browser ends up being even more out of date as time goes by as it won't get automatically updated when a steamOS update is released, its a bit of a catch 22

It doesn't matter "how big a deal" it is. The fact remains: Valve is the one managing their Fork of Arch therefore all the Repo/software updates fall under their purview. This means: Any security risks on the deck are Valve's issue/problem. If Firefox is severely outdated with RCE or other security risks, it's on Valve if the deck gets exploited, not the users. The users can't fix it without doing advanced administration because Valve is lazy (to not use that word excessively) to fix the issue/repos.

This is step-one of maintaining a Linux Distro. They didn't do it with the Debian fork, they're not doing it with Arch. It leaves a huge sour taste in my mouth that their major consumer project has a laissez-faire attitude toward maintaining an OS that a lot of casual PC users do not have the experience to administrate themselves for the security risk.
Sidst redigeret af Sekoku; 7. juli 2022 kl. 19:37
#12
RealCelticGamer 7. juli 2022 kl. 20:22 
Oprindeligt skrevet af Sek2.22: You Can (Not) Advance(d:
Oprindeligt skrevet af Cypherous:
Probably not as big a deal as you think though, the overwhleming majority of malware you might encounter literally won't run on the deck due to it being linux based, the same with viruses, there is also the added benefit that the steam decks OS files are ready only so malware has no way to modify them anyway

Sure it should be updated but its not as big of a deal as you think it might be, the issue with making it flatpak is that it means you could actualyl end up in situations where the browser ends up being even more out of date as time goes by as it won't get automatically updated when a steamOS update is released, its a bit of a catch 22

It doesn't matter "how big a deal" it is. The fact remains: Valve is the one managing their Fork of Arch therefore all the Repo/software updates fall under their purview. This means: Any security risks on the deck are Valve's issue/problem. If Firefox is severely outdated with RCE or other security risks, it's on Valve if the deck gets exploited, not the users. The users can't fix it without doing advanced administration because Valve is lazy (to not use that word excessively) to fix the issue/repos.

This is step-one of maintaining a Linux Distro. They didn't do it with the Debian fork, they're not doing it with Arch. It leaves a huge sour taste in my mouth that their major consumer project has a laissez-faire attitude toward maintaining an OS that a lot of casual PC users do not have the experience to administrate themselves for the security risk.
Exactly.
It's imperative that Valve step up and fix the vulnerabilities before they're exploited.

Mozilla posted the exploits back in January I think, so it's not like Valve haven't been aware of the issues.

Arch was absolutely the wrong choice to base SteamOS 3.0 on, Fedora Kinoite would have been much wiser.
#13
Cypherous 8. juli 2022 kl. 16:30 
Oprindeligt skrevet af Sek2.22: You Can (Not) Advance(d:
Oprindeligt skrevet af Cypherous:
Probably not as big a deal as you think though, the overwhleming majority of malware you might encounter literally won't run on the deck due to it being linux based, the same with viruses, there is also the added benefit that the steam decks OS files are ready only so malware has no way to modify them anyway

Sure it should be updated but its not as big of a deal as you think it might be, the issue with making it flatpak is that it means you could actualyl end up in situations where the browser ends up being even more out of date as time goes by as it won't get automatically updated when a steamOS update is released, its a bit of a catch 22

It doesn't matter "how big a deal" it is. The fact remains: Valve is the one managing their Fork of Arch therefore all the Repo/software updates fall under their purview. This means: Any security risks on the deck are Valve's issue/problem. If Firefox is severely outdated with RCE or other security risks, it's on Valve if the deck gets exploited, not the users. The users can't fix it without doing advanced administration because Valve is lazy (to not use that word excessively) to fix the issue/repos.

This is step-one of maintaining a Linux Distro. They didn't do it with the Debian fork, they're not doing it with Arch. It leaves a huge sour taste in my mouth that their major consumer project has a laissez-faire attitude toward maintaining an OS that a lot of casual PC users do not have the experience to administrate themselves for the security risk.

Cool so now its down to the end user to update the browser to fix those security holes, good luck with that :P
#14
< >
Viser 1-14 af 14 kommentarer
Per side: 1530 50

Steam Deck > Bug Reports > Trådoplysninger
Dato opslået: 2. juni 2022 kl. 15:48
Indlæg: 14

Diskussionsregler og retningslinjer