Plugin Updating Project: Follow up

Johnathan Nightingale


I wrote last week about a new project we’ve started, informing our users when they’re running out-of-date versions of popular plugins. We focused our initial efforts on the Adobe Flash Player and now, a week after launch, Mozilla’s Numerator, Ken Kovash, has a blog post up looking at the results.

Those results have been nothing short of awesome. In the first week that the project has been live, we’ve seen 10 million people click through from our page to Adobe’s update site. As Ken points out, this is not just a huge number, it’s also about 5x higher click-through than that page typically sees.

We’re continuing to look for ways to help our users stay safe and up to date. We’re working to roll other plugins into our web-based checking, and the Firefox team is also building an integrated check that will let you know whenever a site you visit is trying to use an outdated plugin (more on that soon). This is just the beginning.

Johnathan Nightingale
Human Shield

14 responses

  1. Lee Petty wrote on :

    I just read about BetterPrivacy, a Firefox plugin to enable deletion of Flash cookies. Where do I find it?

  2. Daniel Veditz wrote on :

    Add-ons can be found at addons.mozilla.org

    BetterPrivacy is at https://addons.mozilla.org/en-US/firefox/addon/6623

  3. Mele20 wrote on :

    All I can say is that Mozilla is taking considerable flak at Security forums over their invasion of users’ privacy. Users are asking how can they turn off this checking and then phoning home that Fx is now doing. I, for one, will never upgrade Fx 3.0 if you cannot tell me how to turn this checking off. My privacy is foremost for me, plus, I resent that you feel I am so stupid that I can’t be bothered to keep my plugins updated… assuming I want them updated. It is MY decision and Mozilla has no business butting into how I use my computer.

    I want a browser. I don’t want a net nanny. I don’t use Flash Player and you already told me in an earlier post (that I got no further reply to after I wrote a long reply) that Fx will not check on me if I don’t have Flash Player installed. But what about for other plugins? How do I stop this VERY UNWANTED invasion of my privacy if I were to decide to upgrade to 3.5?

  4. Daniel Veditz wrote on :

    How is this an invasion of privacy? I’m seriously offended at the suggestion because we go out of our way to make sure we’re not collecting personal information in everything we do. Everything!

    We’re not doing this because we want to know anything about anyone, we’re doing this because Firefox users–like all browser users–are being infected left and right through plugin infections. Malware infections are at epidemic levels, and as IE loses its dominant marketshare the criminals are turning to vectors that work across browsers like Flash and Java and that can be easily spread to popular sites through advertising networks. A few years back if you avoided the sketchy “back alleys” of the internet like warez and porn sites you didn’t have much to worry about; no more.

    I guess that means I have to cop to the charge of “Nanny”, but when as much as 80% of internet users are at risk clearly millions of people are unaware of the danger. This effort is not directed at the clueful like yourself who keep things up to date and disable services they don’t need.

  5. cubefox wrote on :

    I absolutely agree with you, Daniel. Mozilla has by far the best plugin support compared with other browsers. But I hope that the old Plugin Finder Service will get improved, too. There are still many problems. Currently, PFS recognizes very few plugins (not even Java and Silverlight). In Bugzilla, new add-me requests to PFS get ignored. A web interface on AMO is needed. Also, there are many other PFS bugs (problems with the PFS “manual install”, the object-tag, mime-type handling, and so on).

    Anyway! The planned security (updating) improvements are great. Hopefully, other browsers will follow.

    @ Mele20: There is no new privacy impact. Any website at all can already ask which plugins are installed by using JS. Example:
    http://de.selfhtml.org/javascript/objekte/anzeige/plugins_allgemeines.htm

  6. Lewis wrote on :

    I agree with Daniel; if you are worried about your privacy, support efforts by developers to keep everyone’s PCs up to date, thereby potentially reducing the size of botnets.

  7. Mele20 wrote on :

    Cubefox, don’t you use NoScript? That takes care of websites being nosy and stops the horrible Ajax that Google search is inflicting on Fx3 users in the USA. I can’t use Google search currently in Vista Ultimate on Fx3 because Ajax is being used. NoScript works fine on XP with the Proxomitron but there is a horrible conflict between the two on Vista. Why is Mozilla allowing Google to experiment on Fx3 users? It is one reason I still use Fx 1.5 on XP as Google doesn’t care about experimenting with it.

    Daniel, I use an older version of Java on Fx3 on Vista and on my XP computer. Java is only slightly less hated by me than is Flash Player. I have it only so I can do Java speed tests on MySpeed from Visualware an application that I own. Java upgrades are a major headache and frequently don’t work properly. So, I stay with a version that actually works. I don’t want Fx complaining about it. I’ll have to remove the plugin from Fx and just do my speed tests on Opera or IE. I only have two plugins for Fx “Hdview” that is disabled and Java. I rarely allow plugins on browsers.

    I guess what really bothers me is that Fx back in Phoenix days and early Sunbird was a heady experience for those of us looking for a browser for geeks. It stayed that way (and we did a lot of the work in the building of it with all the testing we did) until after 1.0 final. Then it gradually changed and has become a browser for the masses. That is good for Mozilla but not for those of us wanting a sophisticated browser for knowledgeable users. At the same time, the superior (yes I always felt Mozilla was the better browser) Mozilla browser died for a while and then very gradually has come back as SeaMonkey but it now is almost no different from Fx except that it has a mail client.

    Unfortunately, having Fx alert is not going to educate users who don’t want to be educated. I understand your motivation but there should be a way to turn that off for those of us who don’t want or need it. I use the Proxomitron which is a local proxy that is the most important piece of software I have. It blocks all ads, web bugs, malicious Iframes, gives me a toggle switch for Flash if I had Flash installed, etc. It enables me to see the web as I wish to see it. I would not surf the web without it. I also use ProcessGuard on XP which is not going to allow driver installs, or any malware to get a foothold on my computer. The two applications together make my computer almost totally immune to malware…almost because I could make a mistake when tired or distracted and when PG pops up and wants to know if I want to allow some piece of malware to install a driver that I might say yes. But that is extremely unlikely. I take the PG popups very seriously and always pay attention before making a decision and if in doubt I do not allow and then I go research the item that wanted to install a driver or create a global mouse hook, etc.

    I don’t like IE8 because I have to turn off all the junk that Microsoft thinks is security protection. If Fx gets like IE…UGH. On Vista, PG will not run so I use ZAPro which has a pretty good classic HIPS but I am searching for a better classic HIPS that is similar to ProcessGuard which does not have registry or file protection but is plenty powerful to stop installation of malware without excessive popups. Sure, the average user has no idea what applications like these do and doesn’t want to know. If Mozilla wants to play net nanny with them, ok…but don’t force it on knowledgeable users is all I am saying. Allow us to turn stuff like this off…remember we geeks are the reason why Fx exists today but we have been forgotten since Fx got fat and sassy.

    Most Mozilla sites have been blocked in my Hosts file ever since I read the debate in the Firefox mozilla.governance NG about how Mozilla was going to track all users to various Mozilla sites ….with Overture, mozillastats, getfirefox.com, etc. Uh huh…I put all of the sites in the hosts file and so did everyone I know at security sites I post at.

  8. Iang wrote on :

    Johnathan, I agree this is good stuff.

    I am concerned about the taking of responsibility for this from users and from the supplier of the plugin. In an ideal world, we should be providing tools that make it easier for those responsible to do the updates.

    And, if we take on the responsibility, this can have unfriendly consequences.

    But we don’t live in an ideal world. So I am all for the experimentation … let’s kick those tires.

  9. JJ wrote on :

    Security is everything on the internet, thanks for your concern.

  10. liz wrote on :

    I was looking for something on the internet today for my Smartboard and now every time I go to open Firefox the crash reporter comes up. It will open to the front page of Firefox but if I enter any address the crash reporter keeps coming up.

  11. Daniel Veditz wrote on :

    If you suddenly start getting crashes and you’re not aware of anything that has updated then you might have picked up a malware infection (if something did update then I’d suspect that first).

    If you’re lucky maybe you can load about:crashes as your first page and get the crash ids — those will be instrumental in figuring out where or why you’re crashing. Don’t paste them here in this thread, though, since it’s pretty off-topic. You’ll get the most help from http://support.mozilla.com forums

  12. VanillaMozilla wrote on :

    @Mele,
    About “this checking and then phoning home”, I assume you are referring to phishing protection? By default it downloads a list of bad sites. This has NO privacy implication. The only time it sends information back to Google is if you attempt to visit a site that is on the list. Then it double checks the URL. If even that is too worrisome for you, you can turn it off with a single mouse click. You can find this option easily just by looking at the menus, but you can find more information here: http://www.mozilla.com/en-US/firefox/phishing-protection/ .

    Can I make a suggestion? I have been following some of your posts, and I have to say, most or all of the issues you raised have easy answers. In most cases the problem–if there actually is one–can be dealt with by a few mouse clicks or an about:config option.

    I think you need to calm down a little. I see that you read some of the security forums, and I have to tell you that many of the posts there are by people who have not done their homework and don’t necessarily understand the issues as well as they think they do. Dare I say they have a tendency to be alarmist?

    For further support you really should contact the support forums, and they can help you sort through the security issues and make changes if needed. Finally, this probably does not apply to you, but if you are in an area where you are seriously endangered, you can always use The Onion Router to anonymize your Web browsing.
