Responding to the Adobe advisory: Plugin Checker in action

Brandon Sterne


Adobe recently released a security advisory for Flash Player, Adobe Reader and Acrobat. The advisory stated that a critical vulnerability existed in all versions of Flash prior to and including 10.0.45.2.

Late last week, Adobe released an updated version of Flash that does not contain the security vulnerability: version 10.1.53.64. After considering the importance of updating our users as fast as possible, Mozilla has taken the following steps:

  • Updated our Plugin Checker to notify users with vulnerable versions of Flash to update to the latest version.
  • Added Flash version detection to our What’s New pages when users update Firefox. Users with out-of-date versions of Flash will receive a prominent message to update.
  • Added messaging to our First Run pages prompting users to check that their plugins are up-to-date, linking them to the Plugin Checker.

Keeping your software up to date is one of the most important things you can do to stay safe online, and Mozilla will continue to look for ways to make that process as easy as possible for our users.
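The kind of check described above, as an added example that is not Mozilla's Plugin Checker code: it reads a Flash version from a `navigator.plugins`-style list and compares it numerically against the fixed release named in this post. The function names, the sample entries and the assumed description format ("Shockwave Flash 10.0 r45") are illustrative assumptions.

```javascript
// Added example, not Mozilla's Plugin Checker code.
const FIXED_FLASH = "10.1.53.64"; // fixed release named in the post

// Pull a dotted version out of a navigator.plugins-style entry.
function flashVersion(plugin) {
  if (/^\d+(\.\d+)*$/.test(plugin.version || "")) return plugin.version;
  // Assumption: browsers without a version property expose only a description
  // such as "Shockwave Flash 10.0 r45", which lacks the fourth component.
  const m = /(\d+)\.(\d+)\s+r(\d+)/.exec(plugin.description || "");
  return m ? `${m[1]}.${m[2]}.${m[3]}` : null;
}

// Compare numerically, component by component ("10.10" is newer than "10.9").
function classify(version, fixed) {
  const v = version.split(".").map(Number);
  const f = fixed.split(".").map(Number);
  for (let i = 0; i < v.length; i++) {
    const want = f[i] || 0;
    if (v[i] < want) return "outdated";
    if (v[i] > want) return "current";
  }
  // Equal so far: a shorter detected version cannot be decided either way.
  return v.length < f.length ? "unknown" : "current";
}

function checkFlash(plugins) {
  const flash = Array.from(plugins).find(p => /Shockwave Flash/i.test(p.name));
  if (!flash) return "not-installed";
  const version = flashVersion(flash);
  return version === null ? "unknown" : classify(version, FIXED_FLASH);
}

// Constructed sample entries (not captured from real browsers).
const SAMPLES = {
  withVersion: [{ name: "Shockwave Flash", description: "Shockwave Flash 10.0 r45", version: "10.0.45.2" }],
  patched: [{ name: "Shockwave Flash", description: "Shockwave Flash 10.1 r53", version: "10.1.53.64" }],
  descriptionOnly: [{ name: "Shockwave Flash", description: "Shockwave Flash 10.1 r53" }],
  noFlash: [{ name: "VLC Multimedia Plug-in", description: "" }],
};

for (const [label, plugins] of Object.entries(SAMPLES)) {
  console.log(label, "->", checkFlash(plugins));
}
```

The `descriptionOnly` case returns "unknown" rather than guessing, because a three-component version cannot be placed before or after 10.1.53.64.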


11 responses

  1. Bill Gianopoulos wrote:

    Well I give partial credit on this. Unless this was a Firefox only issue, the fact that plugincheck failed to alert IE browser users might indicate we still need to strive to do better here.

  2. Daniel Veditz wrote:

    The focus in this post is on Firefox users. The 0th item on Brandon’s list (update the plugin check page) goes without saying and isn’t worth blogging about; the salient points are what our upgrading users are going to see later this week and next.

    As Johnathan said in Plugin Check for Everyone we know there’s work to be done on the IE support.

  3. Larry Seltzer wrote:

    I have noticed that the Plugin Checker page fails to detect versions of many plugins, but Tools-Addons-Plugins can display them. Is this just a weakness of NPAPI? I understand there is some replacement interface on the way.

  4. Daniel Veditz wrote:

    Tools-Addons-Plugins displays what the client can figure out from privileged code, the Plugin Checker page can only display what a web page can find out from the ancient netscape.plugins array.

    We did expose a version property recently so you’ll see different results in Firefox 3.6 compared to 3.5 and earlier. But exposing more information raises tensions between being helpful on a well-intentioned page like the Plugin Checker versus giving ammunition to creepy cases like Panopticlick or worse.

    Ultimately if we move the plugin check functionality into the browser we’ll have the best of both worlds.

  5. emarell wrote:

    FYI I have always encountered an issue with Plugin Checker: it consistently tells me I have an outdated version of ‘Shockwave for Director.’ Yet I have the latest version, as far as I can determine.

    This has happened every time I have had occasion to visit the Plugin Checker, repeating across a ‘Shockwave for Director’ version or two. After I see that, I go through all kinds of frenzy trying to track down the discrepancy. And fail.

    I have simply stopped caring… and will be using whatever version of ‘Shockwave for Director’ (the need for which I have yet to see any explanation I could understand, being a non-developer and non-gameplayer) I already have on board.

    On the other hand, you wizards at Mozilla might want to improve the Plugin Checker, or come up with something simpler/better around Adobe with its alarming messes and its unfathomable installers.

  6. glandium wrote:

    The plugin checker should tell something specific (remove?) if used on x86-64 linux, as Adobe is not releasing a fixed version for that platform.

  7. emv x person wrote:

    I hope Adobe are paying Mozilla to cover their weaknesses… it could become a full time occupation!

  8. David Tenser wrote:

    Actually that warning page is a bit conflicting: it starts off by saying “we recommend downloading the latest and greatest version” (implying that the user isn’t currently running that version), and then later on it says “Firefox is up to date.”

    If I were just starting Firefox 3.6, I’d be a bit confused.

  9. Nickolay Ponomarev wrote:

    This is great, but unfortunately, most people will only see the warning when they update Firefox. I certainly didn’t see it yet, and I can’t even find a bug about integrating plugin updates check with Firefox more closely.

  10. Ken Saunders wrote:

    I’d like an opt-in option that allows Mozilla to show me (aggressive) notices when plugins are vulnerable as soon as they learn about them and disables them automatically (with of course the option to enable them).
    Heck, make it an Fx add-on developed by Mozilla.

    I understand about Mozilla’s blocklist and all, but I also know that things don’t make it to that list without a good enough reason to automatically block a user from using what they want.
    It’s too invasive for some, but I count on Mozilla to stick to security as their top priority so go ahead and block away.
    When it pertains to browser security, y’all know a lot more about it than I and have more eyes on it too.

    Do I have to be a vendor to submit a plugin for (possible) inclusion in the Plugin Checker?
    I’d like to see the OpenOffice.org Plug-in and VLC Multimedia Plug-in checked automatically. Currently, “Unable to Detect Plugin Version” is all that I get with a link to a Google search for a solution.
    I probably don’t even need the VLC one any longer, I installed it prior to support for open media formats in Firefox but, it’s there so it would be nice if the Plugin Checker checked it.

    Also, I totally agree with David Tenser and the warning box could use a redo. It kind of looks like an ad and the average user may not know what Adobe Flash Player is (perhaps someone else installed Firefox, set up their system, etc.) let alone a plugin (some confuse plugins with Extensions), and Mozilla/Firefox should more clearly distance itself from the plugin (whatever it may be) so that it doesn’t appear to be a Firefox issue.

    Maybe use something like,
    “The built in Plugin Checker in Firefox (or Firefox’s built in Plugin Checker) has detected that you are using an outdated and unsafe version of Adobe Flash Player that will cause you to fall violently ill and develop boils if you don’t update it now!!!”

    Ok, maybe just the first part.

  11. htv wrote:

    Well yeah, unfortunately the plugin doesn’t appear in the tools->extras->plugins and it doesn’t work properly. Every time I fullscreen, the screen turns white; only the sound works.