By Jake Edge
June 9, 2010

Browser plugins are a constant source of security vulnerabilities and,
because the browser is one of the most commonly used network applications,
those vulnerabilities tend to affect a lot of users. But users are often
oblivious to the fact that their plugins are not up-to-date. In order to
help combat that problem, Mozilla has created a Plugin Check that will test
the installed browser plugins and report on those that are out of date.

The site was originally launched
last October, but was only set up for Firefox at that time. In May,
Mozilla's director of Firefox development, Johnathan Nightingale, announced
that Plugin Check had added support for the Safari, Chrome, and Opera
browsers. There is also support for Internet Explorer, but only for the
most popular plugins, as each plugin requires custom code due to a lack of
a JavaScript plugin object in IE.

The basic idea is that the page gathers up information about the installed
plugins, including metadata like version numbers, and then checks with a
plugin directory to get the status of each. Mozilla is working with plugin
vendors to keep an updated list of plugins and versions so that it can
report outdated and, importantly, security vulnerable plugins. Mozilla
plans to incorporate this technique into Firefox 3.6, so that users will
get information on updated plugins without having to visit a special page.
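
The check described above, sketched as an added example (this is not Mozilla's code): it pulls a version out of each plugin entry and classifies it against a directory. The plugin entries, the directory format, and the `firstSafe` field are constructed assumptions; in a browser the input would come from `navigator.plugins`.

```javascript
// Constructed sample input, shaped like navigator.plugins entries.
const samplePlugins = [
  { name: "ExamplePlayer", description: "ExamplePlayer 10.0 r32" },
  { name: "ExampleMedia", description: "ExampleMedia Plug-in 7.6.4" },
  { name: "ExampleDocs", description: "Views documents", version: "9.3.2" },
  { name: "ExampleToolbar", description: "Helper for toolbars" },
];

// Constructed directory (hypothetical format): newest release, and the
// first release that is free of known security holes.
const sampleDirectory = new Map([
  ["ExamplePlayer", { latest: "10.1.53", firstSafe: "10.0.45" }],
  ["ExampleMedia", { latest: "7.6.6", firstSafe: "7.6.4" }],
  ["ExampleDocs", { latest: "9.3.2", firstSafe: "9.3.2" }],
]);

// Prefer an explicit version field; otherwise pull the version out of the
// description, folding a release suffix ("10.0 r32") into "10.0.32".
function extractVersion(plugin) {
  if (plugin.version) return plugin.version;
  const m = /(\d+(?:\.\d+)*)(?:\s*r(\d+))?/.exec(plugin.description || "");
  if (!m) return null;
  return m[2] ? `${m[1]}.${m[2]}` : m[1];
}

// Numeric, component-wise compare: "10.0" > "9.9" and "7.6" equals "7.6.0".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Classify each installed plugin against the directory.
function checkPlugins(plugins, directory) {
  return plugins.map((p) => {
    const version = extractVersion(p);
    const entry = directory.get(p.name);
    let status = "unknown"; // not in the directory, or no version found
    if (entry && version) {
      status = compareVersions(version, entry.firstSafe) < 0 ? "vulnerable"
        : compareVersions(version, entry.latest) < 0 ? "outdated" : "current";
    }
    return { name: p.name, version, status };
  });
}
console.log(checkPlugins(samplePlugins, sampleDirectory));
```

A plugin with no recoverable version is reported as "unknown" rather than "current", so a missing version never passes as up to date.
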

While one could easily claim that it isn't Mozilla's—or any other
browser developer's—responsibility to help ensure that these
third-party plugins are current, it is a very nice public service. As
Nightingale points out, "plugin safety is an issue for the web as a
whole". One need only consider the security track record of the
most common plugin—Adobe's Flash—to recognize that there have
been some fairly nasty, and exploitable, plugin holes over the years.
Undoubtedly there will be more in Flash, as well as other plugins, down the
road.

For Firefox users, the Plugin Check will eventually be moot. One would
hope that other browser developers would also consider adding this
feature—they should be able to use the same plugin database that Mozilla has,
as the project is open.
Until that time, though, users need to find out about, and visit, the
Plugin Check page.
There are a variety of Plugin Check web badges available to help inform users
about the service. In addition, the page has useful information about plugins
and why it is important to keep them updated.
That text is, as it should be, geared toward those who may not even realize
their browser has any plugins installed, or even that there is some
difference between a browser and a plugin. After all, those are the folks
who are most likely to be browsing with outdated plugins—perhaps as
many as 80% of web users.

User education is an important part of keeping systems secure. While Linux
users have, in general, not been targeted by most of the
malware—plugin-based or not—out there, that's no good reason to
be cavalier about keeping one's software updated. In addition, most Linux
users know, perhaps live with, one or more users of other operating systems and
browsers. Regularly visiting the Plugin Check page (at least until browsers
automatically do that checking), as well as recommending it to others,
could go a long way toward reducing the threat from plugin vulnerabilities.