Mozilla's Plugin Check

By Jake Edge
June 9, 2010

Browser plugins are a constant source of security vulnerabilities and, because the browser is one of the most commonly used network applications, those vulnerabilities tend to affect a lot of users. But users are often oblivious to the fact that their plugins are not up-to-date. In order to help combat that problem, Mozilla has created a Plugin Check that will test the installed browser plugins and report on those that are out of date.

The site was originally launched last October, but was only set up for Firefox at that time. In May, Mozilla's director of Firefox development, Johnathan Nightingale, announced that Plugin Check had added support for the Safari, Chrome, and Opera browsers. There is also support for Internet Explorer, but only for the most popular plugins, as each plugin requires custom code due to a lack of a JavaScript plugin object in IE.

The basic idea is that the page gathers up information about the installed plugins, including metadata like version numbers, and then checks with a plugin directory to get the status of each. Mozilla is working with plugin vendors to keep an updated list of plugins and versions so that it can report outdated and, importantly, security vulnerable plugins. Mozilla plans to incorporate this technique into Firefox 3.6, so that users will get information on updated plugins without having to visit a special page.
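The gather-and-compare step described above, sketched as an added example (not Mozilla's code). The directory layout, plugin names and versions are constructed for illustration, and the plugin objects stand in for navigator.plugins entries with name, description and an optional version property. It flags a release with a known hole even when it is the latest one, and reports a detected version that is too imprecise to judge instead of guessing:

```javascript
// Constructed directory (assumed layout, not Mozilla's schema): latest release
// and releases with known holes. Example Player's latest is itself vulnerable.
const DIRECTORY = {
  "Example Player": { latest: "10.0.45.2", vulnerable: ["10.0.45.2"] },
  "Example Reader": { latest: "9.3.2", vulnerable: ["9.1.0"] },
};

// Constructed stand-ins for navigator.plugins entries.
const PLUGINS = [
  { name: "Example Player", version: "10.0.45.2", description: "Example Player 10.0 r45" },
  { name: "Example Player", description: "Example Player 10.0 r45" },
  { name: "Example Reader", description: "Example Reader 9.3.1" },
  { name: "Unlisted Codec", description: "Unlisted Codec" },
];

// Use the explicit version property when present; otherwise take the first
// dotted number in the description. Returns null if neither yields a version.
function detectVersion(plugin) {
  if (plugin.version) return plugin.version;
  const m = /\d+(?:\.\d+)+/.exec(plugin.description || "");
  return m ? m[0] : null;
}

// Numeric, component-wise comparison of dotted versions (missing parts = 0).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Classify one plugin against the directory. Plugin names are untrusted input,
// so only the directory's own keys are looked up.
function checkPlugin(plugin, directory) {
  const known = Object.prototype.hasOwnProperty.call(directory, plugin.name);
  const entry = known ? directory[plugin.name] : null;
  const version = detectVersion(plugin);
  if (!entry || !version) return { version, status: "unknown" };
  // A known-vulnerable release is flagged even when it is also the latest.
  if (entry.vulnerable.includes(version)) return { version, status: "vulnerable" };
  // A detected version that is only a prefix of a listed one cannot be judged.
  const listed = [entry.latest, ...entry.vulnerable];
  if (listed.some((v) => v.startsWith(version + "."))) return { version, status: "imprecise" };
  const status = compareVersions(version, entry.latest) < 0 ? "outdated" : "current";
  return { version, status };
}

const report = () => PLUGINS.map((p) => checkPlugin(p, DIRECTORY).status);
console.log(report());
```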

While one could easily claim that it isn't Mozilla's—or any other browser developer's—responsibility to help ensure that these third-party plugins are current, it is a very nice public service. As Nightingale points out, "plugin safety is an issue for the web as a whole". One need only consider the security track record of the most common plugin—Adobe's Flash—to recognize that there have been some fairly nasty, and exploitable, plugin holes over the years. Undoubtedly there will be more in Flash, as well as other plugins, down the road.

For Firefox users, the Plugin Check will eventually be moot. One would hope that other browser developers would also consider adding this feature—they should be able to use the same plugin database that Mozilla has, as the project is open. Until that time, though, users need to find out about, and visit, the Plugin Check page.

There are a variety of Plugin Check web badges available to help inform users about the service. In addition, the page has useful information about plugins and why it is important to keep them updated. That text is, as it should be, geared toward those who may not even realize their browser has any plugins installed, or even that there is some difference between a browser and a plugin. After all, those are the folks who are most likely to be browsing with outdated plugins—perhaps as many as 80% of web users.

User education is an important part of keeping systems secure. While Linux users have, in general, not been targeted by most of the malware—plugin-based or not—out there, that's no good reason to be cavalier about keeping one's software updated. In addition, most Linux users know, perhaps live with, one or more users of other operating systems and browsers. Regularly visiting the Plugin Check page (at least until browsers automatically do that checking), as well as recommending it to others, could go a long way toward reducing the threat from plugin vulnerabilities.

Mozilla's Plugin Check

Posted Jun 10, 2010 5:01 UTC (Thu) by pphaneuf (guest, #23480) [Link]

That sounds very much like the SecBrowsing stuff some of my co-workers do. They also did a Chrome extension, to be informed as quickly as possible, and it's all open source, if I recall correctly.

Mozilla's Plugin Check

Posted Jun 10, 2010 7:21 UTC (Thu) by evgeny (guest, #774) [Link]

Of course, up-to-date is not equal to invulnerable. Right now, the Plugin Check page gives a green thumb up for Shockwave Flash 10.0.45.0, while reading just the next article in the LWN Security page says this version might "allow an attacker to take control of the affected system"...

Mozilla's Plugin Check

Posted Jun 10, 2010 11:31 UTC (Thu) by cortana (subscriber, #24596) [Link]

Who can we mail to report this problem?

Mozilla's Plugin Check

Posted Jun 10, 2010 11:33 UTC (Thu) by cortana (subscriber, #24596) [Link]

Heh. The version number is also wrong. I have 10.0.45.2 installed (according to <http://www.adobe.com/software/flash/about/>), but the Plugin Check site reports that I have version 10.0.45.0 installed.

Mozilla's Plugin Check

Posted Jun 10, 2010 12:29 UTC (Thu) by nix (subscriber, #2304) [Link]

... and a thumbs down to Acrobat Reader 9.3.1, which is the latest in the 9.x branch and is, as far as I know, still receiving security updates.

Mozilla's Plugin Check

Posted Jun 10, 2010 10:56 UTC (Thu) by cesarb (subscriber, #6266) [Link]

Still not working for pt-BR (see bug 556891).

Mozilla's Plugin Check

Posted Jun 10, 2010 14:53 UTC (Thu) by ernest (subscriber, #2355) [Link]

As updates are checked when I start Firefox up, and because there are so many updates, and because I use many plugins, I usually get a request to restart Firefox seconds after I start Firefox up. This is just as idiotic as what Windows itself is doing for its own updates (Windows detected that you moved the mouse, you must reboot for this change to take effect).

Since Firefox is regularly restarted anyway, why not simply download the new plugins (or ask) and then do nothing until the next Firefox session is started either later the same day or even tomorrow? Firefox shouldn't even ask for it. Just let it happen by itself.

Doing it this way I would be at most a day behind in my updates. Without this I am sometimes weeks behind.

Anyway, I switched automatic updates off.

I do check now and then if there are updates, but I admit, not very often.

Mozilla's Plugin Check

Posted Jun 10, 2010 22:31 UTC (Thu) by Tet (subscriber, #5433) [Link]

The site didn't work for me. It told me to try again later. But that aside, I don't want it to work. A web page has no business seeing which plugins I have installed. As the EFF's Panopticlick shows, that leads to a far too easy way to fingerprint visitors. Is there any way to disable this functionality (Firefox extension or similar) without disabling Javascript entirely (yes, I do run NoScript, but sometimes I want a site to have Javascript enabled)?

Mozilla's Plugin Check

Posted Jun 14, 2010 12:15 UTC (Mon) by mdz@debian.org (subscriber, #14112) [Link]

"User education is an important part of keeping systems secure."

I take a different view, that a security system which requires more than the most basic education of users is doomed to failure. Tasks like keeping software up to date are best left to software engineers and the automation software they create.

If a software task needs to be done consistently, repeatably and on time, it is best left to computers, rather than humans.

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds