PluginUpdating: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
 
(25 intermediate revisions by 4 users not shown)
Line 3: Line 3:


= Proposal =
= Proposal =
Add scripts on common landing pages to check for vulnerable plug-ins and assist the user in updating them.
Create a service anybody can use on any site to increase plugin awareness for their users.
 
== Components ==
== Components ==
* Script and alert on landing pages
Tracker bug: {{bug|465898}}
* Page that checks all the common plug-ins and assists in the update
 
* Create database to store plugin information {{bug|465888}}
* Plugins service to serve plugin metadata via XML or JSON {{bug|465891}}
* Create javascript library for embedding {{bug|465891}}
 
mozilla.com areas of influence:
* Firstrun page
* What's new page
* Upyourplug page


= Landing pages =
= Landing pages =
== First Run ==
== First Run ==
[[Image:FIRST RUN p2ALT MAC.jpg|thumb]]
Add an alert that checks the first time a user opens Firefox:
Add an alert that checks the first time a user opens Firefox:


'''Message:''' ''We detected that some of your media plug-ins are vulnerable, click here for more info.''
'''Message:''' ''We detected that some of your media plug-ins are vulnerable, click here for more info.''


This is non-evasive, as we do not want to have the user have trouble getting started with Firefox.
This is non-invasive, as we do not want to have the user have trouble getting started with Firefox.
 
This will lead the user to the [[#UpYourPlug page|plug-in check page]].


One possible way to do this is to utilize the same sort of alert bar used to notify you that a pop-up has been blocked. We should consider using a different background color to differentiate them, though. Here is a very rough mockup of how it might look (note that this isn't really the first run page):
'''comment''' [morgamic] -- please eliminate the "click here".  A "more info" that is a hyperlink should be sufficient. "click here" is bad wording for a hyperlink because it's non-descriptive.  When I was messing with it, "Update your plug-ins." seemed even better -- but just pick something besides "click here".  :)


[[Image:Plug-in-screenshot.jpg]]
'''comment''' [[User:Clouserw|clouserw]] -- "vulnerable" is a pretty strong word. Are we actually detecting that they are using versions that are vulnerable, or just that they are using outdated versions?


This will lead the user to the [[#UpYourPlug page|plug-in check page]].
'''comment ''' [[User:Polvi|polvi]] -- The goal is to detect vulnerable plug-ins, not outdated ones (although, they often go hand in hand). Regarding "click here", I agree, but we are trying to structure the language such that it avoids demanding something of the user.


== Updated ==
== Updated ==
Line 47: Line 60:


== Implementation ==
== Implementation ==
Some of the plug-ins, such as Flash, provide an API for checking for security updates. Therefore, the check could easily be implemented in the language of the plug-in if it provides such API. Otherwise, it will need to be done in JavaScript.
The actual checks need to be implemented in javascript. The following use cases should be handled accordingly:


Some pseudo code:
* '''Plugin installed and up to date''': An green "OK" box displayed linked to vendor
if plug-in flash is installed
* '''Plugin installed and out of date''': A red "need update" box displayed linked to vendor
  display flash based flash security update check
* '''Plugin not installed''': A gray "not installed" box displayed.
if plug-in java is installed
  run javascript based java security update check
...


Or..
=== Java on the Mac ===
Since only the java embedding plugin gives version information to javascript, we cannot check for this case without a java applet. In this case, display a gray "check with vendor" box that links to Sun's java plugin page.


Pure javascript implementation, seemingly ready to roll, [https://bugzilla.mozilla.org/attachment.cgi?id=215422 here].
=== Non-Firefox Browsers ===
 
If a non Firefox browser hits this page, we need to display a notice with the rest of the copy on the page: "This page is only supported when using Firefox". Then all the checks should be a gray "check with vendor" box that link accordingly.


== Determining the latest secure version ==
== Determining the latest secure version ==
Line 71: Line 84:
=== Flash ===
=== Flash ===
[http://www.adobe.com/shockwave/welcome/ Adobe provides an update check]. The user will be offered to navigate to this page for the update.
[http://www.adobe.com/shockwave/welcome/ Adobe provides an update check]. The user will be offered to navigate to this page for the update.
= Schedule =
A rough timeline...
# First run revamp launch ~ August 24th
# Finish UpYourPlug page ~ August 24th
# Launch page and add detection to first run page - August 31th
# Add detection to updated page - September 7th
= QA Matrix =
All platforms for Firefox  < 2.0.0.7
{| class="fullwidth-table"
! Flash version
! Quicktime
! Java
!
! firstrun notice
! Flash
! Quicktime
! Java
|-
| >= 9.0r47 (win,mac)
| >= 7.2.0
| >= 1.5.0_07
|
| no
| green
| green
| green
|-
| >= 9.0r48 (lin)
| >= 7.2.0
| >= 1.5.0_07
|
| no
| green
| green
| green
|-
| < 9.0r47 (win,mac)
| >= 7.2.0
| >= 1.5.0_07
|
| yes
| red
| green
| green
|-
| < 9.0r48 (lin)
| >= 7.2.0
| >= 1.5.0_07
|
| yes
| red
| green
| green
|-
| >= 9.0r47
| < 7.2.0
| < 1.5.0_07 (all)
|
| yes
| green
| red
| green
|-
| >= 9.0r47
| >= 7.2.0
| < 1.5.0_07 (all)
|
| yes
| green
| green
| red
|}


= References =
= References =
Line 77: Line 165:
* [http://gemal.dk/browserspy/ Javascript library providing some plug-in detection functionality]
* [http://gemal.dk/browserspy/ Javascript library providing some plug-in detection functionality]
* [http://www.adobe.com/shockwave/welcome/ Adobe's flash checker]
* [http://www.adobe.com/shockwave/welcome/ Adobe's flash checker]
* [https://bugzilla.mozilla.org/show_bug.cgi?id=391433 scripting work bug]
= Postmortem =
* be more specific about <strike>copy</strike> wording and mock-up layout
* note when the alerts should display
* s/sans/without/
* think of edge cases ahead of time if possible
* talk about projects like this at start of quarters to get a better response

Latest revision as of 18:30, 23 January 2009

Problem Statement

Our users often get hacked via vulnerable third party plug-ins.

Proposal

Create a service anybody can use on any site to increase plugin awareness for their users.

Components

Tracker bug: bug 465898

  • Create database to store plugin information bug 465888
  • Plugins service to serve plugin metadata via XML or JSON bug 465891
  • Create javascript library for embedding bug 465891

mozilla.com areas of influence:

  • Firstrun page
  • What's new page
  • Upyourplug page

Landing pages

First Run

FIRST RUN p2ALT MAC.jpg

Add an alert that checks the first time a user opens Firefox:

Message: We detected that some of your media plug-ins are vulnerable, click here for more info.

This is non-invasive, as we do not want to have the user have trouble getting started with Firefox.

This will lead the user to the plug-in check page.

comment [morgamic] -- please eliminate the "click here". A "more info" that is a hyperlink should be sufficient. "click here" is bad wording for a hyperlink because it's non-descriptive. When I was messing with it, "Update your plug-ins." seemed even better -- but just pick something besides "click here".  :)

comment clouserw -- "vulnerable" is a pretty strong word. Are we actually detecting that they are using versions that are vulnerable, or just that they are using outdated versions?

comment polvi -- The goal is to detect vulnerable plug-ins, not outdated ones (although, they often go hand in hand). Regarding "click here", I agree, but we are trying to structure the language such that it avoids demanding something of the user.

Updated

Add similar alert to the "you've been updated" page which leads to the plug-in check page.

Implementation

It will be easiest to check the basic functionality in Javascript. Bug 282258 has a script that should work for flash and java.

UpYourPlug page

This page will do a check on common plug-ins and see if they are vulnerable or not. An example implementation can be found here.

Plug-ins to check:

  • Java (system update)
  • Flash (provides API, system update)

Future plug-ins to check:

  • Windows media player (system update)
  • Real player (system update)
  • Quicktime (system update)


Mock-up

Here is a cheesy mock-up of the idea for the plug-in update check page.

UpYourPlug.png

Implementation

The actual checks need to be implemented in javascript. The following use cases should be handled accordingly:

  • Plugin installed and up to date: An green "OK" box displayed linked to vendor
  • Plugin installed and out of date: A red "need update" box displayed linked to vendor
  • Plugin not installed: A gray "not installed" box displayed.

Java on the Mac

Since only the java embedding plugin gives version information to javascript, we cannot check for this case without a java applet. In this case, display a gray "check with vendor" box that links to Sun's java plugin page.

Non-Firefox Browsers

If a non Firefox browser hits this page, we need to display a notice with the rest of the copy on the page: "This page is only supported when using Firefox". Then all the checks should be a gray "check with vendor" box that link accordingly.

Determining the latest secure version

Ideally we would talk to the upstream provider and get the latest secure version. However, initially we can just maintain a file that includes the latest versions of the plug-ins.

We found an insecure plug-in, now what?

After we detect that a plug-in is out of date, we should open the vendor page in a new tab.

One major concern is that each plug-in update needs a browser restart.

Java

Sun provides an update check. Linking here should provide a sufficient starting point for getting java up to date.

Flash

Adobe provides an update check. The user will be offered to navigate to this page for the update.

Schedule

A rough timeline...

  1. First run revamp launch ~ August 24th
  2. Finish UpYourPlug page ~ August 24th
  3. Launch page and add detection to first run page - August 31th
  4. Add detection to updated page - September 7th

QA Matrix

All platforms for Firefox < 2.0.0.7

Flash version Quicktime Java firstrun notice Flash Quicktime Java
>= 9.0r47 (win,mac) >= 7.2.0 >= 1.5.0_07 no green green green
>= 9.0r48 (lin) >= 7.2.0 >= 1.5.0_07 no green green green
< 9.0r47 (win,mac) >= 7.2.0 >= 1.5.0_07 yes red green green
< 9.0r48 (lin) >= 7.2.0 >= 1.5.0_07 yes red green green
>= 9.0r47 < 7.2.0 < 1.5.0_07 (all) yes green red green
>= 9.0r47 >= 7.2.0 < 1.5.0_07 (all) yes green green red

References

Postmortem

  • be more specific about copy wording and mock-up layout
  • note when the alerts should display
  • s/sans/without/
  • think of edge cases ahead of time if possible
  • talk about projects like this at start of quarters to get a better response
Retrieved from "https://wiki.allizom.org/index.php?title=PluginUpdating&oldid=125192"