PluginUpdating

From MozillaWiki
Jump to navigation Jump to search

Problem Statement

Our users often get hacked via vulnerable third party plug-ins.

Proposal

Add scripts on common landing pages to check for vulnerable plug-ins and assist the user in updating them.

Components

  • Script and alert on landing pages
  • Page that checks all the common plug-ins and assists in the update

Landing pages

First Run

Add an alert that checks the first time a user opens Firefox:

Message: We detected that some of your media plug-ins are vulnerable, click here for more info.

This is non-evasive, as we do not want to have the user have trouble getting started with Firefox.

This will lead the user to the plug-in check page.

Updated

Add similar alert to the "you've been updated" page which leads to the plug-in check page.

Implementation

It will be easiest to check the basic functionality in Javascript. Bug 282258 has a script that should work for flash and java.

UpYourPlug page

This page will do a check on common plug-ins and see if they are vulnerable or not. An example implementation can be found here.

Plug-ins to check:

  • Java (system update)
  • Flash (provides API, system update)

Future plug-ins to check:

  • Windows media player (system update)
  • Real player (system update)
  • Quicktime (system update)


Mock-up

Here is a cheesy mock-up of the idea for the plug-in update check page.

UpYourPlug.png

Implementation

Some of the plug-ins, such as Flash, provide an API for checking for security updates. Therefore, the check could easily be implemented in the language of the plug-in if it provides such API. Otherwise, it will need to be done in JavaScript.

Some pseudo code: 

if plug-in flash is installed
 display flash based flash security update check
if plug-in java is installed
 run javascript based java security update check
...

Or..

Pure javascript implementation, seemingly ready to roll, here.

Determining the latest secure version

Ideally we would talk to the upstream provider and get the latest secure version. However, initially we can just maintain a file that includes the latest versions of the plug-ins.

We found an insecure plug-in, now what?

After we detect that a plug-in is out of date, we should open the vendor page in a new tab.

One major concern is that each plug-in update needs a browser restart.

Java

Sun provides an update check. Linking here should provide a sufficient starting point for getting java up to date.

Flash

Adobe provides an update check. The user will be offered to navigate to this page for the update.

References

Retrieved from "https://wiki.allizom.org/index.php?title=PluginUpdating&oldid=64746"