- 1 Problem Statement
- 2 Proposal
- 3 Landing pages
- 4 UpYourPlug page
- 5 Schedule
- 6 QA Matrix
- 7 References
- 8 Postmortem
Our users often get hacked via vulnerable third party plug-ins.
Create a service anybody can use on any site to increase plugin awareness for their users.
Tracker bug: bug 465898
- Create database to store plugin information bug 465888
- Plugins service to serve plugin metadata via XML or JSON bug 465891
mozilla.com areas of influence:
- Firstrun page
- What's new page
- Upyourplug page
Add an alert that checks the first time a user opens Firefox:
Message: We detected that some of your media plug-ins are vulnerable, click here for more info.
This is non-invasive, as we do not want to have the user have trouble getting started with Firefox.
This will lead the user to the plug-in check page.
comment [morgamic] -- please eliminate the "click here". A "more info" that is a hyperlink should be sufficient. "click here" is bad wording for a hyperlink because it's non-descriptive. When I was messing with it, "Update your plug-ins." seemed even better -- but just pick something besides "click here". :)
comment clouserw -- "vulnerable" is a pretty strong word. Are we actually detecting that they are using versions that are vulnerable, or just that they are using outdated versions?
comment polvi -- The goal is to detect vulnerable plug-ins, not outdated ones (although, they often go hand in hand). Regarding "click here", I agree, but we are trying to structure the language such that it avoids demanding something of the user.
Add similar alert to the "you've been updated" page which leads to the plug-in check page.
This page will do a check on common plug-ins and see if they are vulnerable or not. An example implementation can be found here.
Plug-ins to check:
Future plug-ins to check:
- Windows media player (system update)
- Real player (system update)
- Quicktime (system update)
Here is a cheesy mock-up of the idea for the plug-in update check page.
- Plugin installed and up to date: An green "OK" box displayed linked to vendor
- Plugin installed and out of date: A red "need update" box displayed linked to vendor
- Plugin not installed: A gray "not installed" box displayed.
Java on the Mac
If a non Firefox browser hits this page, we need to display a notice with the rest of the copy on the page: "This page is only supported when using Firefox". Then all the checks should be a gray "check with vendor" box that link accordingly.
Determining the latest secure version
Ideally we would talk to the upstream provider and get the latest secure version. However, initially we can just maintain a file that includes the latest versions of the plug-ins.
We found an insecure plug-in, now what?
After we detect that a plug-in is out of date, we should open the vendor page in a new tab.
One major concern is that each plug-in update needs a browser restart.
Sun provides an update check. Linking here should provide a sufficient starting point for getting java up to date.
Adobe provides an update check. The user will be offered to navigate to this page for the update.
A rough timeline...
- First run revamp launch ~ August 24th
- Finish UpYourPlug page ~ August 24th
- Launch page and add detection to first run page - August 31th
- Add detection to updated page - September 7th
All platforms for Firefox < 188.8.131.52
|Flash version||Quicktime||Java||firstrun notice||Flash||Quicktime||Java|
|>= 9.0r47 (win,mac)||>= 7.2.0||>= 1.5.0_07||no||green||green||green|
|>= 9.0r48 (lin)||>= 7.2.0||>= 1.5.0_07||no||green||green||green|
|< 9.0r47 (win,mac)||>= 7.2.0||>= 1.5.0_07||yes||red||green||green|
|< 9.0r48 (lin)||>= 7.2.0||>= 1.5.0_07||yes||red||green||green|
|>= 9.0r47||< 7.2.0||< 1.5.0_07 (all)||yes||green||red||green|
|>= 9.0r47||>= 7.2.0||< 1.5.0_07 (all)||yes||green||green||red|
- Possible Flash API for determining an update
- Adobe's flash checker
- scripting work bug
- be more specific about
copywording and mock-up layout
- note when the alerts should display
- think of edge cases ahead of time if possible
- talk about projects like this at start of quarters to get a better response