From MozillaWiki
Over the past several years the Mozilla Project has worked hard at finding and fixing security bugs in Mozilla code before attackers have been able to develop exploits. The Security Bug Bounty Program, the frequent security updates we ship for Firefox users, and the aggressive updating of Firefox users have been the cornerstones of this effort.

Currently it appears that the greatest security risk to Firefox users is exploitation of plugins the user has installed. A number of studies have documented this:

  • They are increasingly a highly leveraged cross-platform vector for attackers.
    • (or 45.2%) Internet users are at risk worldwide due to not running the latest, most secure browser version. -- But Firefox actually leads the way with aggressive updating of its users, while still providing choice and user control over the updates.
    • Meanwhile, hidden below the surface, the iceberg extends further, encompassing users that rely on outdated, vulnerable browser plug-ins, due to an inability to passively enumerate the versions of any plug-ins hosts have installed.

critical version update for those soon.

A specific example

see bug 506419 and

They show Firefox users under attack from a zero-day for Adobe Flash and Reader.

The common response to bugs like these is that "it's not our problem." That is true to some extent, but here are some concrete things we could do.

While we are waiting for a patch from Adobe:

  • find new rogue .dll files in our crash-reporting data and raise their visibility with anti-virus companies.
  • Even after the patch is out, keep up the information campaign to encourage users to update. Update rates remain very slow.

Nine days after the release of the zero-day fix version (July 30, 2009), only around 7% of Flash users have been updated.

The following chart shows the distribution of Flash versions hitting on Aug. 8, 2009: [image: flash-upgrades-20090808.png]

Adobe is working on some fixes to this, but information campaigns will be needed until those fixes are in place.

What to do?

short term

  1. grassroots campaign and PR to get users' plugins upgraded - up your plugin
  2. maybe something that would engage the 8 million download day participants to update their plugins, and help friends and family to update too.
  3. create a catalog of all high-visibility pages on SUMO and Google start-page snippets, and see if we can get some basic content about the issue and recommendations for users.

mid term: end of 09q3?

  1. make progress on morgamic's plan to build better backend infrastructure for tracking required plugin versions and syndicating plugin-updating content. See: and
  2. pressure plugin vendors to upgrade users faster. Help reduce bandwidth costs for plugin vendors so they can do more aggressive updating of their users, or help to host the updates. Meeting with Adobe on 8/11 to talk about this among other security-related topics.
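Both the Flash update-rate figure above and the required-plugin-version tracking in item 1 come down to comparing dotted plugin versions numerically rather than as strings (as strings, "9.0.280.0" sorts after "10.0.32.18"). The script below is an added example, not Mozilla's or Adobe's code; the required-version table and the telemetry rows are constructed.

```python
from collections import Counter

# Constructed minimum-secure version table (not Mozilla's data): what a
# tracking backend would publish per plugin.
REQUIRED = {
    "Shockwave Flash": "10.0.32.18",
    "Adobe Acrobat": "9.1.3",
}

# Constructed telemetry rows: (plugin name, version reported by the client).
OBSERVED = [
    ("Shockwave Flash", "10.0.32.18"),
    ("Shockwave Flash", "10.0.22.87"),
    ("Shockwave Flash", "9.0.280.0"),
    ("Shockwave Flash", "10.0.12.36"),
    ("Shockwave Flash", "9.0.124.0"),
    ("Adobe Acrobat", "9.1.3"),
    ("Adobe Acrobat", "8.1.2"),
    ("Adobe Acrobat", "9.1.2"),
]

def parse_version(v):
    """Turn '10.0.32.18' into (10, 0, 32, 18) so comparison is numeric.
    Non-numeric characters in a component (e.g. '32b') are ignored; an
    empty component counts as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_outdated(plugin, version):
    """True when the reported version is below the required one."""
    required = REQUIRED.get(plugin)
    if required is None:
        return False  # no policy for this plugin: nothing to enforce
    return parse_version(version) < parse_version(required)

def update_report(observed=OBSERVED):
    """Per plugin: (total, up_to_date, fraction_up_to_date, top stale versions)."""
    totals, current, stale = Counter(), Counter(), {}
    for plugin, version in observed:
        totals[plugin] += 1
        if is_outdated(plugin, version):
            stale.setdefault(plugin, Counter())[version] += 1
        else:
            current[plugin] += 1
    return {p: (totals[p], current[p], current[p] / totals[p],
                stale.get(p, Counter()).most_common(3)) for p in totals}
```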

longer term

  1. active plugin blocking for old versions? This strategy hasn't worked so far and many users seem to be resistant. See the long discussion in : starting around comment 72 -
  2. fix our plugin migration code for a better upgrade experience - Fx 3.6/7?
  3. study user-experience problems and improve pop-up blocking again
  4. gather data from SUMO and other sources to watch trends
  5. develop a community of malware investigators to understand more about what is happening and figure out solutions
  6. figure out how to help users that get into trouble

Work to help users understand plugins that are out of date, and accelerate updates.