The current stats we have on plugins are discouraging. Upwards of 60-70% of users have one or more vulnerable plugins active on their machines. Many of these versions are being actively targeted and exploited. This is not an acceptable situation for our users or for the web in general.
While we implemented support for blocklisting plugins in Firefox 3, and have used it in a few limited cases, the user experience around that feature is not yet clear or easy enough for us to throw the big switch. The main goal of all of this is to get users onto more secure versions.
Attacking the problem from multiple angles gives us the best chance of success, and lets us find the right solution for Firefox 3.1 while still taking action that has an immediate effect on these numbers. Even though the major update from Fx2 to Fx3 is live, we should still address Fx2 users in some of our messaging.
- Create a KB article explaining the risk of outdated plugin versions and how to check for them (the plugin version checker page would be the obvious link)
- Outreach on why secure and aggressive auto-update is important
- Outreach to major Flash/Java-using sites, see if they can do things to encourage users to upgrade
- Create start page snippets to link to plugin checker.
- Update the blocklist format to carry a severity value (say, 1-3)
  - 1: Can cause crashes/hangs in some cases, not security-sensitive (likely to be rarely used, if ever)
  - 2: Known to be vulnerable, should be updated
  - 3: High severity block, causes crashes in all cases
- Change the plugin blocklist pref to an int pref and block on blocklist entries whose severity is equal to or higher than the pref value
  - The 3.0.x default should be 3, and existing blocklist entries should be set to 3 so they remain blocked; lower-severity entries will trigger a warning page (opened in a tab on startup, probably pointing directly at the plugin checker)
  - Admins can set it to 1/2 as desired
- Consider preventing clickthrough on malware pages if there are vulnerable plugins active
  - This is as close to a "please own my box" button as we'll ever have in the browser
- Implement new plugin install flow
  - No wizard
  - Want a non-spoofable notification that links to AMO/PFS
  - Need a way of forcing a plugin refresh that external installers can trigger
    - Commandline option? -refreshPlugins?
    - DDE? some sort of system notification?
- Finish the patch that provides placeholders for blocklisted plugins
- Change the default of the new pref from the 3.0.x value (3) to 2
- Implement new PFS web content (db-backed, smart service URL, new content with AMO's look and feel)
  - Multiple plugins for a mimetype should be supported (probably as Recommended plus alternatives)
- Update the blocklist format to support severities on blocklisted items
- Pick up Polvi's plugin checker and finish it (in-page plugin version scanner)
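The severity threshold logic from the blocklist items above and the in-page version scanner are easiest to reason about side by side, so here is an added example (not Mozilla code, not Polvi's checker, not the real blocklist format) that models both. It assumes blocklist entries carry a plugin name, an inclusive min/max version range and a severity 1-3, that the int pref holds the lowest severity that is blocked outright, and that plugin versions are pulled out of navigator.plugins description strings (Flash reports "Shockwave Flash 9.0 r124", so the "r" revision is folded in as a third component). The blocklist entries, the made-up plugin names and the version cut-offs are constructed sample data, not statements about any real vulnerability.

```javascript
// Added example, not Mozilla code: a model of the severity-based plugin
// blocklist proposed above and of the in-page plugin version scanner.
// Assumptions (not taken from the page): blocklist entries carry a plugin
// name, an inclusive min/max version range and a severity 1-3; the int pref
// holds the lowest severity that is blocked outright; any match below that
// threshold only gets the warning page. All entries and descriptions below
// are constructed sample data.

// Compare dotted version strings numerically; missing components count as 0,
// so "9.0" and "9.0.0" are equal. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0; // undefined or NaN -> 0
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pull a version out of a navigator.plugins description string. Flash reports
// "Shockwave Flash 9.0 r124"; the "r" revision becomes a third component
// ("9.0.124"). Returns null when no version can be found.
function extractVersion(description) {
  const m = /(\d+(?:\.\d+)*)(?:\s+r(\d+))?/.exec(description || "");
  if (!m) return null;
  return m[2] ? `${m[1]}.${m[2]}` : m[1];
}

// Constructed sample blocklist (not the real one). Flash below 9.0.124 stands
// in for the severity-2 "known vulnerable" case; the other two are made up.
const BLOCKLIST = [
  { name: "Shockwave Flash", minVersion: "0", maxVersion: "9.0.123", severity: 2 },
  { name: "Example Crashy Plugin", minVersion: "1.0", maxVersion: "1.0", severity: 3 },
  { name: "Example Hangy Plugin", minVersion: "2.0", maxVersion: "2.5", severity: 1 },
];

function entryMatches(entry, plugin) {
  return entry.name === plugin.name &&
    compareVersions(plugin.version, entry.minVersion) >= 0 &&
    compareVersions(plugin.version, entry.maxVersion) <= 0;
}

// Highest severity of any matching entry, 0 if the plugin is not listed.
function highestSeverity(plugin, blocklist) {
  return blocklist
    .filter(e => entryMatches(e, plugin))
    .reduce((max, e) => Math.max(max, e.severity), 0);
}

// The pref comparison: "block" at or above the threshold, "warn" for any
// lower-severity match, "allow" when nothing matches.
function classify(plugin, blocklist, blockThreshold) {
  const severity = highestSeverity(plugin, blocklist);
  if (severity === 0) return "allow";
  return severity >= blockThreshold ? "block" : "warn";
}

// In-page scanner: takes navigator.plugins-style objects ({name, description})
// and reports what the blocklist would do with each at the given threshold.
// A plugin whose version cannot be parsed is reported as "unknown" rather
// than silently allowed.
function scanPlugins(plugins, blocklist, blockThreshold) {
  return Array.from(plugins, p => {
    const version = extractVersion(p.description);
    const action = version === null
      ? "unknown"
      : classify({ name: p.name, version }, blocklist, blockThreshold);
    return { name: p.name, version, action };
  });
}

// Constructed navigator.plugins-style input.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 9.0 r115" },
  { name: "Example Crashy Plugin", description: "Example Crashy Plugin 1.0" },
  { name: "Example Hangy Plugin", description: "Example Hangy Plugin 2.3" },
  { name: "Mystery Plugin", description: "no version here" },
];

// Same plugins under the 3.0.x default (3) and the proposed 3.1 default (2).
const RESULTS_30X = scanPlugins(SAMPLE_PLUGINS, BLOCKLIST, 3);
const RESULTS_31 = scanPlugins(SAMPLE_PLUGINS, BLOCKLIST, 2);
console.log("threshold 3:", RESULTS_30X);
console.log("threshold 2:", RESULTS_31);
```

At threshold 3 the outdated Flash only gets the warning page, at threshold 2 it is blocked, and the crash-only severity-1 plugin is never blocked unless an admin lowers the pref to 1. In a real page the scanner would be fed `navigator.plugins` directly; `Array.from` accepts that array-like object as well as the constructed array.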