PluginUpdating: Difference between revisions

From MozillaWiki
Line 52: Line 52:


== Determining the latest secure version ==
== Determining the latest secure version ==
Ideally we would talk to the upstream provider and get the latest secure version.
Ideally we would talk to the upstream provider and get the latest secure version. However, initially we can just maintain a file that includes the latest versions of the plug-ins.


= References =
= References =
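
Review bot: the sentence added under "Determining the latest secure version" says the file holds "the latest versions of the plug-ins", while the heading and the sentence before it are about the latest secure version. Word it as the latest secure version of each plug-in so the check compares against the intended value. It would also help to state where the file is kept and who updates it when an upstream provider ships a security fix.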

Revision as of 18:04, 6 August 2007

Problem Statement

Our users often get hacked via vulnerable third-party plug-ins.

Proposal

Add scripts on common landing pages to check for vulnerable plug-ins and assist the user in updating them.

Components

  • Script and alert on landing pages
  • Page that checks all the common plug-ins and assists in the update

Landing pages

First Run

Add an alert that checks the first time a user opens Firefox:

Message: We detected that some of your media plug-ins are vulnerable, click here for more info.

This is non-invasive, as we do not want the user to have trouble getting started with Firefox.

stick mock-up and plans for how it will look here

This will lead the user to the plug-in check page.

Updated

Add a similar alert to the "you've been updated" page, which leads to the plug-in check page.

Implementation

It will be easiest to check the basic functionality in JavaScript. Bug 282258 has some script for checking if Java is up to date.

UpYourPlug page

This page will do a check on common plug-ins and see if they are vulnerable or not. An example implementation can be found here.

The plug-ins:

  • Java (system update)
  • Flash (provides API, system update)
  • Windows Media Player (no idea)
  • QuickTime (system update)
  • RealPlayer (system update)

Mock-up

Here is a cheesy mock-up of the idea for the plug-in update check page.

UpYourPlug.png

Implementation

Some of the plug-ins, such as Flash, provide an API for checking for security updates. Therefore, the check could easily be implemented in the language of the plug-in if it provides such an API. Otherwise, it will need to be done in JavaScript.

Some pseudo code:

if plug-in flash is installed
 display flash based flash security update check
if plug-in java is installed
 run javascript based java security update check
...

Determining the latest secure version

Ideally we would talk to the upstream provider and get the latest secure version. However, initially we can just maintain a file that includes the latest versions of the plug-ins.
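
The JavaScript-side check against a maintained file of latest secure versions, as an added example (not code from this wiki page or from Bug 282258). The list contents, the sample plug-in entries and the function names are constructed for illustration, and reading the version out of the plug-in description string is an assumption that will not hold for every plug-in.

```javascript
// Constructed stand-in for the maintained file of latest secure versions.
// Version numbers are made up for the example, not real advisory data.
const LATEST_SECURE = [
  { label: "Flash", match: /Shockwave Flash/i, version: "9.0.47" },
  { label: "Java", match: /Java/i, version: "1.6.0.2" },
  { label: "QuickTime", match: /QuickTime/i, version: "7.2" },
];

// Pull the numeric components out of a free-form string such as
// "Shockwave Flash 9.0 r47" -> [9, 0, 47]. Returns null if none are found.
function parseVersion(text) {
  const parts = String(text).match(/\d+/g);
  return parts ? parts.map(Number) : null;
}

// Compare component by component as numbers, so 10.0 sorts after 9.0
// (a plain string comparison would get that wrong). Missing parts count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// plugins: array-like of { name, description }, the shape of navigator.plugins.
// Returns one result per plug-in that is both installed and listed in the file.
function checkPlugins(plugins, latestSecure) {
  const results = [];
  for (const entry of latestSecure) {
    const plugin = Array.from(plugins).find((p) => entry.match.test(p.name));
    if (!plugin) continue; // not installed: nothing to report
    const installed = parseVersion(plugin.description);
    const status = !installed ? "unknown" // version not detectable from the page
      : compareVersions(installed, parseVersion(entry.version)) < 0 ? "outdated" : "ok";
    results.push({ label: entry.label, status });
  }
  return results;
}

// Constructed sample input; in a page this would be navigator.plugins.
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 9.0 r28" },
  { name: "QuickTime Plug-in 7.2", description: "QuickTime Plug-in 7.2" },
  { name: "Java(TM) Platform", description: "Java plug-in" },
];
```

An "unknown" result is the case where the page cannot tell the version and should point the user at the plug-in's own updater instead of reporting it as safe.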

References