Firefox3.6/Plugin Update Awareness Security Review
Overview
Automatically detect when an installed plugin is concidered out of date, and alert the user - directing them to the Plugin Check page on mozilla.com.
- Background links
Security and Privacy
- Is this feature a security feature? If it is, what security issues is it intended to resolve?
Yes - Outdated plugins are often vulnerable and unstable. They are also very common, as users had to manually check each plugin version and find the newest version to install. This feature automatically detects outdated versions and offers an upgrade path.
- What potential security issues in your feature have you already considered and addressed?
To show the notification bar, the browser (chrome) listens for certain events coming from content - potentially allowing content to generate an event that would trigger a chrome notification bar. Events that are not trusted events are ignored.
- Is system or subsystem security compromised in any way if your project's configuration files / prefs are corrupt or missing?
No.
- Include a thorough description of the security assumptions, capabilities and any potential risks (possible attack points) being introduced by your project.
This uses (and integrated into) the architecture provided by the Blocklist functionality - any weakness in the blocklist code may be present in this feature.
- How are transitions in/out of Private Browsing mode handled?
Private Browsing mode is not relevant to this feature.
Exported APIs
- Please provide a table of exported interfaces (APIs, ABIs, protocols, UI, etc.)
Adds function: nsIPluginHost.getPluginTagForInstance() - only available to C++ XPCOM
Adds constant: nsIBlocklistService.STATE_OUTDATED
- Does it interoperate with a web service? How will it do so?
Yes - it uses the data from the blocklist.xml file, generated by the Plugin-finder service on addons.mozilla.com
- Explain the significant file formats, names, syntax, and semantics.
No schema change to blocklist.xml. A '0' value of the severity attribute is now interpreted as marking the plugin as outdated.
- Are the externally visible interfaces documented clearly enough for a non-Mozilla developer to use them successfully?
Yes - comments in the .idl files.
- Does it change any existing interfaces?
Yes - nsIPluginHost and nsIBlocklistService.
Module interactions
- What other modules are used (REQUIRES in the makefile, interfaces)?
No additional interactions that weren't already in the existing blocklist functionality.
Data
- What data is read or parsed by this feature?
The severity attribute in blocklist.xml - all other parsing and reading comes from the blocklist functionality.
- What is the output of this feature?
No output.
- What storage formats are used?
blocklist.xml (stored in the profile directory) was handled already by the existing blocklist code.
Reliability
- What failure modes or decision points are presented to the user?
When an outdated plugin is loaded in content, the user is warned and given the choice of visiting the Plugin Check page, or ignoring the warning.
- Can its files be corrupted by failures? Does it clean up any locks/files after crashes?
N/A
Configuration
- Can the end user configure settings, via a UI or about:config? Hidden prefs? Environment variables?
The URL of the Plugin Check page is stored in the pref plugins.update.url. A pending warning on restart is stored in the pref plugins.update.notifyUser and set/reset automatically. Neither pref has a UI.
- Are there build options for developers? [#ifdefs, ac_add_options, etc.]
No.
- What ranges for the tunable are appropriate? How are they determined?
N/A
- What are its on-going maintenance requirements (e.g. Web links, perishable data files)?
The database backing the Plugin-finder webservice (that generates the blocklist.xml file) needs to be kept up to date with what versions of common plugins are considered outdated.
Relationships to other projects
- Are there related projects in the community?
No.
Review comments
- concern that some plugin installers include foistware.
- how many lists of plugins/versions do we have, between PFS and the plugincheck website and the blocklist?
- do we show the infobar for both "just outdated" and "outdated and has security holes"?
- We're constrained to "outdated", "softblock", and "hard block" :( So it's hard to block an old version while also letting users know there's a newer version available.
- Almost want multiple dimensions replacing "levels": does this outdated version have security vulnerabilities; does mozilla think it should be blocked; is there a new version available.
 
- is there a pref for "automatically disable outdated plugins" for our more paranoid users?
- There's a threshold pref, extensions.blocklist.level. Setting it to 0 should make "outdated" plugins get disabled.
 
- is the blocklist transferred to users in a way that's authenticated, or it is vulnerable to MITM?
- The default plugins.update.url is on https://www.mozilla.com/, but who knows what Ubuntu's is
 
- since the warning is an infobar, can users tell the difference between our feature (sending them to adobe.com) and a malicious advertisement (sending them elsewhere)?
- Clicking "there is a newer, safer version available" actually takes you to mozilla.com plugincheck page, which as of 3.6, has access to full version number information.