User:Mconnor/Past/PluginBlocklisting

From MozillaWiki
Revision as of 01:44, 29 August 2008 by Mconnor

Introduction/Goals

The current stats we have on plugins are discouraging. Upwards of 60-70% of users have one or more vulnerable plugins active on their machines. Many of these versions are being actively targeted and exploited. This is not an acceptable situation for our users or for the web in general.

In Firefox 3 we implemented support for blocklisting plugins and have used it in some limited cases, but the user experience surrounding that feature is not yet obvious or easy enough for us to throw the big switch. The main goal of all of this is to get users onto more secure versions.

Attacking the problem from multiple angles gives us the best chance of success, and allows us to find the right solution for Firefox 3.1 while still taking action in a way that will have an immediate effect on these numbers. Even though the major update from Fx2 to Fx3 is live, we should still look to address Fx2 users with some of our messaging.

Plans

Support Team

  • Create a KB article explaining the risk of older plugin versions and how to check for them (the plugin version checker page would be an obvious link)

Evangelism Team

  • Outreach on why secure and aggressive auto-update is important
  • Outreach to major Flash/Java-using sites to see if they can do things to encourage users to upgrade
  • Create start page snippets to link to plugin checker

Someone's Team

  • Pick up Polvi's plugin checker and finish it (in-page plugin version scanner)

Firefox Team

3.0.x

  • Update blocklist format to have a severity value (say, 1-3)
    • 1: Can cause crashes/hangs in some cases, not security-sensitive (likely to be rarely used, if ever)
    • 2: Known to be vulnerable, should be updated
    • 3: High severity block, causes crashes in all cases.
  • Change the plugin blocklist pref to an int pref; block on blocklist entries with an equal or higher severity
    • 3.0.x default should be 3, and existing blocklist entries should be set as 3
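
The severity gate proposed in the 3.0.x list above, as an added JavaScript sketch (not Firefox's blocklist code and not part of the original page). The entry fields, plugin names and versions are constructed, and the version comparison is a simplified dotted-numeric one.

```javascript
// Added illustration; entry fields, plugin names and versions are constructed.
// Simplified dotted-numeric comparison (an assumption, not Firefox's comparator).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Constructed blocklist using the page's 1-3 severity scale.
const BLOCKLIST = [
  { name: /^Example Toolbar Helper$/, min: "0", max: "2.1", severity: 1 },
  { name: /^Example Media Player$/, min: "9.0", max: "9.0.47", severity: 2 },
  { name: /^Example Applet Runtime$/, min: "1.0", max: "1.5.2", severity: 3 },
];

// Highest severity among entries matching this plugin, or 0 if none match.
function matchedSeverity(plugin, blocklist) {
  let worst = 0;
  for (const e of blocklist) {
    if (!e.name.test(plugin.name)) continue;
    if (compareVersions(plugin.version, e.min) < 0) continue;
    if (compareVersions(plugin.version, e.max) > 0) continue;
    worst = Math.max(worst, e.severity);
  }
  return worst;
}

// Block when the matched severity is equal to or higher than the int pref.
function isBlocked(plugin, blocklist, prefThreshold) {
  const sev = matchedSeverity(plugin, blocklist);
  return sev > 0 && sev >= prefThreshold;
}

function blockedNames(plugins, blocklist, prefThreshold) {
  return plugins.filter(p => isBlocked(p, blocklist, prefThreshold)).map(p => p.name);
}

// Constructed set of installed plugins.
const INSTALLED = [
  { name: "Example Toolbar Helper", version: "2.0" },
  { name: "Example Media Player", version: "9.0.45" },
  { name: "Example Applet Runtime", version: "1.5.0" },
  { name: "Example PDF Viewer", version: "8.1.2" },
];
for (const pref of [3, 2, 1]) console.log(pref, blockedNames(INSTALLED, BLOCKLIST, pref));
```

With the proposed 3.0.x default of 3, only the severity-3 entry blocks; the known-vulnerable (severity 2) plugin stays enabled until the pref is lowered to 2.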