Firefox lends security hand to rival browsers
Mozilla launches delayed plug-in checking service for IE, Chrome, Safari and Opera
Computerworld - Mozilla yesterday launched a tool that lets users of rival browsers, including Internet Explorer (IE), Chrome, Safari and Opera, determine whether important add-ons may be vulnerable to attack.
The Web-based tool -- an extension of plug-in checking that Mozilla began adding to Firefox 3 last year -- was originally slated for a late March debut, but Mozilla delayed its release in order to beef up the list of plug-ins the service scans.
The "Plugin Check" tool lets users of Apple's Safari 4, Google's Chrome 4 and Opera Software's Opera 10.5 scan their browsers for outdated plug-ins such as Apple's QuickTime or Adobe's Flash and Reader that are frequently targeted by hackers.
Support for Microsoft's browser is limited to IE7 and IE8, and the tool checks a smaller number of plug-ins for IE than it does for other browsers. "Since IE requires specific code to be written for each plug-in, it will take us a little longer to get to full coverage," said Johnathan Nightingale, director of Firefox development, in a post to Mozilla's security blog.
The tool detected Microsoft's own Silverlight and Adobe's Flash plug-ins in a test of IE8 by Computerworld, but failed to spot the Adobe Reader plug-in.
When Mozilla's tool senses outdated plug-ins, it tags them with an "Update" label to mark them as potentially vulnerable, while others are marked as "Up to Date," or if their status can't be determined -- perhaps because they're not yet on Mozilla's list of known add-ons -- with a "Research" tag.
Last year, Mozilla kicked off the checker by verifying only Adobe Flash, citing that add-on's popularity and propensity for being exploited by attackers. Later, Mozilla added other Firefox plug-ins to the list, and integrated the tool into Firefox 3.6, the version that debuted last January.
The idea behind the checker is to show users which plug-ins may be vulnerable to attack because they have not been patched. "We believe that plug-in safety is an issue for the Web as a whole," said Nightingale of Mozilla's work to expand the service to rival browsers.
According to some estimates, attacks against browser plug-ins, particularly Adobe's Reader, the most popular PDF plug-in on the planet, are quickly climbing. In the first quarter of 2010, antivirus vendor McAfee said last month, PDF exploits accounted for 28% of all malware-bearing attack code.
Nightingale claimed that the plug-in tool is already keeping Firefox users more secure. "These days, over 60% of the users we see on the plug-in check page with Adobe's Flash plug-in installed are running the most recent version," he said. "That's much higher than the Web as a whole."
Mozilla's tool works by pinging the company's servers, which compare the plug-in versions found on the machine with the newest edition numbers. Links for those marked "Update" lead to the appropriate vendor's plug-in download page, where users can manually acquire the current version.
The company also made a plea for help from plug-in makers. "If you're a plug-in vendor, we need your help!" said Nightingale. "The directory is currently in alpha stages, and we need vendors to let us know as new versions come out, and old versions become dangerous."
Firefox 3.6 sports features which aren't included in the Web tool, including a warning when users surf to a page that tries to load an outdated plug-in. Mozilla has also said it will integrate a plug-in update service, similar to what it offers for the browser's extensions, into Firefox at some point. At the moment, the newest edition, a beta of the soon-to-ship Firefox 3.6.4, still leads users to the plug-in check Web page when the "Find Update" button is clicked in the "Plugins" section of the "Add-ons" tool.
The plug-in page can be found on Mozilla's Web site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Chrome users won't give up, keep pressing Google to restore old-style new tab page
- Google quashes 31 vulnerabilities, restores Metro mode 'steppers' with Chrome 34
- Firefox's UI face-lift on track for April debut
- Ex-Mozilla engineer blames Microsoft's rules for Metro Firefox's death
- Mozilla patches 20 Firefox flaws, plugs Pwn2Own holes
- Google reverses field, promises to restore Chrome's scrollbar arrows
- Update: Google ships Chrome 33, patches 28 bugs
- Mozilla's top exec defends in-Firefox ads, revenue search
- Mozilla taps in-Firefox ads as it searches for more revenue
- Mozilla ships Metro Firefox beta for Windows 8
Read more about Desktop Apps in Computerworld's Desktop Apps Topic Center.
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Why Projects Fail CIOs are expected to deliver more projects that transform business, and do so on time, on budget and with limited resources.
- The New Business Case for Video Conferencing: 7 Real-World Benefits Beyond Cost-Savings This whitepaper provides insight into the value of video conferencing in today's business environment, and how organizations are using visual collaboration to find...
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Desktop Apps White Papers | Webcasts