Firefox lends security hand to rival browsers
Mozilla launches delayed plug-in checking service for IE, Chrome, Safari and Opera
Computerworld - Mozilla yesterday launched a tool that lets users of rival browsers, including Internet Explorer (IE), Chrome, Safari and Opera, determine whether important add-ons may be vulnerable to attack.
The Web-based tool -- an extension of plug-in checking that Mozilla began adding to Firefox 3 last year -- was originally slated for a late March debut, but Mozilla delayed its release in order to beef up the list of plug-ins the service scans.
The "Plugin Check" tool lets users of Apple's Safari 4, Google's Chrome 4 and Opera Software's Opera 10.5 scan their browsers for outdated plug-ins such as Apple's QuickTime or Adobe's Flash and Reader that are frequently targeted by hackers.
Support for Microsoft's browser is limited to IE7 and IE8, and the tool checks a smaller number of plug-ins for IE than it does for other browsers. "Since IE requires specific code to be written for each plug-in, it will take us a little longer to get to full coverage," said Johnathan Nightingale, director of Firefox development, in a post to Mozilla's security blog.
The tool detected Microsoft's own Silverlight and Adobe's Flash plug-ins in a test of IE8 by Computerworld, but failed to spot the Adobe Reader plug-in.
When Mozilla's tool senses outdated plug-ins, it tags them with an "Update" label to mark them as potentially vulnerable. Others are marked "Up to Date" or, if their status can't be determined -- perhaps because they're not yet on Mozilla's list of known add-ons -- tagged "Research."
Last year, Mozilla kicked off the checker by verifying only Adobe Flash, citing that add-on's popularity and propensity for being exploited by attackers. Later, Mozilla added other Firefox plug-ins to the list, and integrated the tool into Firefox 3.6, the version that debuted last January.
The idea behind the checker is to show users which plug-ins may be vulnerable to attack because they have not been patched. "We believe that plug-in safety is an issue for the Web as a whole," said Nightingale of Mozilla's work to expand the service to rival browsers.
According to some estimates, attacks against browser plug-ins, particularly Adobe's Reader, the most popular PDF plug-in on the planet, are quickly climbing. In the first quarter of 2010, antivirus vendor McAfee said last month, PDF exploits accounted for 28% of all malware-bearing attack code.
Nightingale claimed that the plug-in tool is already keeping Firefox users more secure. "These days, over 60% of the users we see on the plug-in check page with Adobe's Flash plug-in installed are running the most recent version," he said. "That's much higher than the Web as a whole."
Mozilla's tool works by pinging the company's servers, which compare the plug-in versions found on the machine with the newest edition numbers. Links for those marked "Update" lead to the appropriate vendor's plug-in download page, where users can manually acquire the current version.
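The comparison described above can be sketched in a few lines. This is an added example, not Mozilla's code: the function names, the directory layout, the plug-in names, version numbers and URLs are all constructed for illustration. Only the three status labels come from the article.

```javascript
// Added illustration, not Mozilla's code. Directory entries are constructed.
const DIRECTORY = {
  "example media player": { latest: "10.2.0.5", url: "https://vendor.example/player" },
  "example pdf viewer": { latest: "9.3.2", url: "https://vendor.example/pdf" },
};

// Pull the first dotted number out of a reported version string.
// "Example PDF Viewer 9.3" -> [9, 3]; null when nothing numeric is present.
function parseVersion(text) {
  const match = /\d+(?:\.\d+)*/.exec(String(text || ""));
  return match ? match[0].split(".").map(Number) : null;
}

// Numeric, component-wise comparison. Missing components count as 0, so
// "9.3" equals "9.3.0", and "9.10" is newer than "9.9" (a plain string
// comparison would get that last case wrong).
function compareVersions(a, b) {
  const length = Math.max(a.length, b.length);
  for (let i = 0; i < length; i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

// Label each detected plug-in the way the article describes:
// "Update" (older than the directory's newest version, with a link to the
// vendor page), "Up to Date", or "Research" when the plug-in is not in the
// directory or its version cannot be read.
function checkPlugins(installed, directory) {
  return installed.map(({ name, version }) => {
    const entry = directory[name.toLowerCase()];
    const have = parseVersion(version);
    if (!entry || !have) return { name, status: "Research" };
    const newest = parseVersion(entry.latest);
    return compareVersions(have, newest) < 0
      ? { name, status: "Update", link: entry.url }
      : { name, status: "Up to Date" };
  });
}
```

A directory that lags behind vendor releases will report a stale plug-in as "Up to Date," which is why the accuracy of the version list matters as much as the comparison itself.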
The company also made a plea for help from plug-in makers. "If you're a plug-in vendor, we need your help!" said Nightingale. "The directory is currently in alpha stages, and we need vendors to let us know as new versions come out, and old versions become dangerous."
Firefox 3.6 sports features which aren't included in the Web tool, including a warning when users surf to a page that tries to load an outdated plug-in. Mozilla has also said it will integrate a plug-in update service, similar to what it offers for the browser's extensions, into Firefox at some point. At the moment, the newest edition, a beta of the soon-to-ship Firefox 3.6.4, still leads users to the plug-in check Web page when the "Find Update" button is clicked in the "Plugins" section of the "Add-ons" tool.
The plug-in page can be found on Mozilla's Web site.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.