Firefox lends security hand to rival browsers

Mozilla launches delayed plug-in checking service for IE, Chrome, Safari and Opera

Mozilla yesterday launched a tool that lets users of rival browsers, including Internet Explorer (IE), Chrome, Safari and Opera, determine whether important add-ons may be vulnerable to attack.

The Web-based tool -- an extension of plug-in checking that Mozilla began adding to Firefox 3 last year -- was originally slated for a late March debut, but Mozilla delayed its release in order to beef up the list of plug-ins the service scans.

The "Plugin Check" tool lets users of Apple's Safari 4, Google's Chrome 4 and Opera Software's Opera 10.5 scan their browsers for outdated plug-ins such as Apple's QuickTime or Adobe's Flash and Reader that are frequently targeted by hackers.

Support for Microsoft's browser is limited to IE7 and IE8, and the tool checks a smaller number of plug-ins for IE than it does for other browsers. "Since IE requires specific code to be written for each plug-in, it will take us a little longer to get to full coverage," said Johnathan Nightingale, director of Firefox development, in a post to Mozilla's security blog.

The tool detected Microsoft's own Silverlight and Adobe's Flash plug-ins in a test of IE8 by Computerworld, but failed to spot the Adobe Reader plug-in.

When Mozilla's tool senses outdated plug-ins, it tags them with an "Update" label to mark them as potentially vulnerable, while others are marked as "Up to Date," or if their status can't be determined -- perhaps because they're not yet on Mozilla's list of known add-ons -- with a "Research" tag.

Last year, Mozilla kicked off the checker by verifying only Adobe Flash, citing that add-on's popularity and propensity for being exploited by attackers. Later, Mozilla added other Firefox plug-ins to the list, and integrated the tool into Firefox 3.6, the version that debuted last January.

The idea behind the checker is to show users which plug-ins may be vulnerable to attack because they have not been patched. "We believe that plug-in safety is an issue for the Web as a whole," said Nightingale of Mozilla's work to expand the service to rival browsers.

According to some estimates, attacks against browser plug-ins, particularly Adobe's Reader, the most popular PDF plug-in on the planet, are quickly climbing. In the first quarter of 2010, antivirus vendor McAfee said last month, PDF exploits accounted for 28% of all malware-bearing attack code.

Nightingale claimed that the plug-in tool is already keeping Firefox users more secure. "These days, over 60% of the users we see on the plug-in check page with Adobe's Flash plug-in installed are running the most recent version," he said. "That's much higher than the Web as a whole."

Mozilla's tool works by pinging the company's servers, which compare the plug-in versions found on the machine with the newest edition numbers. Links for those marked "Update" lead to the appropriate vendor's plug-in download page, where users can manually acquire the current version.

The company also made a plea for help from plug-in makers. "If you're a plug-in vendor, we need your help!" said Nightingale. "The directory is currently in alpha stages, and we need vendors to let us know as new versions come out, and old versions become dangerous."

Firefox 3.6 sports features which aren't included in the Web tool, including a warning when users surf to a page that tries to load an outdated plug-in. Mozilla has also said it will integrate a plug-in update service, similar to what it offers for the browser's extensions, into Firefox at some point. At the moment, the newest edition, a beta of the soon-to-ship Firefox 3.6.4, still leads users to the plug-in check Web page when the "Find Update" button is clicked in the "Plugins" section of the "Add-ons" tool.

The plug-in page can be found on Mozilla's Web site.

Mozilla's plug-in check
Mozilla's new tool scans only a limited number of IE plug-ins.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon