Closed Bug 1060990 Opened 10 years ago Closed 9 years ago

Using the "Update Now" Action in Plugin Check doesn't have the desired effect

Categories

(Plugin Check Graveyard :: UI, defect)

x86
Windows Vista
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ionut.ambrosie, Assigned: espressive)

Details

User Agent: Mozilla/5.0 (Windows NT 6.0; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140716183446

Steps to reproduce:

I opened https://www.mozilla.org/en-US/plugincheck/
The Shockwave Flash plugin's status was listed as vulnerable 14.0.0.145
Thus, I clicked on the Update Now button


Actual results:

A new tab opened, displaying the webpage located at the following url: https://helpx.adobe.com/security/products/flash-player/apsb14-18.html


Expected results:

A new tab should have opened, displaying the webpage located at the following url:
https://get.adobe.com/flashplayer/
Component: Untriaged → plugins.mozilla.org
Product: Firefox → Websites
QA Contact: cbook
Version: 31 Branch → Trunk
(In reply to iambrozie from comment #0)
> User Agent: Mozilla/5.0 (Windows NT 6.0; rv:31.0) Gecko/20100101
> Firefox/31.0 (Beta/Release)
> Build ID: 20140716183446
> 
> Steps to reproduce:
> 
> I opened https://www.mozilla.org/en-US/plugincheck/
> The Shockwave Flash plugin's status was listed as vulnerable 14.0.0.145
> Thus, I clicked on the Update Now button
> 
> 
> Actual results:
> 
> A new tab opened, displaying the webpage located at the following url:
> https://helpx.adobe.com/security/products/flash-player/apsb14-18.html
> 
> 
> Expected results:
> 
> A new tab should have opened, displaying the webpage located at the
> following url:
> https://get.adobe.com/flashplayer/

Thanks for reporting this.

Generally the latter will be the case; however, if the plugin is vulnerable we will link to the security advisory. With that said, however, I do agree this is not the expected behaviour from a user's perspective.

Therefore I suggest (and will implement) the following:

Plugin marked as vulnerable

[ UPDATE NOW ]
read security bulletin <= in a smaller font size.
Assignee: nobody → schalk.neethling.bugs
Status: UNCONFIRMED → ASSIGNED
Component: plugins.mozilla.org → UI
Ever confirmed: true
Product: Websites → Plugin Check
QA Contact: cbook
Version: Trunk → unspecified
Thanks for replying,

How do you feel about including a link to the security bulletin in the Status column? I.e.:

Plugin                               Status                            Action
Shockwave Flash            Vulnerable. Read security bulletin        Update Now

This way, users have the choice of either:
i) informing themselves with regard to the vulnerability details 
ii) proceed to update the plugin
(In reply to iambrozie from comment #2)
> Thanks for replying,
> 
> How do you feel about including a link to the security bulletin in the
> Status column? I.e.:
> 
> Plugin                               Status                            Action
> Shockwave Flash            Vulnerable. Read security bulletin        Update
> Now
> 
> This way, users have the choice of either:
> i) informing themselves with regard to the vulnerability details 
> ii) proceed to update the plugin

That will also work, thanks for the suggestion. I will experiment with different options to find the one that provides the best user experience and clears up the current confusion without polluting the UI.
(In reply to iambrozie from comment #2)
> Thanks for replying,
> 
> How do you feel about including a link to the security bulletin in the
> Status column? I.e.:
> 
> Plugin                               Status                            Action
> Shockwave Flash            Vulnerable. Read security bulletin        Update
> Now
> 
> This way, users have the choice of either:
> i) informing themselves with regard to the vulnerability details 
> ii) proceed to update the plugin

That's an excellent idea. Providing status/bulletin information along with an actual path to remediation (an "Update" button that links to an actual resource for obtaining a plugin update) makes sense. 

As it stands now, being directed to a security bulletin without a direct path to remediation is not very useful. If user experience is being taken into account, it might be worth also looking at how some of these security bulletins are laid out. 

Java is a perfect example here. On just about a weekly basis, those bulletins provide a ton of very technical information, but the actual link to update Java is buried at the very bottom of Java's long document, sitting alongside nearly 30 other links at the footer of the page.

As a user of Firefox at home and for a few small organizations, I'm doing this for several plugins from different organizations, where the update/download/"get xyz" link may not be clearly identifiable or located in a consistent place on the page (if at all). When updating plugins on a regular (usually weekly) basis on several machines, the amount of time required to keep these updates adds up quickly.
 
Hopefully this won't sound silly or hyperbolic, but the Firefox Plugin Check has essentially changed from being a one-stop add-on resource for "here's how to fix your problem" to "here's more info about your problem. Good luck." Iambrozie's idea (or something similar) sounds like a great way to improve this experience without cluttering the UI.
We are seeing that end users, in significant numbers, are now being driven to the oracle.com security advisory, rather than to the java.com download page. This leaves users' systems at risk as they do not have the latest version with the current fixes for security vulnerabilities. While providing users with access to the security advisory seems reasonable, the security advisory is not a suitable replacement for a download page.
(In reply to Roger from comment #5)
> We are seeing that end users, in significant numbers, are now being driven
> to the oracle.com security advisory, rather than to the java.com download
> page. This leaves users' systems at risk as they do not have the latest
> version with the current fixes for security vulnerabilities. While providing
> users with access to the security advisory seems reasonable, the security
> advisory is not a suitable replacement for a download page.

Historically we have sent users to the security advisory when a plugin is vulnerable; however, I have been toying with the idea of having the button link to the download site (as you mention) and adding a security advisory link under the button when available.
Blocks: 1121456
No longer blocks: 1121456
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED