Closed Bug 265835 Opened 20 years ago Closed 14 years ago

Check user plugins (esp. Java) for known bad versions

Categories

(Core Graveyard :: Plug-ins, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: dveditz, Unassigned)

Details

Many popular plugins have known exploits in old versions, but people tend not to
upgrade if the version they've got is displaying the content they want to see.
Java is particularly important as its size discourages updates and some
vulnerabilities are being actively exploited in the wild.

We should check what users have and warn them if vulnerable versions are found,
with links to where the user can get an upgrade (if there is one).

We can probably get what we need for most plugins from the plugin array visible
to web content: most plugins include their version, if not exact patchlevel, in
their name or description string.

We could do this "catch as catch can" for people who visit www.mozilla.org
(particularly the start pages) from the plugins array, or perhaps include this
data in the transmission used to check extension versions.

Sometimes we'll know that a plugin is vulnerable, but no patched version is
available. It would be nice to have the ability to "turn off" a plugin until an
update is ready.
Please do not rely on websites for this, but include this information in the
build, at least additionally. A check on the mozilla.org startpage doesn't help
distributors or people who changed their homepage and don't happen to visit the
right mozilla.org page at the right time.

I would suggest:
- add some static information in the binary about known bad plugin versions
- check that at startup
- if a bad plugin is found, disable it automatically, inform the user to upgrade
the plugin. Maybe assist the user using the plugin finder service.
- in the above information dialog, do *not* give the user a choice to re-enable
the plugin. Do give that choice in the plugin enable/disable dialog (bug
19118?), for the rare cases where people need to test old software.
When the browser checks for vulnerable plugins at next startup, only disable
those that haven't been disabled automatically before (to not overwrite the
user's choice above).
- *Maybe* fetch new vulnerabilities via a website.
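Added example (not Mozilla code) of the two ideas above: reading versions out of the name/description strings that navigator.plugins exposes, and checking them against a static known-bad list without overriding a choice the user has already made. The blocklist entries, fixed-in versions and sample plugin strings are constructed placeholders, not real advisories.

```javascript
// Constructed blocklist: name pattern plus the first version considered fixed.
const KNOWN_BAD = [
  { name: /^Java\(TM\)/i, fixedIn: "1.5.0" },
  { name: /^Shockwave Flash/i, fixedIn: "7.0.19" },
];

// Pull the first dotted version out of a plugin string and normalise the
// common suffixes: "1.4.2_06" -> [1,4,2,6], "7.0 r19" -> [7,0,19].
function extractVersion(text) {
  const m = /(\d+(?:\.\d+)+)(?:[_ ]?r?(\d+))?/i.exec(text || "");
  if (!m) return null;
  const parts = m[1].split(".").map(Number);
  if (m[2] !== undefined) parts.push(Number(m[2]));
  return parts;
}

// Component-wise numeric comparison; missing components count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// plugins: array of {name, description}, e.g. Array.from(navigator.plugins).
// Returns the entries whose detected version is older than the fix.
function findVulnerablePlugins(plugins, blocklist = KNOWN_BAD) {
  const hits = [];
  for (const p of plugins) {
    const rule = blocklist.find((r) => r.name.test(p.name));
    if (!rule) continue;
    const ver = extractVersion(p.description) || extractVersion(p.name);
    if (ver && compareVersions(ver, extractVersion(rule.fixedIn)) < 0) {
      hits.push({ name: p.name, version: ver.join("."), fixedIn: rule.fixedIn });
    }
  }
  return hits;
}

// Auto-disable only plugins the browser has not already disabled itself once,
// so a plugin the user deliberately re-enabled afterwards is left alone.
function pluginsToDisable(hits, previouslyAutoDisabled) {
  return hits.filter((h) => !previouslyAutoDisabled.has(h.name)).map((h) => h.name);
}

// Constructed sample list shaped like navigator.plugins entries.
const SAMPLE_PLUGINS = [
  { name: "Java(TM) Plug-in 1.4.2_06", description: "Java(TM) 2 Platform Standard Edition 1.4.2_06" },
  { name: "Shockwave Flash", description: "Shockwave Flash 7.0 r19" },
  { name: "QuickTime Plug-in 6.5.2", description: "The QuickTime Plugin" },
];
```

In a real build the blocklist would be shipped with the binary and refreshed from a server, exactly as the comment proposes; here it is inline so the check runs offline.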

There are countless plugins; we can't keep track of them all. If we offer that
service for some, users will assume they are safe. How do we deal with that?
-> browser/plugins, because this should be available in Mozilla as well.
Component: General → Plug-ins
Product: Firefox → Browser
Version: 1.0 Branch → Trunk
Assignee: firefox → nobody
QA Contact: firefox.general → core.plugins
This was implemented a while ago in <https://www.mozilla.com/en-US/plugincheck/>
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard