User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr-FR; rv:1.8.1b2) Gecko/20060909 BonEcho/2.0b2 Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; fr-FR; rv:1.8.1b2) Gecko/20060909 BonEcho/2.0b2 Non-patched plugins vulnerability are one of the major security threads to Gecko-based browsers. Several bugs proposed solutions (see bug 271559 or bug 282257), but none that I found proposed the following. The interface of plugins does not allow to give back information about how and where to check, and download, updates of the plugins. This is the case of all the others add-ons on Firefox, (for example extensions, themes are checked periodically on the vendor site and the application proposes an update). Adding such an interface would allow the Gecko-based applications to check for update and, eventually, to handle it. (The way each of the gecko-based application does this is outside the scope of this bug) This proposal as several advantages on the proposed solution until now (see the two bugs): + it works with all plugins, not only the one we have decided to check; + it is the responsibility of the plugins maker to implement the interface correctly and to make the update available; no more a responsibility of the MoFo to add specific code to detect some dangerous plugin; + it allows Gecko-based application to implement their check-for-update and auto-update mechanism at will; + it makes the system coherent with others add-ons (themes, extensions, ...). It has also drawbacks: - the plugins interface is changed, and plugins-makers must adapt their plugins; that probably also means that the current interface should be supported for a quite long transition period (and temporary detections mechanisms would still be needed). That also means that major plugins-writer (Adobe, Sun, Apple, Microsoft, Real, ...) should be contacted early enough so that they can adapt their plugins; - Gecko-based applications must be adapted to use such features. Ok, that's just an idea, but it seems to me to be a sustainable way of handling regular plugins-check, and plugins-update: a mid to long term solution. Reproducible: Always
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.