Closed Bug 437200 Opened 16 years ago Closed 7 years ago

When a plugin exists both globally and in profile, prefer newer rather than profile

Categories

(Core Graveyard :: Plug-ins, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: norahmarinkovic, Unassigned)

Details

(Keywords: sec-want, Whiteboard: [sg:want?])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14

When plugins of different versions are installed, Firefox decides which plugin to use by the folder the plugin is installed in, not by its version.

Even though I install the latest plugins according to the user's installation environment, Firefox uses an old version of the plugin.

Reproducible: Always

Steps to Reproduce:
1. I make a "plugins" folder in a profile folder and store an old version of the Flash plugin there.
2. Install the latest Flash Player.
3. I confirm the version of the installed Flash Player at the following URL:
http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507
Actual Results:
The version of the old Flash Player (the one installed in the profile folder) is displayed.

Expected Results:  
When plugins of different versions are installed, Firefox performs a version check and invalidates the old version automatically.

When an old version of the plugin is installed in another vendor's browser, Firefox installs the plugin.
This was an intentional design, if a user goes out of their way to put a plugin in their profile there is assumed to be a good reason for that. One reason would be that they don't have administrator rights to upgrade the global location, or maybe they specifically need a down-rev version for compatibility with some internal site and only (safely) use that profile for that internal site.

It's worth re-evaluating the risks of each approach to make sure we're still happy with the current algorithm. This doesn't need to be kept secret, it's not an "exploit" that attackers can use against a user (this is not the only way people end up with outdated plugins, and attackers don't care what the reason is). If anything publicizing the way things work can help people protect themselves.

In a broad brush:
 1) local wins ("users who bother know best what works for them")
 2) global wins ("administrators are more clueful than users")
 3) newest wins ("security holes are bad, compatibility be damned")
   others?
Group: security
Status: UNCONFIRMED → NEW
Component: General → Plug-ins
Ever confirmed: true
Product: Firefox → Core
Summary: When plural same plugins are installed, a version check is not performed → Evaluate plugin-load search order (is preferring profile plugins always best?)
Whiteboard: [sg:investigate]
QA Contact: general → plugins
I think that the best solution is something that the user can set in "About:config".
For the default, I think that "newest wins" is good if I think about a consumer.
Summary: Evaluate plugin-load search order (is preferring profile plugins always best?) → When a plugin exists both globally and in profile, prefer newer rather than profile
Whiteboard: [sg:investigate] → [sg:want?]
The policy we're using and going to stick with is newest version number.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard
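The three load-order policies listed in the comment above, and the "newest version number" rule the bug was closed with, as an added example that is not part of this bug or of Firefox's plugin loader. The `PluginCandidate` type, the constructed candidate list and the tie-break toward the profile copy on equal versions are assumptions; `stale_copies` is the check an administrator would run to find an old profile copy that the chosen policy leaves in place.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class PluginCandidate:
    """One copy of a plugin found during the directory search (constructed, not a real scan)."""
    name: str      # plugin name as reported by the plugin, e.g. "Shockwave Flash"
    version: str   # version string reported by the plugin
    location: str  # "profile" or "global"

def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integer components so that 10.0 sorts above 9.0.124.
    An unparseable string becomes the empty tuple and therefore compares lowest, so a
    copy with a broken version string can never win a newest-wins comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def rank(c: PluginCandidate, policy: str) -> tuple:
    """Sort key for one candidate under one of the three policies from the discussion."""
    local = c.location == "profile"
    ver = parse_version(c.version)
    if policy == "profile":   # local wins; newest among the profile copies
        return (local, ver)
    if policy == "global":    # global wins; newest among the global copies
        return (not local, ver)
    if policy == "newest":    # newest wins; equal versions fall back to the profile copy (assumption)
        return (ver, local)
    raise ValueError(f"unknown policy {policy!r}")

def resolve(candidates: Iterable[PluginCandidate], policy: str) -> Dict[str, PluginCandidate]:
    """Apply the policy per plugin name, as a loader walking both directories would."""
    chosen: Dict[str, PluginCandidate] = {}
    for c in candidates:
        cur = chosen.get(c.name)
        if cur is None or rank(c, policy) > rank(cur, policy):
            chosen[c.name] = c
    return chosen

def stale_copies(candidates: Iterable[PluginCandidate]) -> List[PluginCandidate]:
    """Copies strictly older than the newest copy of the same plugin; these are the files
    that keep an outdated plugin reachable no matter which directory policy is in force."""
    cands = list(candidates)
    newest = resolve(cands, "newest")
    return [c for c in cands if parse_version(c.version) < parse_version(newest[c.name].version)]

# Constructed scenario from the report: an old Flash in the profile, a current one globally.
CANDIDATES = [
    PluginCandidate("Shockwave Flash", "9.0.124.0", "profile"),
    PluginCandidate("Shockwave Flash", "10.0.12.36", "global"),
]
```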