Friday, January 22, 2010

Firefox 3.6 with Plugin Check -- and what's missing

Firefox 3.6 is out, with a link to the Firefox Plugin Check page in the "Addons -> Plugins" tool.

The Firefox Plugin Check webpage works in much the same way as SecBrowsing, giving you links to download the latest versions of out-of-date plugins.

The plugin check is also integrated into Firefox in another way. Blair McBride explains that "Whenever you load a page that uses a plugin that is out of date, you’ll get a warning". I expect this to dramatically reduce the ratio of Firefox users with out-of-date plugins.

One significant improvement remains to be made, however: notice in the screenshot how Adobe Acrobat's version is detected inside Firefox. The browser itself appears to be able to detect the plugin version. On the updater page, however, the version is not detected.

The list of plugins with unknown versions is unfortunately usually long, meaning that there are still a lot of attack vectors against the browser. Acrobat Reader in particular has been targeted a lot lately.

SecBrowsing suffers from the same issue: Reader does not expose its version to HTML pages. Deeper integration into the browser is needed for both the Firefox Plugin Check and SecBrowsing to be helpful with such plugins. I plan to post more on this in the future.
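To make the limitation concrete, here is an added sketch (not code from Firefox Plugin Check or SecBrowsing) of how a page-side checker can classify plugins using only the `name` and `description` strings a page sees in `navigator.plugins`. The version table, the sample plugin strings and all function names are constructed for illustration.

```javascript
// Constructed "latest version" table; placeholder numbers, not real release data.
const LATEST = {
  "Shockwave Flash": "10.0.42",
  "QuickTime": "7.6.5",
  "Adobe Acrobat": "9.3.0",
};

// Pull the first dotted version number (e.g. "10.0.32") out of a string.
function extractVersion(text) {
  const m = /(\d+(?:\.\d+)+)/.exec(text || "");
  return m ? m[1] : null;
}

// Compare dotted versions numerically, field by field; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// plugins: array-like of {name, description}, the shape of navigator.plugins entries.
function checkPlugins(plugins, latest) {
  return Array.from(plugins).map((p) => {
    const known = Object.keys(latest).find((k) => p.name.indexOf(k) === 0);
    const version = extractVersion(p.description) || extractVersion(p.name);
    let status;
    if (!known) status = "untracked";
    else if (!version) status = "unknown"; // no version exposed: cannot be vouched for
    else status = compareVersions(version, latest[known]) < 0 ? "outdated" : "current";
    return { name: p.name, version: version, status: status };
  });
}

// Constructed sample of what a page might see; the Acrobat entry carries no version.
const SAMPLE = [
  { name: "Shockwave Flash", description: "Shockwave Flash 10.0.32" },
  { name: "QuickTime Plug-in 7.6.5", description: "The QuickTime Plugin plays media in the browser." },
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In For Firefox and Netscape" },
];

// In a browser: checkPlugins(navigator.plugins, LATEST)
const REPORT = checkPlugins(SAMPLE, LATEST);
```

A plugin that lands in the "unknown" bucket should be treated as unverified rather than as up to date, which is why a checker that relies on page-visible strings alone cannot help with Reader.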