Feeds

Mozilla detects insecure plugins for IE, Chrome, Safari

Protection beyond Firefox

Combat fraud and increase customer satisfaction

Updated Mozilla has introduced a service that checks plugins for the Internet Explorer, Chrome, Opera, and Safari browsers to make sure they don't contain known bugs or security vulnerabilities.

The page builds off a feature rolled out last year that checked only for out-of-date plugins for Firefox. At the moment, the service offers limited coverage for Internet Explorer extensions, but Mozilla says it plans to offer full coverage eventually.

"We believe that plugin safety is an issue for the web as a whole, so while our initial efforts focused on building a page that would work for Firefox users, the team has since expanded plugin check coverage to work with Safari 4, Chrome 4, and Opera 10.5," Johnathan Nightingale, Mozilla's Director of Firefox Development, writes here.

The check is designed to gently nag people who are using out-of-date versions of Adobe Flash, Oracle's Java Virtual Machine, and many other types of software that work closely with standard web browsers. Indeed, in the weeks after Mozilla introduced a page that checked for for Flash, it caught more than half of Firefox installations running an insecure version Adobe's web animation software.

That figure has improved slightly since then, with "over 60% of the users we see on the plugin check" running the most recent version of Flash, Nightingale says. Older versions of Flash are regularly exploited in malware drive-by attacks, so it's still problematic that such a high percentage of users leave themselves vulnerable. But the proportion of up-to-date Flash installations for Firefox is better than figures Mozilla cited for the web as a whole.

In quick tests we ran on the service, we noticed a small discrepancy: While loading the page in Firefox, we received a message that version 11.5.6.606 of Adobe's Shockwave for Director was the most current, while the same page loaded into Opera and Safari indicated we should update to version 11.5.7.609. Mozilla, it would seem, is no better than the rest of us at us at navigating Adobe's confusing road to patch Nirvana.

Still, kinks such as that one will probably be straightened out soon enough. More important is that Mozilla is stepping up and offering sensible protections designed to lower the number of people running insecure apps. Which makes you wonder why a service like this wasn't offered long ago. ®

Update

As of Wednesday morning, Mozilla's plugin check for Firefox now detects Shockwave version 11.5.6.606 as out of date. But the overall thrust of our comment - that the service delivers inconsistent results depending on the browser - still holds true.

For instance, loading the page in Firefox, we get a message that QuickTime 7.6.6.0 is up to date. Loading it in Opera or Safari, QuickTime 7.6.6.0 is displayed, but it is accompanied by the text "Unable to Detect Plugin Version."

At least two Reg readers say in the comments section they are having problems as well. Again, this is a great service, but it doesn't appear to be fully functional yet.

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.