Network News

X My Profile
View More Activity

Mozilla: Firefox Users, Check Your Plug-ins

Mozilla is now offering Firefox users a simple way to tell whether the browser's various plug-ins are up-to-date with the latest security patches.

Plug-ins are components installed by third-party software that power videos, animation and games in the browser, among other things. Outdated plug-ins can give malware an easy way into your computer, so it's important to make sure your browser has the latest, most secure versions. Even if you are normally vigilant about updating third-party software, occasionally a software update will fail to automatically patch its accompanying plug-in.

plugincheck.JPG

Enter Mozilla's Plugin Check: Let it scan Firefox, and it will tell you which of the plug-ins you have installed needs patching. (A screen shot of the results of a scan done on my test machine is pictured above). Any outdated plug-ins for which Plugin Check can find an updated version will land at the top of the list, and when you click the "update" tab, Mozilla will send you to the software vendor's download page to grab the latest version.

But then I noticed that the site was only showing me half of my installed plug-ins. When I clicked the "view all your plugins" link, the page revealed that it was unable to detect the current version of five other installed plug-ins. The site does, however, offer a "Research" tab that essentially automates a Google search query on the name of the plug-in and the term "current version."

pic2.JPG

In any event, Mozilla says it is adding more detection capability. Still, a notice that the service can't detect a current plug-in version should alert you to potentially outdated plug-ins and associated programs. Kudos to Mozilla for providing this useful service, which Mozilla says eventually will be incorporated into the browser itself.

If you use Firefox, take a second to visit the Plugin Check page. Please consider posting your results in the comments section below.

Some readers may not understand the difference between plug-ins, "add-ons" and "extensions" in Firefox. Plug-ins most often are installed by third-party programs, and handle certain types of content that Web sites offer, such as the display of PDF documents or QuickTime videos. Extensions refer to add-ons that introduce new features to Firefox, such as Noscript, Adblock Plus, and Firebug. An add-on is a more general term that can include plug-ins, extensions, and themes.

By Brian Krebs  |  October 14, 2009; 5:18 PM ET
Categories:  New Patches , Safety Tips  | Tags: firefox, mozilla, plugin check  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Trojan Turns Smash & Grab Into Grab & Smash
Next: Researcher: Hackers Hijack Some Facebook Apps

Comments

You indicate that the scanner will scan Firefox. Will it also scan Mozilla's other browser (which everyone forgets about): Seamonkey, the suite product?

Posted by: cahwyguy | October 14, 2009 8:31 PM | Report abuse

I got some strange results on my Fedora 10 Linux system.

For example, it told me I have Java plugin "Java(TM) Plug-in 1.6.0_13-b03" but then told me it couldn't find the version number of the plugin. (Did I interpret this correctly?) It told me I have an outdated version of Totem (a Linux movie player) and when I checked I found I had the latest version available for Fedora 10.

I think either the tool or the documentation needs some further work.

Posted by: StanKlein | October 14, 2009 8:35 PM | Report abuse

The Plugin Check page loads and shows a "Plugin Finding Service Error" message with a retry button that doesn't help. No plugins are displayed. Will try again later.

Posted by: Tyelctu | October 14, 2009 9:20 PM | Report abuse

My results: I got 12 "Research" and 5 "Up to Date" which isn't a great percentage, IMO. Still, the tool's a step in the right direction.

Posted by: jmrzx | October 14, 2009 9:40 PM | Report abuse

Found answer to my problem posted above: Had NoScript set to allow mozilla.ORG but not mozilla.COM, and didn't think to look. My results show six plugins detected out of a total of 13. This will probably improve over time.

Posted by: Tyelctu | October 15, 2009 6:47 AM | Report abuse

Running Linux 3.5.3. Detected 4 out of 8 plugins installed although Totem shows as 3 plugins. So maybe really 4 out of 6. Of the 4 it reported only one (Shockwave) up to date. Erroneously reported Totem out of date. Could not detect version for Java or Demo Print Plugin for unix/linux.
I hope they build this into Firefox.

Posted by: k4mdg | October 15, 2009 7:51 AM | Report abuse

Due to some site compatibility issues still using Firefox 3.0.14 but ran the Plugin Check which detected an old version of Silverlight and flagged the Office Live and RealPlayer Plugins for research.

Security can be a complex matter but why make things any harder than they need to be? This is a simple, straightforward way for people to take practical steps in their own (system) defense. Ongoing improvement in plugin detection and raising of awareness will make this beneficial for all - even those who don't use Firefox.

Posted by: m_ayre | October 15, 2009 9:01 AM | Report abuse

The plugins listed below are up to date

Java(TM) Platform SE 6 U15
Next Generation Java Plug-in 1.6.0_15 for Mozilla browsers
1.6.0.15
Up to Date

Silverlight Plug-In 3.0.40818.0 3.0.40818.0
Up to Date

Shockwave Flash 10.0 r32 10.0.32.0
Up to Date

Java Deployment Toolkit 6.0.140.8
NPRuntime Script Plug-in Library for Java(TM) Deploy
Unable to Detect Plugin Version

Java Deployment Toolkit 6.0.150.3
NPRuntime Script Plug-in Library for Java(TM) Deploy
Unable to Detect Plugin Version

Adobe PDF Plug-In For Firefox and Netscape
Unable to Detect Plugin Version

Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
Unable to Detect Plugin Version

Posted by: wiredog | October 15, 2009 9:57 AM | Report abuse

Out of 12 plugins found, 3 were up to date, 9 were marked as 'research'. Seems that it could've done better. Just wondering if there was something in FF that showed all the Plugins like it does for the Addons?

Posted by: wrr123 | October 15, 2009 10:46 AM | Report abuse

I ran it and found 13 plugins listed. Three were up to date and ten were listed as research. One of the research was an older version of the Java Platform that I can't find on my computer. My list of what's up to date and unavailable looks very similar to others. Nothing found to actually update.

Posted by: elyrest | October 15, 2009 12:31 PM | Report abuse

Does anyone know what crypto safeguards that Firefox Plug-in Check uses to ensure that updates are from a legitimate source and arrive unaltered/substituted? On the same note, is Firefox employing crypto checks for Firefox updates yet?

On another note, when performing updates, one ought to close out all tabs and windows except for one "safe" one. Even better, restart Firefox to flush out any potentially lingering nasties, then conduct the updates.

We make a similar recommendation to AppGuard users, who must suspend protection temporarily to perform 3rd party software updates. Unlike the iPhone's AppStore framework, there's no uniform clearinghouse in Windows for software installs and updates (most vendors, including Mozilla, do not utilize the Microsoft BITS infrastructure). This makes discriminating between legitimate and malicous changes quite difficult from an auotmated perspective.

Cheers,

Eirik

Posted by: eiverson1 | October 15, 2009 1:05 PM | Report abuse

@StanKlein
I'm also using Firefox on Linux (Ubuntu 9.04), and one of the things you have to take into account is how distros get updated. I don't have much specific experience with Fedora, but in Ubuntu, it is quite common that the base version of a package will not be upgraded, but that security and other serious bug fixes will be backported to the earlier version, which then is offered as an update. I think another (unintentional) consequence of this is that package version numbers can get out of sync with the outside world.

When in doubt, I suggest first making sure you have a distro release that is still getting support, and that you have the latest version of the package for your distro. Clearly some more digging may be appropriate if it's something you're particularly concerned about.

Posted by: richg74 | October 15, 2009 11:04 PM | Report abuse

In my quest to be ever more vigilant about security, I ran the scan. Most of my plug-ins were tagged "research." Only one was up to date. One was out of date. The out of date one, some kind of "meta filter" plug-in that I don't even recognize, I just decided to disable.

The problem with those plug-ins tagged "research" is that you get diverted to a Google search page. There's no indication which links should be clicked. Adding to the uncertainty is that when I did take a chance and clicked, No-Script and WOT issued warnings that the sites weren't trustworthy. IMHO, while firefox users need to be aware of this security issue and scan feature, there is not enough guidance to assist in solving whatever problems exist. For people who are not computer programmers, there needs to be a more transparent (that is obviously safe) way of getting plug-ins updated. I simply don't feel comfortable trying to plow through a list of 20 or more websites (for each plug-in) none of which I am familiar with, to download some new, unfamiliar program. From a security standpoint, that sounds like a walk on the wild side!

Posted by: kadenmor | October 16, 2009 6:18 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company