ANTenna Blog -- Internet/Web

Mozilla has a new tool that can help many Firefox users avoid potentially serious plug-in related security issues.

Most Firefox users already know that Mozilla can automatically alert them to updates both for the browser itself and for any extensions or themes that they have installed. Yet another class of software associated with Firefox -- browser plugins -- typically doesn't get the same level of protection that regular update notifications can provide.

First, a quick review of what all of these terms mean: A Firefox extension uses a built-in set of development technologies to enhance the browser's existing features or to add new features. A Firefox (or other browser) plug-in, by comparison, is a stand-alone application -- typically using its own installer and update-notification capabilities -- that interacts with the browser via an application programming interface (API).

From a software security point of view, this is an important distinction. Firefox can track the version of each installed extension and offer updates when they are available. In most cases, however, it was up to the individual plugin developer -- such as Adobe (for Flash) or Sun Microsystems (for Java) -- to handle the update process for its own plugin.

Adobe's Flash plugin has been especially vulnerable to security exploits that newer versions are designed to patch. As I noted in a previous post, Mozilla had already started using its Firefox update notifications to alert millions of users running outdated Flash plugins; the alert reduced (but did not eliminate) the number of exposed users.

Now, Mozilla is taking the next step with this approach. Its new "Plugin Check" page will automatically check all of a user's installed browser plugins, alert them when an update is available, and provide a link to the update download site.

The Plugin Check isn't perfect by any means: On my own Windows XP system, the tool couldn't determine whether or not two out of five installed plugins were up to date. (The "Research" link you see in the screen shot wasn't exactly helpful; it simply dumps you on a list of Google search results.)

Yet the Plugin Check did tell me that my VLC multimedia plugin was out of date and directed me to the latest version. This was genuinely helpful, since I had actually forgotten that the plugin was installed in the first place. (That's more than I can say for Apple's astoundingly unreliable QuickTime plugin, which reminded me of its existence every time it crashed Firefox.)

It is not clear to me whether the Plugin Check does a good job of correlating the appropriate plugin version to a user's Firefox or OS version; in either case, an older version simply might not support a current plugin -- a situation that could confuse some users or even create additional software problems.

Since that situation is applicable to very few users, however, it seems like a minor quibble. My biggest concern at this point would be whether Mozilla can improve Plugin Check so that it can determine the versions of plugins that currently escape analysis.

Anyway, using Plugin Check is drop-dead simple: Just point your Firefox browser to this address. It's a task that literally requires a few seconds to complete, and it could reap big security benefits for you and your small business.