Closed
Bug 282257
(startpagewarning)
Opened 20 years ago
Closed 15 years ago
Warn about old plugins on start page
Categories
(www.mozilla.org :: General, defect)
www.mozilla.org
General
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: rebron, Assigned: pkim)
References
()
Details
(Whiteboard: [sg:want P3])
Attachments
(1 file, 1 obsolete file)
(deleted),
text/plain
|
Details |
Update Start page via snippets or main page to notify users to upgrade to latest
version of Java.
Updated•20 years ago
|
Flags: blocking-aviary1.0.1+
Comment 1•20 years ago
|
||
In particular, we might want to have some javascript that looks through
navigator.plugins, something like:
for (var i = navigator.plugins.length - 1; i >= 0; --i) {
if (navigator.plugins[i].name.indexOf("Java") == 0) {
/* does this work for all java plugins */
var versionStr = navigator.plugins[i].name.split(" ")[2];
/* parse the version number somehow , figure out if it's a vulnerable
version, and alert somehow (document.write?) */
}
}
OS: Windows XP → All
Hardware: PC → All
Comment 2•20 years ago
|
||
Rafael, did anything ever come of our call for help in that last meeting with
the start page folks?
Updated•19 years ago
|
Assignee: rebron → nobody
Component: Product Site → www.mozilla.com
Flags: blocking-aviary1.0.1+
Product: Firefox → Websites
QA Contact: product.site → www-mozilla-com
Version: 1.0 Branch → unspecified
Reporter | ||
Updated•19 years ago
|
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX
Comment 4•19 years ago
|
||
Yes, this is still valid. Every Firefox who has reported being hacked has been hacked through Java. This was recently confirmed independently by reporters who surfed lots of sites using IE and Firefox in default configurations and found Firefox got hacked less, and when it was it was always through Java.
Frankly I think we should just turn it off.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Comment 5•19 years ago
|
||
Oh, and in addition to the 1.4.2_05 and earlier exploit that's been used, Sun recently announced a bunch of vulnerabilities up through 1.5.0_05 and there's some anecdotal evidence those are being used, too.
Rafael owns start page updates.
Raf - can you please review this bug and figure out next steps?
Assignee: nobody → rebron
Status: REOPENED → NEW
Comment 7•19 years ago
|
||
now that flash has drive-by remote code exection possible for flash player 8.0.22.0 and below
http://secunia.com/advisories/19218/
we should consider adding a flash sniff too.
http://www.macromedia.com/software/flash/about/
has sniffing code that might be lifted for flash player version detection.
<!-- $RCSfile: FlashDetection2k.pm,v $ $Revision: 1.71 $ : server can't tell if your browser has Flash; you have a Netscape-like browser, here is some client-side JavaScript to detect if you have Flash. --><script type="text/javascript" language="JavaScript">
<!-- start JS detection
FlashMode = 0;
if (navigator.plugins && navigator.plugins.length > 0)
{
if (navigator.plugins["Shockwave Flash"])
{
var plugin_version = 0;
var words = navigator.plugins["Shockwave Flash"].description.split(" ");
for (var i = 0; i < words.length; ++i)
{
if (isNaN(parseInt(words[i])))
continue;
plugin_version = words[i];
}
if (plugin_version >= 6)
{
var plugin = navigator.plugins["Shockwave Flash"];
var numTypes = plugin.length;
for (j = 0; j < numTypes; j++)
{
mimetype = plugin[j];
if (mimetype)
{
if (mimetype.enabledPlugin && (mimetype.suffixes.indexOf("swf") != -1))
FlashMode = 1;
// Mac wierdness
if (navigator.mimeTypes["application/x-shockwave-flash"] == null)
FlashMode = 0;
}
}
}
}
}
Comment 8•19 years ago
|
||
Raf - any updates on whether we can push out notifications like this to affected Java/Flash users?
Comment 9•19 years ago
|
||
This can be used as the basic detection script. "if hasOldJava() <put up java msg>" and "if hasOldFlash() <put up flash msg>"
The messages should be prominent (red boxes?) and link to the vendor sites to get the updates (yes, we have the plugin finder service, but we can't really trigger it from the start page in this way).
http://www.java.com/
http://www.macromedia.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
(could link to macromedia homepage, less danger of future broken links, but it's a cluttered page and hard to find the free flash player download)
Comment 10•19 years ago
|
||
Looks like not all platforms have 8.0 r24 as the latest, some use 7.0 r63
http://www.macromedia.com/software/flash/about/
The sniffing code in the attachment will have to be adjusted by platform. We don't have to worry about Mac classic, so I think it's just *nix versions using the older-branch update.
Comment 11•19 years ago
|
||
Attachment #215386 -
Attachment is obsolete: true
Comment 12•19 years ago
|
||
any international issues to consider if we do this? I'm guessing each localization is firewalled on the start page side.... where to point users once an old version is detected might need some research for each local...
Comment 13•19 years ago
|
||
Shockwave for director is also affected, 10.1r16 contains the fix, 10.1r11 and earlier are vulnerable. Unfortunately unlike flash they don't put the release number in the plugin name or description, both versions simply say 10.1
Comment 14•19 years ago
|
||
(In reply to comment #12)
> where to point users once an old version is detected might need
> some research for each local...
I don't know about adobe/macromedia, but www.java.com redirects me to www.java.com/en/ so there's some language sniffing there that should cover it.
Reporter | ||
Comment 15•19 years ago
|
||
Checking-in with the start page team on how to go about doing this.
Status: NEW → ASSIGNED
Comment 16•19 years ago
|
||
Another URL that may be good to link to is http://www.macromedia.com/go/getflash
Comment 17•19 years ago
|
||
Lets not reinvent the wheel. PluginFinderService has all of the plugins we support and where to get them.
http://lxr.mozilla.org/update1.0/source/plugins/PluginFinderService.php
Summary: Update start page for Java update → Update start page for plugin security update
Comment 18•19 years ago
|
||
For the record, we're also looking at adding the ability to block vulnerable plugins from being intstantiated, and that would most likely also include notifications to the user when plugins do get blocked. Once done, a user that's got a vulnerable flash player would simply get the plugin finder UI when loading a page with flash, and that way be able to download an updated plugin, provided one exists etc.
Comment 19•18 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=337768 points out the need to get going on some solutions for this soon.
Assignee | ||
Comment 21•18 years ago
|
||
Hey folks --
Ownership of start page snippets has moved to me. Is this still an issue? (Update Start page via snippets or main page to notify users to upgrade to latest version of Java.)
-Paul
Assignee: rebron → pkim
Status: ASSIGNED → NEW
Comment 22•18 years ago
|
||
Yes, it is definitely still an issue -- a BIG issue.
In the code snippet attached
JAVA_UPDATE should be changed from 6 to 7
FLASH_VER should be 9.0
FLASH_SUBVER should now be 16
The Linux flash verson is unchanged -- they're still vulnerable :-(
We may want to consider adding checks for QuickTime and Real -- both have had pretty nasty holes also, though I haven't heard they're being exploited in the wild unlike Flash and Java which definitely are being attacked.
Alias: startpagewarning
Summary: Update start page for plugin security update → Warn about old plugins on start page
Comment 23•18 years ago
|
||
It seems like it might be pretty desireable to have the checks happen on the Mozilla side before the redirect to Google so that Mozilla can hijack the home page and send the user to a page on mozilla.com. Can this be done without slowing down all start page loads?
Comment 24•18 years ago
|
||
No. That would require a redirect rather than a CNAME.
Comment 25•18 years ago
|
||
As in all comments today, my brain is off.
We'd need an approval from google to do js-magic on the startpage, which would, AFAICT, be required to do any warning about particular plugins.
One way to do that would be to create an on-topic special snippet, that may or may not be to work through with the lack of change management for the start pages.
PS: I don't have an up-to-date report on the start page snippets and the update on google.
Comment 26•18 years ago
|
||
jay, maybe we should hook up talkback auto responders to any plugin related crash to also instruct users to update to the most recent plugins for for improved security and stability...
Comment 27•18 years ago
|
||
Chofmann: That is a good idea, but not sure if I'll be able work on that with 1.5.0.x adn 2.0 tasks on my plate. If you can please log a bug, that will be great and hopefully I can get to it sooner than later. The autoresponder code is old and not hooked up, and most likely broken right now... so will have to rewrite some of it.
Comment 28•18 years ago
|
||
We're also getting reports of people being hacked through vulnerable WMP, appear to be using the MS06-006 flaw:
http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx
http://www.symantec.com/security_response/writeup.jsp?docid=2006-011115-4414-99
Symantec gives it a Damage Level of "low", but it's being used to drop Trojans on people's machines.
Unfortunately there's no way to check the version of Npdsplay.dll from the existing plugin interface available to scripts.
Comment 29•17 years ago
|
||
Re-awakening. Our newish strategy is to stick some alerts on the first-run and "you've been updated" pages. These alerts will lead to a general-use plug-in check page, similar to http://www.guninski.com/mozbugs/plug-test.html (from bug 271559) . Handy for everyone, eh?
My first pass at summarizing/attacking this is available here: http://wiki.mozilla.org/PluginUpdating
AFAICT, PFS will not be able to provide such updates. I'm proposing we hack out something extensible that will initially check for just Flash and Java -- adding links to this page on our common, easily controllable, landing pages (first run, updated).
I'm seeking feedback on the overall plan, particularly on how to keep track of the latest secure versions.
Comment 30•17 years ago
|
||
It's probably best to do this off of a timeout so it doesn't hurt the rendering time of the page. Loading plugins (in order to populate navigator.plugins) takes a while the first time each session, IIRC.
Comment 31•17 years ago
|
||
I've filed bug 391433, in an attempt to get the production scripts created. We'll probably farm this out -- but if anyone wants to take a stab at it, feel free :)
Updated•17 years ago
|
Depends on: upyourplug
Comment 32•17 years ago
|
||
The recent hype on the Flash malloc failure problems (http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf) caused me to actually look at my Flash plugin recently and note that it was woefully out-of-date. Since I run Minefield I'd never see any of these warnings, which made me wonder what would other users do who either change too quickly or too slowly than the "normal" user.
Is there anything beyond the First Run or "You've been updated" pages being looked at as a checking mechanism? Since AMO provides Add-on Version Update checking, would it be possible to extend that update concept to cover Plugins as well? My Bugzilla-fu is not what it used to be, but I couldn't find anything open covering that.
Comment 33•15 years ago
|
||
We're not ever going to put this on the Google-hosted start page. This concept has been carried on in other bugs, however, such as upyourplug and other server-side and client features.
Status: NEW → RESOLVED
Closed: 19 years ago → 15 years ago
Resolution: --- → WONTFIX
Updated•13 years ago
|
Component: www.mozilla.org/firefox → www.mozilla.org
Updated•12 years ago
|
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org
You need to log in
before you can comment on or make changes to this bug.
Description
•