Marks the beginning of a multi-step, plugin-updating plan

Sep 7, 2009 09:29 GMT

Mozilla will be rolling out a new feature in the upcoming Firefox 3.5.3 and 3.0.14 versions that is geared towards decreasing the number of vulnerable Adobe Flash Player installations. According to Firefox developers, this is only the first step of an implementation that will eventually automatically update all the plug-ins installed in the browser.

The new plug-in check introduced in Firefox 3.5.3 and 3.0.14 will be performed after updating the browser. If a vulnerable version of Flash Player is found, users will be presented with a Web page that instructs them to download and install the latest version of the plug-in.

"Our intent is to get the user’s attention, and direct them to the Adobe web site where they can download the most up to date version. For users who are already running the latest version, or who don’t have the Adobe Flash Player installed, the page will look very much like what they would normally see after a Firefox security update," Johnathan Nightingale, Mozilla's head of security, explains.

Flash Player has a huge install base and is deployed on the vast majority of computers connected to the Internet. Because of this, it has become a common target for cyber-criminals, who exploit its vulnerabilities to silently infect Web surfers with malware when they visit compromised websites. A recent study released by Internet security company Trusteer revealed that, two weeks after a critical Flash Player update was released, 80% of users were still using the vulnerable version.

It is this failure on the part of users to patch popular software that Mozilla wants to tackle with the plug-in update-check feature. Even though, at the beginning, it will only scan for Flash Player updates, the company plans to extend this to other popular plug-ins, such as QuickTime or Java, in the near future.

While this is a great first step towards a commendable goal, it still leaves a lot of room for improvement. According to some people, even if Mozilla advises users to patch and provides them with a link to Adobe's official Flash Player download website, they are likely to fail to complete the process because of its complexity.

However, as Christopher Blizzard, open source evangelist at Mozilla, explains, the system will gradually improve in the future. A special page where users can get other plug-ins checked as well will be implemented later this month, while, starting with Firefox 3.6, the checking will be performed inside the browser, as currently done for extensions. Users will still be sent to the aforementioned page to download the updates, though.

Automatically updating the plug-ins directly via the browser's plug-in service is still a long-term goal for now, but it's encouraging to see that it is being strongly considered. We hope that the Adobe Acrobat plug-in will benefit from similar attention, as it is also targeted in many Web-based attacks.
