Updated: October 19, 2009
This article is about the new bout of silent, unasked-for installs of browser plugins by Microsoft, specifically .NET components, into Firefox, again, and the way Mozilla proactively handle the security vulnerabilities present in these plugins. Furthermore, I'm going to explain what each plugin does and what you can do about it.
Call me a fanboy, but it's always refreshing when you see a software company taking the issue of security related to its products seriously. Online security is one of the hot topics today, the anvil of reputation where heroes and villains of the Internet are forged.
The Mozilla people definitely stand out in the crowd, with their aggressive, proactive approach to security. In the recent weeks, Mozilla has launched new services, which help make your Firefox a better, safer product.
Mozilla Plugin Check is a very convenient service that will check all your browser plugins and let you know if you have any that are out of date or known to have security vulnerabilities. Should any of those be found, the Plugin Check will search for updates and install them for you.
The service is still young and there are some problems with the detection of certain items, but this will be definitely be sorted soon.
Plugin Check started as a pilot, launched with the last Firefox update. Following the browser restart, users running an older, vulnerable version of the Adobe Flash Player plugin landed on a page that informed them their Flash plugin was out of date. The public response was enthusiastic, with more than 10 million visits to Adobe website. The clickrate was also phenomenal, about 30%, whereas most banner messages of this kind elicit only about 5% clickrate. Not only did this simple check help many Firefox users gain a higher level of security, it also showed the positive trend of Firefox users toward security.
In the future, this service will be integrated into the browser, so in addition to browser and add-on updates, you will also have an automated, unattended plugin self-update, which should increase the security of your browser even further, without relying on user interaction or discipline to maintain an up-to-date baseline.
You are welcome to go to the Plugin Check page and assess your plugin state.
If you've read my .NET framework article, you will know by now that third-party companies, Microsoft in this case, have tried to add their own plugins to Firefox, as a part of dubiously enhanced Web experience. In other words, not only do you get the application installed, you get Web browser plugins for related online technologies you did not ask for.
Well, Microsoft have somewhat rectified their practice, by making the uninstallable add-on uninstallable, but that does not change the fact that Firefox users get their browsers pimped by with unwanted steroids. The worst part of all is, most of these add-ons are riddled with security holes, turning your decent browser into Swiss cheese.
It seems that Mozilla people have had enough. So much that they have developed the Add-ons blocklist! Ta-dam! What happens is, should you try to install any plugin that has known, unpatched vulnerabilities, it gets blocklisted - disabled by default. Your browser stays safe. Very commendable.
Let's take a look at the blocklist: mainly all sorts of useless toolbars, some download managers, even an anti-virus component, and Microsoft .NET Framework Assistant.
Indeed, after you install .NET 3.5SP1 and launch Firefox, you get this prompt:
Or, if you already have the said plugins installed, you may see a popup, informing you that vulnerable plugins have been disabled, due to stability or security problems. At this point, you just need to restart Firefox and continue working normally.
It turns out this move was coordinated with Microsoft and the plugins may yet be unblocked, then possibly blocked and unblocked again in the future, but it shows the right train of thought and a serious commitment to user security.
You may encounter a few more Microsoft plugins inside your browser, including Microsoft DRM items. The big questions are, do these pose any issues and should you disable them?
Well, you should read this Mozilla knowledge base article.
Those plugins are all related to Windows Media Player. The two DRM plugins and the Dynamic Library are the standard plugins. Windows Media Player Firefox Plugin is the new, for more recent versions of both Windows operating system and Firefox browser itself.
If you're asking me, you can safely disable the older, legacy plugins and see how it goes. You should have no problem playing Windows Media inside your browser. But if you notice the loss of functionality, you can always restore them. The most important thing is, you definitely do not need them both. The older ones are a legacy leftover and are superseded by the new plugin.Besides, 99.9% of all media content is Flash, so you probably won't be missing anything.
I really, really like this approach. Rather than wait for users to come storming the castle with pitchforks and torches, Mozilla takes three steps ahead and tries to anticipate the shifty, shifting needs of the chaotic browser market. Lots of emphasis is placed on security without harming the user experience, which is evident from the numerous services used and created to make the Firefox usage as streamlined as possible.
Furthermore, this is the right approach to a serious issue. If your browser gets compromised, people will not go to their plugin vendors and complain. They will only know that their browser got compromised and that's it. Mozilla cannot afford to let this happen, which is why they take such drastic control of their baby.
With Plugin Check and Add-on Blocklist, Firefox security has just jumped two notches higher. This is good news for any security-loving Firefox fan.