
Security holes in Firefox due to plugins


DavidGGG
August 7th, 2007, 11:09 PM
Have you thought about this:

There are security issues with Firefox plugins. Just one example: a QuickTime drive-by issue which means if I open a QT movie on a malicious site and have QT7.1.3, they can execute whatever code they want on my PC (http://www.macnewsworld.com/story/54953.html). This also applies to the QT plugin. I didn't even know I had one (think it was installed by my codec pack, in an obscure folder)

If I have a plugin instead of the full app (i.e., WMP) I can't access any settings AFAIK, so it probably can't check for updates (unless it reads my mind). I imagine the "WMP plugin DLL" must have come bundled with Firefox 2.0.

I solved this by specifying only a few, known FULL products (not plugins) in the plugin list (I use JetAudio, Winamp, QT and the Adobe players), and for these I made sure they were set to check for updates often. Which for the Adobe players is done on adobe.com actually (and in 2 different ways..tricky..)

Some files are not even handled according to the plugin list - sometimes it's controlled by Windows settings. That's the case for QT, Shockwave and Flash player on my PC now, which are not in the plugin list anymore, but still work..

Anyone else that missed this giant collection of security holes or am I the only one stupid enough? :wacko:

Rilla927
August 8th, 2007, 11:31 AM
This is one of the reasons I quit using it.

tradetime
August 8th, 2007, 12:15 PM
No application, as soon as it's popular enough, is going to be bullet proof. As soon as it hits a level of popularity that makes it worthwhile for malicious code writers to undertake writing code to exploit it, then they will. Firefox may be simply entering a level of popularity where IE is no longer running decoy.

Rilla927
August 8th, 2007, 12:28 PM
I know no app is bullet proof. I had it installed over a year and it had a terrible memory leak. Their forum was full of tons of people complaining about this but it was never fixed. They wouldn't even acknowledge that there was a problem. So until they recognise that there is a problem and fix it properly...I would never use it.

Besides once I used Opera I liked it much better.

LUSHER
August 8th, 2007, 03:44 PM
I'm curious, how is this a firefox only problem?

Doesn't Opera use QT plugins?

However, I did notice that Firefox seems to come with a built-in QT plugin even if you don't have QT installed??

19monty64
August 8th, 2007, 03:58 PM
-{ Quote: "I'm curious, how is this a firefox only problem?

Doesn't Opera use QT plugins?

However, I did notice that firefox seems to come with a build in QT plugin even if you don't have QT installed??" }-
Yes, Opera (9.22) has QT plug-in even without QT installed...

Rilla927
August 8th, 2007, 04:17 PM
-{ Quote: "I'm curious, how is this a firefox only problem?

Doesn't Opera use QT plugins?

However, I did notice that firefox seems to come with a build in QT plugin even if you don't have QT installed??" }-
It's a well known problem and has been for a while. Firefox shouldn't be using 381,758KB in the task manager. Now whether they fixed it since I last had it installed I don't know and don't care either way. I didn't use crap loads of plug ins either.

If you look around in their forum you find the info.

DavidGGG
August 8th, 2007, 05:41 PM
It's probably a problem for most browsers. This is not an attempt to make Firefox look bad, I still have it as my primary browser, but anyone interested in internet security should either find this scary or tell me I got it wrong.

I removed the "Windows Media Player plugin DLL" completely from my list of Firefox plugins - I have no idea how to access that plugin's settings - and replaced it with JetAudio. I have the latest Windows Media Player as well, but as far as I understand, the WMPlayer is an exe file and the WMP Plugin is a DLL file, and the dll doesn't get updated because I update the exe, or affected by its settings.

I tried to check my plugins: in my folder C:\Program\Mozilla Firefox\plugins there are 2 plugins for real player (which is equally scary, but I already solved this by using JetAudio instead, it's one of the few alternatives to RealPlayer, I just forgot I did this - and if you don't like JetAudio for some reason, like I do, there's also "Real Alternative"). But there are no plugins that seem to be the Windows Media Player in that folder! Googling makes me think it should probably be called either np-mswmp.dll or npdsplay.dll. I searched my whole C: for these, and found two copies of npdsplay.dll, one in C:\Program\Windows Media Player and one in C:\WINDOWS\system32\dllcache, both identical and both dated 2005-11-29! I would think it has not been updated lately! My PC has had a complete re-install this year, but I suppose it could have come with XP.

To me it seems the plugin business is a mess, and it feels MUCH better to not use any plugins at all, exchange them all for exes which you have control over.

I think it would be better to stop making plugins and just make complete exe files, or at least plugins with some sort of control panel, so that you can always access its settings and make sure it gets updates. All apps which can make direct contact with the internet need to be on auto-update. I can find the QT control panel when I look for it in semi-weird places, but I sure can't find any for WMP or RealP.

Or did I miss anything. Seems pretty convincing to me, but only a fool is ever totally convinced when it comes to PCs.... :blink:

By the way, Firefox uses 51MB on my PC.

tradetime
August 8th, 2007, 06:07 PM
Can these not be disabled in Firefox and only enabled on a site specific basis?
Surely all browsers use plugins?
BTW I'm not angling for a fight about FF, I don't use it anymore. Just curious on what's out there.

Kerodo
August 8th, 2007, 10:58 PM
The more popular Firefox gets, the more people will continue to pick and poke at it till it eventually has the same reputation that IE 6 has had in the past...

Mrkvonic
August 9th, 2007, 01:50 AM
Hello,

1. I see no problems with plugins ... they are updated when you update your local software and replace the dlls.

2. Memory leak did not happen to everyone, only certain people.

3. Firefox is bulletproof and stories about how it's gonna ... x y x blah ... are merely spreading the FUD. You say how can I claim this? Well, simply because there is no existing exploit that can trigger remote drive-by in Firefox.

4. Firefox is semi-sentient. If you love it, it will love thee. I have found this to be true for most software. If you love it and cherish it and praise it, the software will behave to you. This is a reason why I have encountered almost zero bugs with most of the programs I use.

Mrk

DavidGGG
August 9th, 2007, 04:55 AM
-{ Quote: "they are updated when you update your local software and replace the dlls." }-
If an important update is available, you will not know about it. The only sensible way is to have automatic check for updates, for all programs with internet access.

-{ Quote: "there is no existing exploit that can trigger remote drive-by in Firefox." }-
I'm not talking about Firefox itself, I'm talking about plugins associated with Firefox. If you browse with Firefox to a malicious or hijacked site with a QT movie on it and watch that movie, then the QT plugin will be activated and you're screwed

This thread is not about which browser is "da best". I put Firefox in the heading since that's what I use but this is probably valid for all browsers that use plugins, unless they check for updates for their plugins, which Firefox doesn't. I don't know how IE works. But I wouldn't change default browser to IE. What I would suggest is look your plugins over.

Seems no one yet even admits this is a major problem. One giant reason why people use Firefox is because it's safer. Firefox not using ActiveX, Mozilla updating bugs really quickly, etc. makes it a good choice regarding safety. But what's the point if Mozilla swiftly remove one bug every month if at the same time there are 20 unfixed exploits for the plugins. Firefox without updated plugins is safe only as long as you don't play any sounds, watch any movies etc., while browsing.

LoneWolf
August 9th, 2007, 06:17 AM
-{ Quote: "Firefox is bulletproof " }-

I beg to differ.

http://mywebpages.comcast.net/SupportCD/FirefoxMyths.html

But then again I do not use FF and never will.

Nothing is bulletproof. Nothing.

Mrkvonic
August 9th, 2007, 07:04 AM
Hello,
That site is nothing but pure propaganda.
And Mozilla is not responsible for QT, Adobe or anyone else.

edit: SHOW ME ONE WEBSITE THAT CAN TRIGGER REMOTE DRIVE-BY IN FIREFOX. NOT JUST EMPTY WORDS - ONE WORKING LIVING MALICIOUS EXAMPLE. THANK YOU.

Mrk

LUSHER
August 9th, 2007, 07:54 AM
-{ Quote: "
I removed the "Windows Media Player plugin DLL" completely from my list of Firefox plugins - I have no idea how to access that plugin's settings -, and replaced it with JetAudio. " }-

You do know that about:plugins will show you what plugins are running, right? I *think* there is a way to selectively disable plugins, but I suppose you could just go into the plugin directory and delete the files.

If you want plugins to run only in certain sites, NoScript I think has an option to do that.

-{ Quote: "
I have the latest Windows Media Player as well, but as far as i understand, the WMPlayer is an exe file and the WMP Plugin is a DLL file, and the dll doesn't get updated because I update the exe, or affected by it's settings.
" }-

No idea about WMP, but with QT, if you update QT it will update the plugins as well (I checked, same for RealPlayer also). So this reduces to the normal problem of keeping stuff on your computer patched.

What I was surprised to find is that on one of my machines without QT installed, there was an old QT plugin that was capable of running clips??

-{ Quote: "
I tried to check my plugins: in my folder C:\Program\Mozilla Firefox\plugins there are 2 plugins for real player (which is equally scary, but I already solved this by using JetAudio instead, it's one of the few alternatives to RealPlayer, I just forgot I did this - and if you don't like JetAudio for some reason, like I do, there's also "Real Alternative"). But there are no plugins that seem to be the Windows Media Player in that folder! Googling makes me think it should probably be called either np-mswmp.dll or npdsplay.dll. I searched my whole C: for these, and found two copies of npdsplay.dll, one in C:\Program\Windows Media Player and one in C:\WINDOWS\system32\dllcache, both identical and both dated 2005-11-29! I would think it has not been updated lately! My PC has had a complete re-install this year, by I suppose it could have come with XP.
" }-

I have the same date for npdsplay.dll. Version listed is 3.0.2.629. Are you sure there is a later version?

-{ Quote: "
To me it seems the plugin business is a mess, and it feels MUCH better to not use any plugins at all, exchange them all for exes which you have control over.
" }-

Well trade-off you know...

DavidGGG
August 9th, 2007, 03:56 PM
-{ Quote: "Are you sure there is a later version?" }-
Well you don't know if it is the latest version, do you? How to fix that? If not by downloading the full exe and setting it to auto update, or replacing it with another player?

Seems the latest version is from April 13th 2007 and that the official download site (redirected to by M$) is http://port25.technet.com/pages/windows-media-player-firefox-plugin-download.aspx.

But that's not the point. Apparently there's a risk you are vulnerable to whatever bugs WMP has had since 2005, and you can go download that plugin right now, but then they might find a new bug and make a new update tomorrow, or next week. So you need (have I said it before) aauutooo-updating. And can you get that from a plugin? I can't find settings for it anyway.

-{ Quote: "if you update QT it will update the plugins as well (i checked same for realplayer also). So this reduces to the normal problem of keeping stuff on your computer patched" }-
Well no. I'm talking about what can be the effects if you only have the plugin (but your tests are interesting to know of). You are now saying that you also have the full exes. Don't know why you bother to use the plugins then, but that's not very interesting. Point is apparently you have the exes, and if you've set them to update and allow them through your firewall, then you are as safe as it gets, for those players. But the reason you have the exes is probably that you're interested in using RM and QT players, so you downloaded them for that reason. But anyone not doing that will just have the plugins, and they are not very safe, it seems. Like you, on that other computer. Do you believe your computer with the QT plugin is safe?

Thanks for reminding me of the old about: commands, I never can remember them. If you know of a list it'd be nice. And I see several in the list I'd like to fully disable, do you know how to do that?

The RTSP exploit for QT is apparently wide spread (http://vil.nai.com/vil/content/v_142501.htm) through the mpack (http://en.wikipedia.org/wiki/MPack_%28software%29) but this is just ONE example. I also know WMP has had serious exploits. If you want lists they can be found for example at http://www.milw0rm.com/platforms/windows .

And Mr Massive Poster, asking to show a web site that has this exploit is just so... What would you do if I did? I'm sure you'd browse there and start clicking all QT movies wouldn't ya?

LoneWolf
August 9th, 2007, 10:24 PM
-{ Quote: "That site is nothing but pure propaganda." }-

Propaganda, no more like reality.

You keep saying FireFox is bulletproof, if you have it you are safe anywhere on the web. That would be nice.
Sorry but that's just a false sense of security.

DavidGGG
August 9th, 2007, 11:28 PM
Can Pedro and the likes please take that debate to a different thread?

Stick to plugins or be gone.

Pedro
August 9th, 2007, 11:30 PM
I roger that... deleted

Mrkvonic
August 10th, 2007, 04:03 AM
Hello,

I was talking on topic. You can consider all programs as "plugins" in an operating system, in a way. So? Is Microsoft, for example, responsible for how Skype people design their tool?

Firefox / other browsers do not have their own built-in players and such. So they must use third-party tool. And if these are bugged ... well ... The developers of the browser can do their best to try to sandbox their application as much as possible, but when you leave the folder of the native application, you venture into the waters of murky, proprietary dlls that you cannot fully control.

An analogy: blaming a car company for a burst tyre. Do you expect the car company to have control over it?

Same here. You can try to maximize compatibility etc, but it's up to the user to make sure his system is not vulnerable.

And offtopic, LoneWolf, I want code - written code - and links that prove me wrong. Until then, my "false" sense of reality is THE reality. With Firefox you are more than safe anywhere on the web. I have done it a million times. It's up to you, to provide evidence in the court of law, incriminating the innocent-until-proven-guilty suspect.

Mrk

DavidGGG
August 10th, 2007, 07:51 AM
Thanks Pedro.

Kvonic, you were partly and half on topic. Regarding cherishing Firefox, could you please go start a different thread. I have lots to say on the subject, and will happily join your thread (not the sect), but for this thread, it ends now.

Of course Mozilla is not responsible for plugins, but being marketed as safer, they could well provide the service to check available updates for the plugins (at least the most common ones), or at the very least mention this problem and their solution for it so people don't miss it. Because they sure do recommend those plugins. And if they don't recognize the problem, who will? Same way as your car dealer may well tell you recommended tire wear before exchange, even though it's not his responsibility, because if he's truly interested in the customer being safe, he would do what he can. And the repair shop responsible for servicing the car, even if under guarantee and paid for by the manufacturer, should of course do their best to warn about any security threats, including bad tires, if they are aware of them. If maybe the majority (my guess) of Fx users aren't safe because of their plugins, then it would be good to try to improve the situation; arguing the responsibility won't solve it I'm sure.

What you call offtopic to the wolfe in your last post seems to actually be on topic even if just repeating yourself, and my comment is: you will not get links to exploiting sites. I gave you THREE links to follow to learn what the RTSP exploit is, what mpack is and how common it is with paid updates and all, and also a complete list of other real threats that apply to several plugins. That information is better than links to sites with exploits of Firefox plugins (exploits of Firefox itself are not on this thread, you know), and milw0rm does even provide the code. I suggest you sit down and read all that for a few hours and come back better educated.

tlu
August 10th, 2007, 07:57 AM
-{ Quote: "
And offtopic, LoneWolf, I want code - written code - and links that prove me wrong. Until then, my "false" sense of reality is THE reality. Wth Firefox you are more than safe anywhere on the web. I have done it a million times. It's up to you, to provide evidence in the court of law, incriminating the innocent-until-proveb-guilty suspect.
" }-
An example can be found here (http://hackademix.net/2007/08/07/java-evil-popups/). And it also applies to Opera. However, it can be prevented in FF by using Noscript, and a fix by Sun should be available soon.

Don't get me wrong: I'm a convinced Firefox supporter and I never use IE (least of all on my Kubuntu machine ;D ), but maintaining that FF is 100% safe is too simplistic. On the other hand, any bugs discovered are usually fixed within a few days, while it sometimes took many months in the case of IE. Thus, any possible exploits are more or less irrelevant as long as you keep your FF always updated. And since new bugs are mostly Javascript or Java or plugins related, Noscript is an excellent protection against many zero-day attacks.

Mrkvonic
August 10th, 2007, 10:31 AM
Hello,
I'm gonna post my answers in another thread.
Mrk

nadirah
August 10th, 2007, 11:23 AM
It's actually quite simple. Keep your programs up-to-date and fully patched and you will be safe from most of those exploits.
QT 7.1.3 is not the latest version, the latest is 7.2 ;)

DavidGGG
August 10th, 2007, 05:41 PM
-{ Quote: "QT 7.1.3 is not the latest version, the latest is 7.2" }-
Yes exactly. So if anyone sees that he has QT7.1.3 in the plugins list, then it's time to get scared - and I bet you are a few! I even checked it with the Fx support forum, and the 7.1.3 plugin is vulnerable to the RTSP exploit, just like the 7.1.3 exe.

-{ Quote: "It's actually quite simple. Keep your programs up-to-date and fully patched and you will be safe from most of those exploits" }-

And exactly how do you keep a plugin up-to-date, if you can't set it to auto update? Supernatural plugins? ??? I see only one good solution (again): Get rid of the plugin, and get the exe instead, because this you can set to auto-update.

I suspect the majority of the Fx users have un-updated plugins either without realizing it or because not being able to access settings to make it update itself. Where do they come from? I think real player and adobe flash player came with Firefox. The WMP plugin I'm guessing comes with Windows. QT plugin I suspect came with the K-Lite Codec pack, which is very popular. I also have a Zylom plugin, which I suspect was installed by a game I bought called Chicken Invaders. VLC Player has added a plugin. And then there's 2 M$ DRM network i/f plugins, wonder how they got here, I certainly never approved them, but they probably belong to WMP (M$ "Digital Rights Management"). All of these are security holes in Firefox on my PC, as far as I can see.

I can't understand you guys not getting upset over this, it's a much greater security hole than 99% of the posts in this forum, both from a user's point of view and for the Firefox community.

You should add it to the ToDo list when installing Windows on a new PC:
- Decent firewall, AV, antispyware, and check the settings
- antirootkit and guard of register and some files & folders (hosts file etc)
- Replace default browser with e g Firefox. Add Noscript or disable java.
- Maybe some more tweaking of Windows (shut down some services etc)
- Set auto-update on all apps with www access
- Hm. Am I done? NO! You have like 5 or 10 major security holes left! All of the above may well be in vain! Many on this forum like playing with multiple AVs, ASs, ATs, ARKs etc. What's the point, if not fixing the MAJOR stuff first!

If anyone new should join here who would actually be interested in fixing this problem on his/hers PC, then I googled this instruction, which complements just changing plugins to exes in the Firefox settings: http://plugindoc.mozdev.org/faqs/uninstall.html

lu_chin
August 10th, 2007, 07:20 PM
How do FF addons/plugins compare with BHO and activex used by IE? Won't missing updates to such cause similar potential security holes in IE? I guess the update issue is more general than relating to a particular program. There is also an Update Notifier addon for FF written by Todd Long that notifies the user when updates for extension and themes are available. It is supposedly "easily configurable for automatically installing updates when available and checking for updates when Firefox starts." But then users have to keep this addon up-to-date first in case of bugs. :D

GrailVanGogh
August 10th, 2007, 09:41 PM
-{ Quote: "There is also an Update Notifier addon for FF written by Todd Long that notifies the user when updates for extension and themes are available. It is supposedly "easily configurable for automatically installing updates when available and checking for updates when Firefox starts." But then users have to keep this addon up-to-date first in case of bugs. :D" }-

Fx 2.0 will check for updates to addons, search plugins, as well as the browser on a daily basis if the user allows it.

Sticking with Mozilla Addons site to get any extensions and themes goes a long way in protecting yourself as the addons and themes are tested.

LUSHER
August 11th, 2007, 01:16 AM
-{ Quote: "Well you don't know if it is the latest version, do you? How fix that? " }-

How do you know that the full 'exe' that you use is updated? It's the same problem: the exe that you install will and should update the plugin at the same time. So far my check shows that they all do. WMP is the same except its plugins reside in the normal program folder instead of the plugins folder. Firefox is set to scan various standard folders (which you can turn off) if the plugins do not exist in the normal plugin folder; you can google all the gory details if you want, but it's not necessary.

-{ Quote: "
Seems the latest version is from April 13th 2007 and that the official download site (redirected to by M$) is http://port25.technet.com/pages/windows-media-player-firefox-plugin-download.aspx.

But that's not the point. Apparently there's a risk you are vulnerable to whatever bugs WMP has had since 2005, and you can go download that plugin right now, but then they might find a new bug and make a new update tomorrow, or next week.
" }-

Okay calm down you are not vulnerable, if you have "npdsplay.dll" (normally located in the C:\Program Files\Windows Media Player folder) - version 3.0.2.629 (which I have). Here's what mozilla says

"In Windows XP and earlier, the WMP plugin file "npdsplay.dll" and related plugin files are normally included in the Windows Media Player program folder. The WMP plugin is automatically detected through plugin scanning and will be used by Mozilla applications for embedded media that require the WMP plugin. Important: Microsoft Security Bulletin MS06-006 (February 2006) reported a vulnerability in the standard Windows Media Player plugin file "npdsplay.dll" on Windows 2000 and Windows XP systems, that could result in remote code execution when using non-Microsoft web browsers. The "Security Update for Windows Media Player Plug-in (KB911564)", available from Windows Update or from the download links given in the security bulletin, updates the file "npdsplay.dll" (normally located in the C:\Program Files\Windows Media Player folder) to version 3.0.2.629. If your system includes the standard WMP plugin, make sure that it is the updated version of this file."

It goes on to explain about the newer plugin you found, but it has nothing to do with security problems. And as I highlighted in bold, if you keep up to date with Windows Update you have nothing to worry about.

-{ Quote: "
So you need (have I said it before) aauutooo-updating. And can you get that from a plugin? I can't find settings for it anyway.
" }-

As many of us have been saying in this thread, the plugin will be updated together with the application. So the WMP plugin is updated when you run Windows Update, as shown by my experience.

I am somewhat surprised to see that there are plugins that work without the full exe. I'm going to reinstall Firefox in a new file system and see what plugins, if any, come with them.

-{ Quote: "
Well no. I'm talking about what can be the effects if you only have the plugin (but your tests are intersting to know of). You are now saying that you also have the full exes. Don't know why you bother to use the plugins then, but that's not very interesting.
" }-

If you don't know what browser plugins do, you can do a google... :D
But yeah, plugins allow you to play content embedded in the webpage. Some might find that pointless, but to each their own.

-{ Quote: "
Thanks for reminding me of the old about: commands, I never can remember them. If you know of a list it'd be nice. And I see several in the list I'd like to fully disable, do you know how to do that?
" }-

Yes, I do. There are several ways. You can find them in the usual places on mozillazine etc which I'm sure you already have.

IMHO, while I appreciate your attempt to raise awareness and yes media players will be the next holes people will go after, I think you should step back, and take a breath. Your post has inspired me to look a bit deeper (some nice info on plugin scanning locations), but so far I have found nothing really big worth worrying about.

In fact, some of your responses (not to me) strike me as lacking in logic and perhaps you seem determined to be afraid. I don't know.
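The two posts above disagree about whether the WMP plugin on a given machine is the patched build, and DavidGGG earlier resorted to searching the whole C: drive and comparing file dates. The check that settles it is the one Mozilla's note describes: read the file version of npdsplay.dll and compare it with 3.0.2.629 (the KB911564 / MS06-006 fix level quoted in the thread). The script below is an added example, not code from the thread or from Mozilla or Microsoft. It assumes the two folders named in the thread (the Firefox plugins folder and the Windows Media Player folder); the function and variable names are my own. It inventories every np*.dll it finds, prints version and modification date so a reader can compare with the 2005-11-29 date mentioned above, and flags any npdsplay.dll older than the fixed version.

```powershell
# Added example (not from the thread): inventory NPAPI plugin DLLs in the
# folders this thread talks about and flag an unpatched WMP plugin.
# Folder names come from the thread; names below are my own assumptions.
$PluginDirs = @(
    "$env:ProgramFiles\Mozilla Firefox\plugins",
    "$env:ProgramFiles\Windows Media Player"
)
# Fixed version of npdsplay.dll per Mozilla's note (KB911564 / MS06-006)
$FixedWmpVersion = New-Object System.Version('3.0.2.629')

function Get-PluginInventory {
    param([string[]]$Dirs)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # NPAPI plugin DLLs are conventionally named np*.dll
        Get-ChildItem -LiteralPath $dir -Filter 'np*.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $vi = $_.VersionInfo   # FileVersionInfo exposed on FileInfo objects
                [pscustomobject]@{
                    File        = $_.FullName
                    FileVersion = $vi.FileVersion
                    Product     = $vi.ProductName
                    Modified    = $_.LastWriteTime
                }
            }
    }
}

function Test-WmpPluginPatched {
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build a comparable [version] from the numeric parts; the FileVersion
    # string sometimes carries extra text and would not parse reliably.
    $v = New-Object System.Version(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    return ($v -ge $FixedWmpVersion)
}

$inventory = @(Get-PluginInventory -Dirs $PluginDirs)
$inventory | Format-Table -AutoSize

foreach ($p in ($inventory | Where-Object { $_.File -like '*\npdsplay.dll' })) {
    if (Test-WmpPluginPatched -Path $p.File) {
        "OK:   $($p.File) is $($p.FileVersion) (>= $FixedWmpVersion, KB911564 applied)"
    } else {
        "WARN: $($p.File) is $($p.FileVersion) (< $FixedWmpVersion, MS06-006 unpatched)"
    }
}
```

Version comparison is done on the numeric parts rather than the file date: a reinstall or a copy from dllcache can give a patched file a fresh timestamp, and an old timestamp on its own proves nothing, which is exactly the confusion in the posts above. For plugins other than WMP the inventory only tells you what is present and which version it is; the fixed version has to be looked up per product.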

DavidGGG
August 11th, 2007, 05:55 AM
-{ Quote: "Update Notifier addon for FF written by Todd Long that notifies the user when updates for extension and themes are available. It is supposedly "easily configurable for automatically installing updates when available and checking for updates when Firefox starts." But then users have to keep this addon up-to-date first in case of bugs. :D" }-

The part about having to keep this plugin up-to-date probably isn't a problem, since for the Fx-specific "plugins" I've added (IEtab and ADblocker) Fx does check for updates automatically and even download and install them.

But if I got the meaning of the words extension, plugin etc right, then this plugin doesn't check for updates for what is really called plugins, such as the media players, only for extensions and themes, which is already built into Fx it seems (maybe not themes, dunno). So it seems redundant for extensions and useless for plugins, if I got it right.

I did search addons.mozilla.org for update checkers AND post a question at their forum, so I'd be surprised if there existed a useful plugin.

tlu
August 11th, 2007, 06:27 AM
-{ Quote: "
But if I got the meaning of the words extension, plugin etc right, then this plugin doesn't check for updates for what is really called plugins, such as the media players, only for extensions and themes, which is already built into Fx it seems (maybe not themes, dunno). " }-
That's correct. And I agree that keeping 3rd party plugins updated is a problem. On the other hand (as I've already mentioned in another post), by using Noscript and checking to block Java, flash and other plugins for untrusted sites the security risk of not always having up-to-date plugins is minimized.

DavidGGG
August 11th, 2007, 07:03 AM
-{ Quote: "How do you know that the full 'exe' that you use is updated?" }-
I use an exe which can be set to auto-update! If it wasn't possible, I'd use a different exe. Feels like I said that before......................

milw0rm.com has a few WMP exploits dated 2006 listed. You can check them out and report how serious they are if you're up to it. And you can also check if all exes update all dlls, it's all interesting details, I'm sure. Me, I don't have to worry about that, I don't use plugins anymore..

-{ Quote: "perhaps you seem determined to be afraid" }-
Why should I be afraid? I don't use plugins anymore.

-{ Quote: "I am somewhat surprised to see that there are plugins that work without the full exe" }-
Don't they all? One of the major reasons that plugins exist is they are smaller than the exes (sometimes enormously much smaller). You can find that too by googling.

-{ Quote: "I agree that keeping 3rd party plugins updated is a problem" }-
Finally someone who agrees this IS a problem! I wasn't sure if it was me going insane or the rest of the forum. Thanks for saving my mental health (what's left of it). :wacko:

BTW, I think Noscript blocks java already, so you don't have to do that twice. I tried Noscript but found it slightly annoying and wouldn't recommend it for my mama and persons like that (which are like 80% of the population), but I'm sure it's a good addon for many users. I'm not aiming at becoming an expert on how exploits work, but I do know java and activeX has too much access to my whole PC to feel safe, javascript is much more restrained (though not bug free). But I'm not aware that Noscript saves you from all exploits like the QT RTSP mentioned. Regarding Flash I have set it to update often, so I feel I can allow it uncrippled.

tlu
August 11th, 2007, 12:15 PM
-{ Quote: "
BTW, I think Noscript blocks java already, so you don't have to do that twice." }-
No, that's incorrect. Noscript blocks Javascript by default, and this makes sense since a lot, if not most FF security leaks were somehow related to it. If you want to block Java, Flash and other plugins (which I recommend highly, of course) you have to check the appropriate buttons in the settings menu.

-{ Quote: " I tried Noscript but found it slightly annoying and wouldn't recommend it for my mama and persons like that (which are like 80% of the population), but I'm sure it's a good addon for many users. " }-
I read that quite often but I don't understand it. Let's face it: The percentage of websites most users regularly load is probably at about 80-90%. They are trustworthy sites, otherwise you wouldn't load them, would you? So just add them to trusted sites just once (if necessary), Noscript will remember your decision till eternity and you won't have any problems with them. Why do you view that as annoying? And since they are trustworthy sites, it shouldn't do any harm if your plugins are not up-to-date. But on all other sites you come across, e.g. via Google, you'll still be protected as JS, Java, Flash and other plugins are blocked. If some of them cause problems, you still can allow them temporarily with two mouseclicks if you regard them trustworthy. By the way: Another important aspect is that Noscript is AFAIK the only solution so far against the more and more popular cross-site scripting (XSS).

-{ Quote: "I'm not aiming at becoming an expert on how exploits work, but I do know java and activeX has too much access to my whole PC to feel safe, javascript is much more restrained (though not bug free). " }-
As a matter of fact, Java has a better track record than Javascript regarding security issues. Giorgio Maone, the programmer of Noscript, shares (http://noscript.net/faq#qa1_8) this opinion. But you're right that ActiveX is probably the worst technology security-wise that Microsoft ever invented.

lu_chin
August 11th, 2007, 02:01 PM
I guess the same logic can go for updating software in general. For a plugin that comes together with a program, e.g. WMP, if doing an update of the program (be it via WMP or Windows) does not in fact update the plugin, then you may prefer to stop using it too. Or if you prefer to meticulously check all the files (executables and plugins that come with them) to see if they are in fact up-to-date or not, you may prefer to download a fresh full installer and install over the existing version. I could not see a link of security concern between plugins and FF in terms of updating. The same thing will happen to IE and in fact many other programs that use any extensions, plugins, ActiveX controls, etc. At times users will be responsible for doing some updating of software, drivers, etc. installed on their PCs. For a lazy person like me, I just run my web browsers within a sandbox HIPS program to get a little more security without thinking too much about how things really work.

-{ Quote: "I use an exe which can be set to auto-update! If it wasn't possible, I'd use a different exe. Feels like I said that before......................" }-

DavidGGG
August 11th, 2007, 03:21 PM
tlu, what I meant is that you can block java either in Noscript or in Firefox, no need to do both. And I don't feel I ever need java, but js is everywhere, so blocking it means annoyances for every other new site. And looking at the capabilities of java vs js and the restraints of js, java should be worse, but maybe it isn't in reality, dunno why, maybe JRE limits java somehow or maybe hackers prefer js? You may well be right that I should limit js, but I can't be bothered since it's too annoying to do so. Don't you think it's enough to log out from the internet bank when finished, not visit the bank + other sites simultaneously, not follow links in e-mails without thinking, keep www-apps on auto-update, use Fx as default and disallow java, as an alternative to using Noscript?

And lu_chin, the problem at hand is that it's not really possible to handle updating of plugins in a secure manner, at least no one has shown a way to me yet, and the solution I use myself is to stop using plugins, since full apps exist which do the same job but can auto-update themselves. So, I think that was the 5th time I said that. Also, of all programs to patch, those with internet access are the most important, since for e.g. Word and stuff, though full of bugs and scripts, the user has a degree of control over what documents he opens, but for stuff on the www, it's enough to visit the wrong site and you suddenly have nasties installed, like spyware. The same may well be valid for all browsers more or less, but since I use Fx I can't really make intelligent posts regarding the others.

tlu
August 12th, 2007, 09:49 AM
-{ Quote: "tlu, what I meant is that you can block java either in Noscript or in Firefox, no need to do both. And I don't feel I ever need java," }-
Well, I need Java on a couple of sites I visit regularly, that's why I don't block it in FF.

-{ Quote: " but js is everywhere so blocking it means annoyances for every other new site. " }-
Please read my previous post - it's no problem for me. Most sites I visit regularly, and allowing JS for them - if needed - is a breeze. And that all or at least most new sites necessarily require JS is a myth.

-{ Quote: "And looking at the capabilities of java vs js and restraints of js, java should be worse, but maybe it isn't in reality, dunno why, maybe JRE limits java somehow or maybe hackers prefer js? " }-
Java applets run in a sandbox from which they shouldn't be able to break out.

-{ Quote: "You may well be right I should limit js, but I can't be bothered since it's too annoying to do so. Don't you think it's enough to logout from the internet bank when finished, not visit the bank + other sites simultaneously, don't follow links in e-mails without thinking, and keeping www-apps on auto-update, using Fx as default and disallowing java, as an option to using Noscript?" }-
I don't want to do without the extra security Noscript provides, the more so as I don't find it annoying (I described why).

-{ Quote: " And lu_chin, the problem at hand is that it's not really possible to handle updating of plugins in a secure manner, at least noone has shown a way to me yet," }-
Switch to Linux and you won't have this problem any more. In Linux, you install at least 99.9% of your applications not from some more or less trustworthy websites but from the repositories of your distribution - including those plugins. If security updates are available you will be informed about them (or they will be installed automatically if you choose so). That's one of the big advantages of Linux: not only the OS itself but also all applications are always up-to-date.

-{ Quote: " and the solution I use myself is to stop using plugins, since full apps exist which do the same job but can auto-update themselves. " }-
I think you're throwing out the baby with the bath water. There are enough sites available that inform you about available updates of important applications. And if you use Noscript and block plugins by default for any site not being on your whitelist, you are protected even if your plugin(s) are outdated.

DavidGGG
August 12th, 2007, 12:47 PM
Well, now I'm tired of this thread. I won't be checking it anymore. And this thread starting business was a disappointment. Good luck, especially to you who decide to keep your plugins.

Pedro
August 12th, 2007, 02:25 PM
Don't be. I understand your concerns, even though others have explained why it's not Firefox itself.
Maybe there could be a feature to watch for plugin updates, and warn? I can see the use for that, suggesting a link to update the software in question, with instructions.

tlu
August 13th, 2007, 08:16 AM
-{ Quote: "Maybe there could be a feature to watch for plugin updates, and warn? I can see the use for that, suggesting a link to update the software in question, with instructions." }-
One site that helps to easily check for new releases might be http://www.download.com/3140-20_4-0-1.html?tag=browsedl_new

swami
August 14th, 2007, 10:22 AM
@DavidGGG
How about checking them here:
http://secunia.com/software_inspector/

nadirah
September 1st, 2007, 10:56 AM
-{ Quote: "Yes exactly. So if anyone sees that he has QT7.1.3 in the plugins list, then it's time to get scared - and I bet you are a few! I even checked it with the Fx support forum, and the 7.1.3 plugin is vulnerable to the RTSP exploit, just like the 7.1.3 exe.

And exactly how do you keep a plugin up-to-date, if you can't set it to auto update? Supernatural plugins? ??? I see only one good solution (again): Get rid of the plugin, and get the exe instead, because this you can set to auto-update.

I suspect the majority of the Fx users have un-updated plugins either without realizing it or because not being able to access settings to make it update itself. Where do they come from? I think real player and adobe flash player came with Firefox. The WMP plugin I'm guessing comes with Windows. QT plugin I suspect came with the K-Lite Codec pack, which is very popular. I also have a Zylom plugin, which I suspect was installed by a game I bought called Chicken Invaders. VLC Player has added a plugin. And then there's 2 M$ DRM network i/f plugins, wonder how they got here, I certainly never approved them, but they probably belong to WMP (M$ "Digital Rights Management"). All of these are security holes in Firefox on my PC, as far as I can see.

I can't understand you guys not getting upset over this, it's a much greater security hole than 99% of the posts in this forum, both from a user's point of view and for the Firefox community.

You should add it to the ToDo list when installing Windows on a new PC:
- Decent firewall, AV, antispyware, and check the settings
- antirootkit and guard of register and some files & folders (hosts file etc)
- Replace default browser with e g Firefox. Add Noscript or disable java.
- Maybe some more tweaking of Windows (shut down some services etc)
- Set auto-update on all apps with www access
- Hm. Am I done? NO! You have like 5 or 10 major security holes left! All of the above may well be in vain! Many on this forum like playing with multiple AVs, ASs, ATs, ARKs etc. What's the point, if not fixing the MAJOR stuff first!

If anyone new should join here who would actually be interested in fixing this problem on his/her PC, then I googled this instruction, which complements just changing plugins to exes in the Firefox settings: http://plugindoc.mozdev.org/faqs/uninstall.html" }-

Well David,

I'm using firefox 3.0 alpha 8 here. To keep things brief, I'd like to highlight certain things:

And exactly how do you keep a plugin up-to-date, if you can't set it to auto update? Supernatural plugins? ??? I see only one good solution (again): Get rid of the plugin, and get the exe instead, because this you can set to auto-update.

The only way to keep a plugin up-to-date is to update the respective program it belongs to. The way you put your statement is telling me that you are just feeling paranoid.
For example, when I update Adobe Flash and Shockwave, their plug-ins in firefox are updated as well. And the add-ons dialog in firefox gives me options such as enabling and disabling plug-ins, but not for removing them completely. Those plug-ins that I don't want, I can simply disable without removing them completely.