By warning users that they're using out-of-date plug-ins, Mozilla's Firefox is helping to immunize the online community from malware contagion.
Usually, when computer hardware and software companies point out security vulnerabilities in the products of a competitor, there's a marketing goal: appearing to be more secure than the competition. Such is the aim of Apple's advertising, which makes frequent reference to the viruses that can affect Windows PCs.
But in keeping with a trend to encourage community cooperation to combat malware, Mozilla recently began advising users to update Adobe's Flash software following a Firefox security update. While one could argue this represents a subtle attempt to discredit Flash and boost the appeal of HTML 5 video, which works in Firefox 3.5 without a third-party plug-in, a more charitable interpretation is that Mozilla is providing a genuine service to the community by helping to close a major vector for malware infection.
By helping to fix vulnerabilities in third-party software, Mozilla is making online life better for everyone. That's because infected computers aren't merely a problem for their owners. Infected computers affect everyone, by becoming bots that send spam and spread viruses.
The results are impressive. In the past week, the update notification page, displayed following upgrades to Firefox 3.5.3 and Firefox 3.0.14, has prompted over 10 million users to click on the Flash update link and install the most recent version of Flash. Assuming most of these people followed through and installed the update, that's a substantial reduction of the risk that 10 million computers could become infected with malware.
In a blog post on Wednesday, Ken Kovash, Mozilla's manager of analytics, notes that the click-through rate for this page is more than 30%, five times higher than is typical. It turns out there are a lot of people out there with vulnerable versions of Flash, not to mention other software.
According to Adobe, 99% of desktop Internet users have Flash installed. And according to Mozilla's Internet traffic statistics, at least 75% of Flash users aren't using the most current version. While it may seem obsessive to worry about keeping one's software updated, failure to do so leaves one open to cyber attack.
The recent Top Cyber Security Risks Report singles out Adobe Flash, which accounts for four of the Top 30 vulnerabilities in the first half of 2009, as a source of ongoing problems.
"Flash presents additional challenges: It does not have its automatic update mechanism and one needs to patch Internet Explorer in a separate step from other browsers," the report states. "For users that have more than one browser installed, it is quite easy to forget to completely close Flash vulnerabilities and continue to be unwillingly vulnerable."
Mozilla plans to extend its alert system to other plug-ins. In a post on the Mozilla security blog, Jonathan Nightingale explains, "We're working to roll other plug-ins into our web-based checking, and the Firefox team is also building an integrated check that will let you know whenever a site you visit is trying to use an outdated plug-in (more on that soon). This is just the beginning."