September 18, 2009

Mozilla claims victory for Firefox Flash warning

Mozilla says 30 percent updated, 10m visitors to Adobe site

By Gregg Keizer

---

Mozilla said yesterday that Firefox's check for outdated editions of Adobe's Flash Player convinced 10 million users to go to Adobe's Web site and grab the latest software.

About a third of the Firefox users who were warned last week that they were running an old, and vulnerable, version of Flash followed the link to update the Adobe software, said Mitchell Baker, the former CEO of Mozilla and current chairman of the Mozilla Foundation.

"This is a very high response rate," said Baker in a post to her blog. "A typical response rate for this [landing] page is around 5%."

"Those results have been nothing short of awesome," echoed Johnathan Nightingale, of Mozilla's security team, in an entry on the company's security blog yesterday.

Adobe on Thursday confirmed a spike in traffic to its Flash Player update page, and applauded Mozilla's move. "For us, anything that others do to help users stay up-to-date is a good thing," said Brad Arkin, Adobe's director for product security and privacy. "We're glad to see Mozilla doing this."

After Firefox 3.0 and 3.5 users installed the security update Mozilla issued last Wednesday, they saw a message on the "landing page", the first page that appeared after the browser restarted, if they had an out-of-date version of Flash Player. "You should update Adobe Flash right now," the message read. "Firefox is up to date, but your current version of Flash can cause security and stability issues. Please install the free update as soon as possible."

The message also included a link to Adobe's download site for the latest Flash Player plug-in.

According to Ken Kovash, Mozilla's chief of metrics, 10 million people clicked on that link in the week after the update and Flash plug-in check were fed to Firefox users. On Sept. 10, the first full day after the update rolled out, about six million users saw the landing page. More than three million, said Kovash on his metrics blog, were running an outdated copy of Flash, and of those, over one million clicked on the link to Adobe's download page.

"Beyond the total impact of 10 million clicks, the most impressive pattern that stands out is the click-through rate," said Kovash. "While the Firefox 'whatsnew' page generally sees a click-through rate below 5%, the Flash update link alone has generated a click-through rate better than 30%. Phenomenal!"

Adobe's Arkin said that Mozilla's tactic isn't the first time a company's urged its users to update Flash. "Other sites, such as Facebook, have been doing this for awhile, and are already encouraging their users to stay up-to-date," Arkin said. "No one has to ask our permission to do it."

The request is frequent enough, in fact, that Adobe provides JavaScript code to Web site developers that they can use to detect the current version of Flash on a machine. Dubbed "SWFObject," the code is part of an open-source project of several Adobe engineers. "Anyone who wants to help update their users, they can get in touch with us and we'll help them," said Arkin.

Even though he welcomed Mozilla's plug-in check, Arkin said it isn't a complete solution to the problem of outdated software. "Firefox's is a good approach for a certain demographic, but not all users have the rights to update on their own," said Arkin. "It's not the complete and final solution."

Arkin declined to go into specifics about what plans Adobe has in mind, or in the works, to boost update uptake.

But doing that is imperative, a collection of security experts concluded earlier this week after releasing a report that correlated data on Web attacks with patching practices. "Applications that are widely installed are not being patched at the same speed as the operating system," said Wolfgang Kandek, the chief technology officer of Qualys on Tuesday. Qualys contributed its patching data to the study. "For Adobe Reader, Adobe Flash, Sun Java, Microsoft Office, Apple QuickTime, the patch cycles are much much slower than for the operating system," he said.

Baker acknowledged that Firefox's check for outdated plug-ins, something the company intends to expand later this year in version 3.6, won't solve the problem on its own, but was optimistic that the browser maker was on the right track.

"The response suggests that people are receptive to clear information about how to keep themselves safer," she said. "That's encouraging. It benefits the individual doing the updating, and also provides a system wide 'public health' benefit, as well."

To manually download the latest version of Flash Player, users can head to Adobe's Web site.

Newsletters

Our Daily & Weekly Newsletters highlight breaking news, vital issues, expert analysis and solutions to help you stay ahead of developments in the industry.