Security holes in Firefox due to plugins

Have you though about this:

There are security issues with Firefox plugins. Just one example: a QuickTime drive-by issue which means if I open a QT movie on a malicious site and have QT7.1.3, they can execute whatever code they want on my PC (http://www.macnewsworld.com/story/54953.html). This also applies to the QT plugin. I didn't even know I had one (think it was installed by my codec pack, in an obscure folder)

If I have a plugin instead of the full app (i e, WMP) I can't access any settings AFAIK so it probably can't check for updates (unless it reads my mind). I imagine the "WMP plugin DLL" must have come bundled with Firefox 2.0.

I solved this by specifying only a few, known FULL products (not plugins) in the plugin list (I use JetAudio, Winamp, QT and the Adobe players), and for these I made sure they were set to check for updates often. Which for the Adobe players is done on adobe.com actually (and in 2 different ways..tricky..)

Some files are not even handled according to the plugin list - sometimes it's controlled by Windows settings. That's the case for QT, Shockwave and Flash player on my PC now, which are not in the plugin list anymore, but still work..

Anyone else that missed this giant collection of security holes or am I the only one stupid enough?

 

This is one of the reasons I quit using it.

 

No application, as soon as it's popular enough is going to be bullet proof, as soon as it hits a level of popularity that makes it worthwhile for malicious code writers to undertake writng code to exploit it then they will, Firefox may be simply entering a level of popularity where IE is no longer running decoy.

 

I know no app is bullet proof. I had it installed over a year and it had a terrible memory leak. There forum was full of tons of people complaining about this but it was never fixed. They wouldn't even acknowledge that there was a problem. So until they recognise that there is a problem and fix it properly...I would never use it.

Besides once I used Opera I liked it much better.

 

I'm curious, how is this a firefox only problem?

Doesn't Opera use QT plugins?

However, I did notice that firefox seems to come with a build in QT plugin even if you don't have QT installed??

 

Yes, Opera (9.22) has QT plug-in even without QT installed...

 

It's a well known problem and has been for a while. Firefox shouldn't be using 381,758KB in the task manager. Now whether they fixed it since I last had it installed I don't know and don't care either way. I didn't use crap loads of plug ins either.

If you look around in there forum you find the info.

 

It's probably a problem for most browsers. This is not an attempt to make Firefox look bad, I still have it as my primary browser, but anyone interested in internet security should either find this scary or tell me I got it wrong.

I removed the "Windows Media Player plugin DLL" completely from my list of Firefox plugins - I have no idea how to access that plugin's settings -, and replaced it with JetAudio. I have the latest Windows Media Player as well, but as far as i understand, the WMPlayer is an exe file and the WMP Plugin is a DLL file, and the dll doesn't get updated because I update the exe, or affected by it's settings.

I tried to check my plugins: in my folder C:\Program\Mozilla Firefox\plugins there are 2 plugins for real player (which is equally scary, but I already solved this by using JetAudio instead, it's one of the few alternatives to RealPlayer, I just forgot I did this - and if you don't like JetAudio for some reason, like I do, there's also "Real Alternative"). But there are no plugins that seem to be the Windows Media Player in that folder! Googling makes me think it should probably be called either np-mswmp.dll or npdsplay.dll. I searched my whole C: for these, and found two copies of npdsplay.dll, one in C:\Program\Windows Media Player and one in C:\WINDOWS\system32\dllcache, both identical and both dated 2005-11-29! I would think it has not been updated lately! My PC has had a complete re-install this year, by I suppose it could have come with XP.

To me it seems the plugin business is a mess, and it feels MUCH better to not use any plugins at all, exchange them all for exes which you have control over.

I think it would be better to stop making plugins and just make complete exe files, or at least plugins with some sort of control panel, so that you can always access it's settings and make sure it gets updates. All apps which can make direct contact with the internet need to be on auto-update. I can find the QT control panel when I look for it in semi-weird places, but I sure can't find any for WMP or RealP.

Or did I miss anything. Seems pretty convincing to me, but only a fool is ever totally convinced when it comes to PCs....

By the way, Firefox uses 51MB on my PC.

 

Can these not be disabled in Firefox and only enabled on a site specific basis?
Surely all browsers use plugins?
BTW I'm not anging for a fight about FF, I don't use it anymore. Just curious on what's out there.

 

The more popular Firefox gets, the more people will continue to pick and poke at it till it eventually has the same reputation that IE 6 has had in the past...

 

Hello,

1. I see no problems with plugins ... they are updated when you update your local software and replace the dlls.

2. Memory leak did not happen to everyone, only certain people.

3. Firefox is bulletproof and stories about how it's gonna ... x y x blah ... are merely spreading the FUD. You say how can I claim this? Well, simply because there is no existing exploit that can trigger remote drive-by in Firefox.

4. Firefox is semi-sentient. If you love it, it will love thee. I have found this to be true for most software. If you love it and cherish it and praise it, the software will behave to you. This is a reason why I have encountered almost zero bugs with most of the programs I use.

Mrk

 

If an important update is available, you will not know about it. The only sensible way is to have automatic check for updates, for all programs with internet access.

I'm not talking about Firefox itself, I'm talking about plugins associated with Firefox. If you browse with Firefox to a malicious or hijacked site with a QT movie on it and watch that movie, then the QT plugin will be activated and you're screwed

This thread is not about which browser is "da best". I put Firefox in the heading since that's what I use but this is probably valid for all browsers that use plugins, unless they check for updates for it's plugins, which Firefox doesn't. I don't know how IE works. But I wouldn't change default browser to IE. What I would suggest is look your plugins over.

Seems noone yet even admits this is a major problem. One giant reason why people use Firefox is because it's safer. Firefox not using ActiveX, Mozilla updating bugs really quickly, etc makes it a good choice regarding safety. But what's the point if Mozilla swiftly remove one bug every month if at the same time there are 20 unfixed exploits for the plugins. Firefox without updated plugins is safe only as long as you don't play any sounds, watch any movies etc, while browsing.

 

I beg to differ.

http://mywebpages.comcast.net/SupportCD/FirefoxMyths.html

But then again I do not use FF and never will.

Nothing is bulletproof.Nothing.

 

Hello,
That site is nothing but pure propaganda.
And Mozilla is not responsible for QT, Adobe or anyone else.

edit: SHOW ME ONE WEBSITE THAT CAN TRIGGER REMOTE DRIVE-BY IN FIREFOX. NOT JUST EMPTY WORDS - ONE WORKING LIVING MALICIOUS EXAMPLE. THANK YOU.

Mrk

 

You do know that Aboutlugins will show you what plugins are running right?. I *think* there is a way to selectively disable plugins, but I suppose you could just go into the plugin directory and delete the files.

If you want plugins to run only in certain sites, NoScript I think has an option to do that.

No idea about WMP, but with QT, if you update QT it will update the plugins as well (i checked same for realplayer also). So this reduces to the normal problem of keeping stuff on your computer patched.

What I was surprised to find is that on one of my machines without QT installed, there was a old QT plugin that was capable of running clips??

I have the same date for npdsplay.dll. Version listed is 3.0.2.629. Are you sure there is a later version?

Well trade-off you know...

 

Well you don't know if it is the latest version, do you? How fix that? If not by downloading the full exe an setting it to auto update, or replace it with another player?

Seems the latest version is from April 13th 2007 and that the official download site (redirected to by M$) is http://port25.technet.com/pages/windows-media-player-firefox-plugin-download.aspx.

But that's not the point. Apparently there's a risk you are vulnerable to whatever bugs WMP has had since 2005, and you can go download that plugin right now, but then they might find a new bug and make a new update tomorrow, or next week. So you need (have I said it before) aauutooo-updating. And can you get that from a plugin? I can't find settings for it anyway.

Well no. I'm talking about what can be the effects if you only have the plugin (but your tests are intersting to know of). You are now saying that you also have the full exes. Don't know why you bother to use the plugins then, but that's not very interesting. Point is apparently you have the exes, and if you've set them to update and allow them through your firewall, then you are as safe as it gets, for those players. But the reason you have the exes is probably that you're interested in using RM and QT players, so you downloaded them for that reason. But anyone not doing that will just have the plugins, and they are not very safe, it seems. Like you, on that other computer. Do you believe your computer with the QT plugin is safe?

Thanks for reminding me of the old about: commands, I never can remember them. If you know of a list it'd be nice. And I see several in the list I'd like to fully disable, do you know how to do that?

The RTSP exploit for QT is apparently wide spread (http://vil.nai.com/vil/content/v_142501.htm) through the mpack (http://en.wikipedia.org/wiki/MPack_(software)) but this is just ONE example. I also know WMP has had serious exploits. If you want lists they can be found for example at http://www.milw0rm.com/platforms/windows .

And Mr Massive Poster, asking to show a web site that has this exploit is just so... What would you do if I did? I'm sure you'd browse there and start clicking all QT movies wouldn't ya?

 

Propaganda, no more like reality.

You keep saying FireFox is bulletproof,if you have it you are safe anywhere on the web. That would be nice.
Sorry but thats just a false sence of security.

 

Can Pedro and the likes please take that debate to a different thread?

Stick to plugins or be gone.

 

I roger that... deleted

 

Hello,

I was talking on topic. You can consider all programs as "plugins" in an operating system, in a way. So? Is Microsoft, for example, responsible for how Skype people design their tool?

Firefox / other browsers do not have their own built-in players and such. So they must use third-party tool. And if these are bugged ... well ... The developers of the browser can do their best to try to sandbox their application as much as possible, but when you leave the folder of the native application, you venture into the waters of murky, proprietary dlls that you cannot fully control.

An analogy: blaming a car company for a burst tyre. Do you expect the car company to have control over it?

Same here. You can try to maximize compatibility etc, but it's up to the user to make sure his system is not vulnerable.

And offtopic, LoneWolf, I want code - written code - and links that prove me wrong. Until then, my "false" sense of reality is THE reality. Wth Firefox you are more than safe anywhere on the web. I have done it a million times. It's up to you, to provide evidence in the court of law, incriminating the innocent-until-proveb-guilty suspect.

Mrk

 

Thanks Pedro.

Kvonic, you were partly and half on topic. Regarding cherishing Firefox, could you please go start a different thread. I have lots to say on the subject, and will happily join your thread (not the sect), but for this thread, it ends now.

Of course Mozilla is not responsible for plugins, but being marketed as safer, they could well provide the service to check available updates for the plugins (at least the most common ones), or at the very least mention this problem and their solution for it so people don't miss it. Because they sure do recommend those plugins. And if they don't recognize the problem, who will? Same way as your car dealer may well tell you recommended tire wear before exchanged, even though it's not his responsibility, because if he's truly interested in the customer being safe, he would do what he can. And the repair shop responsible for servicing the car, even if under guarantee and paid for by the manyfacturer, should of course do their best to warn about any security threats, including bad tires, if they are aware of them. If maybe the majority (my guess) of Fx users aren't safe because of their plugins, then it would be good to try to improve the situation; arguing the responsibility won't solve it I'm sure.

What you call offtopic to the wolfe in your last post seems to actually be on topic even if just repeating yourself, and my comment is: you will not get links to exploiting sites. I gave you THREE links to follow to learn what the RTSP exploit is, what mpack is and how common it is with paid updates and all, and also a complete list of other real threats that apply to several plugins. That information is better than links to sites with exploits of Firefox plugins (exploits of Firefox itself is not on this thread, you know), and milw0rm does even provide the code. I suggest you sit down an read all that for a few hours and come back better educated.

 

An example can be found here. And it also applies to Opera. However, it can be prevented in FF by using Noscript, and a fix by Sun should be available soon.

Don't get me wrong: I'm a convinced Firefox supporter and I never use IE (least of all on my Kubuntu machine ), but maintaining that FF is 100% safe is too simplicistic. On the other, any bugs discovered are usually fixed within a few days, while it took sometimes many months in the case of IE. Thus, any possible exploits are more or less irrelevant as long as you keep your FF always updated. And since new bugs are mostly Javascript or Java or plugins related, Noscript is an excellent protection against many zero-day attacks.

 

Hello,
I'm gonna post my answers in another thread.
Mrk

 

It's actually quite simple. Keep your programs up-to-date and fully patched and you will be safe from most of those exploits.
QT 7.1.3 is not the latest version, the latest is 7.2

 

Yes exactly. So if anyone sees that he has QT7.1.3 in the plugins list, then it's time to get scared - and I bet you are a few! I even checked it with the Fx support forum, and the 7.1.3 plugin is vulnerable to the RTSP exploit, just like the 7.1.3 exe.

And exactly how do you keep a plugin up-to-date, if you can't set it to auto update? Supernatural plugins? I see only one good solution (again): Get rid of the plugin, and get the exe instead, because this you can set to auto-update.

I suspect the majority of the Fx users have un-updated plugins either without realizing it or because not being able to access settings to make it update itself. Where do they come from? I think real player and adobe flash player came with Firefox. The WMP plugin I'm guessing comes with Windows. QT plugin I suspect came with the K-Lite Codec pack, which is very popular. I also have a Zylom plugin, which I suspect was installed by a game I bought called Chicken Invaders. VLC Player has added a plugin. And then there's 2 M$ DRM network i/f plugins, wonder how they got here, I certainly never approved them, but they probably belong to WMP (M$ "Digital Rights Management"). All of these are security holes in Firefox on my PC, as far as I can see.

I can't understand you guys not getting upset over this, it's a much greater security hole than 99% of the posts in this forum, both from a user's point of view and for the Firefox community.

You should add it to the ToDo list when installing Windows on a new PC:
- Decent firewall, AV, antispyware, and check the settings
- antirootkit and guard of register and some files & folders (hosts file etc)
- Replace default browser with e g Firefox. Add Noscript or disable java.
- Maybe some more tweaking of Windows (shut down some services etc)
- Set auto-update on all apps with www access
- Hm. Am I done? NO! You have like 5 or 10 major security holes left! All of the above may well be in vane! Many on this forum like playing with multiple AVs, ASs, ATs, ARKs etc. What's the point, if not fixing the MAJOR stuff first!

If anyone new should join here who would actually be interested in fixing this problem on his/hers PC, then I googled this instruction, which complements just changing plugins to exes in the Firefox settings: http://plugindoc.mozdev.org/faqs/uninstall.html