Closed Bug 1164948 Opened 9 years ago Closed 9 years ago

Sign eme-adobe.dll CDM using Authenticode

Categories

(Core :: Audio/Video, defect, P2)


RESOLVED FIXED
Tracking Status
firefox38 --- wontfix
firefox38.0.5 --- fixed
firefox39 --- fixed
firefox40 --- fixed
firefox41 --- fixed

People

(Reporter: cpeterson, Unassigned)

References

(Blocks 1 open bug)

Details

As reported on Hacker News [1], gmpopenh264.dll and eme-adobe.dll are not signed. These DLLs are loaded from AppData, a folder with read/write permissions but not execute permissions.

Windows can be configured to *only* run signed programs, which would break the Adobe CDM. Bob says you can configure Windows to only run signed programs in the security policy mmc snap-in.

The reporter also asked for a "Publisher rule attached". What is that? Also, "The lack of a signature is at best an administrative burden and at worst an attack vector depending on how the Admin handles it ("let's just add a wildcard exception")."


[1] https://news.ycombinator.com/item?id=9533260
Component: General → Video/Audio
I don't know a lot about this, but this is the Microsoft page I was looking at:
https://technet.microsoft.com/en-us/library/dd723683%28v=ws.10%29.aspx

Looks like you can add per Publisher rules, amongst other things.
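An added example, not part of the original bug thread: a PowerShell audit that shows which DLLs in a plugin directory carry a valid Authenticode signature and could therefore be allowed by a publisher rule rather than a per-file hash or path exception. The `$PluginDir` default is a placeholder and the function name `Get-DllSigningReport` is hypothetical.

```powershell
# Added example: audit Authenticode status of DLLs in a plugin directory.
param(
    # Assumption: placeholder path; point this at the directory that holds the DLLs.
    [string]$PluginDir = "$env:APPDATA\<path-to-plugin-directory>"
)

function Get-DllSigningReport {
    param([Parameter(Mandatory)][string]$Directory)

    Get-ChildItem -LiteralPath $Directory -Filter *.dll -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

        # SignerCertificate is $null for files with no embedded signature.
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # A publisher rule keys on the signer, so it needs a signature that
        # validates. Anything else leaves only hash rules (which break on every
        # update) or path rules (which trust whatever is written to that path).
        $rule = if ($sig.Status -eq 'Valid') { 'Publisher' } else { 'Hash or Path only' }

        [pscustomobject]@{
            File       = $_.Name
            Status     = $sig.Status
            Signer     = $signer
            UsableRule = $rule
        }
    }
}

$report = @(Get-DllSigningReport -Directory $PluginDir)
$report | Format-Table -AutoSize

# Non-zero exit code so the check can gate a packaging or deployment step.
$notValid = @($report | Where-Object { $_.Status -ne 'Valid' })
if ($notValid.Count -gt 0) {
    Write-Warning ("{0} DLL(s) lack a valid signature and cannot be covered by a publisher rule." -f $notValid.Count)
    exit 1
}
```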
Priority: -- → P2
Summary: Sign GMP plugins → Sign eme-adobe.dll CDM
On our side, do we have anything we can do except to convince ourselves that this is a problem? Are we already convinced enough to ask Adobe to sign the DLL?
Summary: Sign eme-adobe.dll CDM → Sign eme-adobe.dll CDM using Authenticode
We don't have any concrete evidence that there is a problem yet. Anthony volunteered to test Windows' only-run-signed-code configuration.

cpearce already asked Adobe if they could sign their DLL like they do for Flash. They're looking into it.
The best evidence we have is some crash reports of the GMP process where Firefox is a build that would check that the DLL is on disk first before starting the GMP process, and the Adobe DLL is not present in the plugin process, implying that the Adobe DLL is on disk, but we failed to load it.
Joe says Adobe will look into signing the CDM DLL.
Flags: needinfo?(steele)
We are working on integrating this into our build process. ETA is this Friday.
Adobe have delivered a signed GMP.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(steele)
Resolution: --- → FIXED