1222130 - Blocklist Real Player for Windows (17.0.10.7 and lower)

Status: RESOLVED FIXED

(Toolkit :: Blocklist Policy Requests, defect)

Description

[Jorge Villalobos [:jorgev] (he/him)]

Per bug 1081644 and http://service.real.com/realplayer/security/06272014_player/en/, we need to block the vulnerable versions of the Real Player plugin.

For Windows, it's versions 17.0.10.7 and lower and for Mac OS it's versions 12.0.1.1737 and lower.

Comment 1

[Jorge Villalobos [:jorgev] (he/him)]

Kamil, for this bug I need the plugin install information from about:plugins, for Windows and Mac OS. I need the file name and the version number, to make sure it's correctly reported.

Comment 2

[Kamil Jozwiak [:kjozwiak]]

It seems like RealNetworks doesn't keep extensive archives of RealPlayer.. I tried looking around but only found [1]. I also tried searching several third party websites [2] [3] (and many more) but most of those are really sketchy and don't have close to the version that I'm looking for. I'll try looking through the archive.org results and see if the version we're looking for is somewhere in there.

Jorge, do you need to know the exact entries in about:plugin using 17.0.10.7 (PC) & 12.0.1.1737 (OSX) or could it be any versions that are close to those builds? Maybe we can email RealNetworks and see if they they keep an archive somewhere?

[1] https://customer.real.com/hc/en-us/articles/204040003-Download-previous-version-of-RealPlayer
[2] http://www.majorgeeks.com/mg/sortname/video_players.html
[3] https://archive.org/search.php?query=real%20player

Comment 3

[Jorge Villalobos [:jorgev] (he/him)]

It should be good enough to get the information for relatively recent versions. I doubt they change their metadata format very frequently.

Comment 4

[Kamil Jozwiak [:kjozwiak]]

I'm having problems finding a relatively recent version of RealPlayer for OSX... Downloading the DMG from their official site [1] installs version 2.0.10 (2.0.10.89) but I couldn't get anything listed under fx42 in about:plugins/about:addons. I did download RealPlayer SP 12.0.1 (1750) from [2] which I listed below. Unfortunately it looks like FX is listing all older versions of RealPlayer as "Version: 0.0.1d1". I'm assuming this is going to cause issues with the blocklisting :/

Jorge, is this enough information? Let me know if there's anything else that I can do.

[1] http://www.real.com/
[2] https://customer.real.com/hc/en-us/articles/204040003-Download-previous-version-of-RealPlayer

Windows 10 x64:
===============

RealTimes Download Plugin

File: nprpplugin.dll
Path: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll
Version: 18.1.2.175
State: Enabled
RealTimes Download Plugin

RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit)

File: nppl3260.dll
Path: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll
Version: 18.1.2.175
State: Enabled
RealPlayer(tm) LiveConnect-Enabled Plug-In

RealPlayer Download Plugin

File: nprpplugin.dll
Path: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll
Version: 16.0.3.51
State: Enabled
RealPlayer Download Plugin

RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit)

File: nppl3260.dll
Path: C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll
Version: 16.0.3.51
State: Enabled
RealPlayer(tm) LiveConnect-Enabled Plug-In

OSX 10.10.1 x64:
================

RealPlayer Plugin.plugin (appearing as Version 12.0.1 (1750) under "About RealPlayer")

File: RealPlayer Plugin.plugin
Path: /Applications/RealPlayer.app/Contents/MacOS/RealPlayer Plugin.plugin
Version: 0.0.1d1
State: Enabled
RealPlayer Plugin

RealPlayer Plugin.plugin (appearing as Version 12.0.0 (1444) under "About RealPlayer")

File: RealPlayer Plugin.plugin
Path: /Applications/RealPlayer.app/Contents/MacOS/RealPlayer Plugin.plugin
Version: 0.0.1d1
State: Enabled
RealPlayer Plugin

Comment 5

[Jorge Villalobos [:jorgev] (he/him)]

Okay, given the provided information, I don't think we can effectively block the plugin on Mac OS. I'll block the old versions for Windows, at least.

Comment 6

[Jorge Villalobos [:jorgev] (he/him)]

The block is now live: https://addons.mozilla.org/blocked/p1053

Comment 7

[myfamhas7@yahoo.com]

I'm using Firefox and it has blocked my Adobe Flash and won't let me re-install it. Causing major issues as I can't get on some of my gaming sites. Have tried loading the updates 10 times and always fails half-way through. What can I do?  Won't re-activate them from the tools dropdown either. I'm using Windows XP pro'

Comment 8

[Kamil Jozwiak [:kjozwiak]]

(In reply to myfamhas7@yahoo.com from comment #7)
> I'm using Firefox and it has blocked my Adobe Flash and won't let me
> re-install it. Causing major issues as I can't get on some of my gaming
> sites. Have tried loading the updates 10 times and always fails half-way
> through. What can I do?  Won't re-activate them from the tools dropdown
> either. I'm using Windows XP pro'

This bug shouldn't have caused your issue as it's related to blocking vulnerable versions of Real Player and not flash. In your URL bar, type in about:plugins and ensure that the version that's being listed also matches the latest version that Adobe has released [1].

I double checked and ensured that the latest version of flash is still working with 52.0.2esr, which is the only supported version of Firefox for XP/Vista [2]. Here's an example of what's appearing under about:plugins:

> Shockwave Flash
> File: NPSWF32_25_0_0_148.dll
> Path: C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_148.dll
> Version: 25.0.0.148
> State: Enabled
> Shockwave Flash 25.0 r0

I know it's easier said than done, but I highly suggest you update to a newer OS. Microsoft has stopped supporting XP for a while and Mozilla recently announced it's dropping support for XP/Visa. However, the latest ESR version should still work.

[1] http://www.adobe.com/software/flash/about/
[2] https://support.mozilla.org/t5/Install-and-Update/Important-Firefox-is-ending-support-for-Windows-XP-and-Vista/ta-p/31270