Closed Bug 1264874 (quicktimeforeverday) Opened 4 years ago Closed 4 years ago

Plugin block request: QuickTime on Windows due to critical vulnerabilities that will never be fixed

Categories: Toolkit :: Blocklist Policy Requests, defect, major (Windows)

Status: VERIFIED FIXED

People: Reporter: hsivonen, Assigned: jorgev

http://blog.trendmicro.com/urgent-call-action-uninstall-quicktime-windows-today/ says:
"Second, our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows. These advisories are being released in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability. And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched."

Please blocklist all versions of the QuickTime plug-in on Windows to protect users from the above-mentioned vulnerabilities that won't be fixed.
Alias: quicktimeforeverday
Summary: Block QuickTime plug-in due to critical vulnerabilities that will never be fixed → Plugin block request: QuickTime on Windows due to critical vulnerabilities that will never be fixed
See Also: → 1264875
The above article links to https://support.apple.com/en-us/HT205771 where Apple itself says:
"Websites increasingly use the HTML5 web standard for a better video-playback experience across a wide range of browsers and devices, without additional software or plug-ins. Removing legacy browser plug-ins enhances the security of your PC."
Assignee: nobody → jorge
Pushed live: https://addons.mozilla.org/en-US/firefox/blocked/p1151

Kamil, please verify.
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(kjozwiak)
Resolution: --- → FIXED
Windows 10 x64:

File: npqtplugin.dll,npqtplugin2.dll,npqtplugin3.dll,npqtplugin4.dll,npqtplugin5.dll
Path: C:\Program Files (x86)\QuickTime\Plugins\npqtplugin.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin2.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin3.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin4.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin5.dll
Version: 7.7.9.0
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
-> Checked Logging: Blocklist state for QuickTime Plug-in 7.7.9 changed from 0 to 5
-> Correctly being pointed towards: /firefox/blocked/p1151
-> Ensured you cannot select "always active" under about:addons
-> Build used: 45.0.2 m-r, buildID: 20160407164938 changeset: e35da3da61cb

Windows 8.1 x64:

File: npqtplugin.dll,npqtplugin2.dll,npqtplugin3.dll,npqtplugin4.dll,npqtplugin5.dll
Path: C:\Program Files (x86)\QuickTime\Plugins\npqtplugin.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin2.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin3.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin4.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin5.dll
Version: 7.7.9.0
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
-> Checked Logging: Blocklist state for QuickTime Plug-in 7.7.9 changed from 0 to 5
-> Correctly being pointed towards: /firefox/blocked/p1151
-> Ensured you cannot select "always active" under about:addons
-> Build used: 48.0a1 m-c, buildID: 20160420030213 changeset: f05a1242fb29

Windows Vista x64:

File: npqtplugin.dll,npqtplugin2.dll,npqtplugin3.dll,npqtplugin4.dll,npqtplugin5.dll
Path: C:\Program Files (x86)\QuickTime\Plugins\npqtplugin.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin2.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin3.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin4.dll,C:\Program Files (x86)\QuickTime\Plugins\npqtplugin5.dll
Version: 7.7.9.0
State: Enabled (STATE_VULNERABLE_NO_UPDATE)
The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
-> Checked Logging: Blocklist state for QuickTime Plug-in 7.7.9 changed from 0 to 5
-> Correctly being pointed towards: /firefox/blocked/p1151
-> Ensured you cannot select "always active" under about:addons
-> Build used: 46.0b9 m-b, buildID: 20160407053945 changeset: b007110e9005

OSX 10.11.4 x64:

File: QuickTime Plugin.plugin
Path: /Library/Internet Plug-Ins/QuickTime Plugin.plugin
Version: 7.7.3
State: Enabled
The QuickTime Plugin allows you to view a wide variety of multimedia content in web pages. For more information, visit the QuickTime Web site.
-> Checked Logging: Blocklist state for QuickTime Plug-in 7.7.3 changed from 0 to 0
-> Build used: 48.0a1 m-c, buildID: 20160420030213 changeset: f05a1242fb29
Looks like the block is working as expected. Downloading the latest QuickTime plugin [1] from Apple on Win will show the plugin as vulnerable/blocked under about:addons. Results are listed under comment # 3.

The only thing I did notice was that there were two entries being displayed under the browser console when pinging the live blocklisting server, example:

* Blocklist state for QuickTime Plug-in 7.7.9 changed from 0 to 5 (correct)
* Blocklist state for QuickTime Plug-in 7.7.9 changed from 0 to 0 (incorrect)

Created bug # 1266190 to address that issue.

[1] http://www.apple.com/ca/quicktime/download/
Status: RESOLVED → VERIFIED
Flags: needinfo?(kjozwiak)
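
The console check from the verification comments above, as an added example that is not part of the original bug or Mozilla's code: it decodes the numeric states in "Blocklist state for ... changed from X to Y" lines and flags a plug-in version that reports two different end states, as noted for 7.7.9. The state names follow the `nsIBlocklistService` constants (the page itself pairs 5 with STATE_VULNERABLE_NO_UPDATE); the function names and the sample log are constructed for illustration.

```javascript
// Numeric blocklist states as defined by nsIBlocklistService.
const BLOCKLIST_STATES = {
  0: "STATE_NOT_BLOCKED",
  1: "STATE_SOFTBLOCKED",
  2: "STATE_BLOCKED",
  3: "STATE_OUTDATED",
  4: "STATE_VULNERABLE_UPDATE_AVAILABLE",
  5: "STATE_VULNERABLE_NO_UPDATE",
};
const stateName = (n) => BLOCKLIST_STATES[n] || `UNKNOWN_${n}`;

// Constructed sample: the line formats quoted in the verification comments.
const SAMPLE_LOG = [
  "Blocklist state for QuickTime Plug-in 7.7.9 changed from 0 to 5",
  "Blocklist state for QuickTime Plug-in 7.7.9 changed from 0 to 0",
  "Blocklist state for QuickTime Plug-in 7.7.3 changed from 0 to 0",
].join("\n");

const LINE_RE = /Blocklist state for (.+?) changed from (\d+) to (\d+)/;

// Turn console text into structured entries; non-matching lines are skipped.
function parseBlocklistLog(text) {
  const entries = [];
  for (const line of text.split(/\r?\n/)) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const to = Number(m[3]);
    entries.push({ plugin: m[1], from: Number(m[2]), to, state: stateName(to) });
  }
  return entries;
}

// Report plug-in versions whose log lines disagree about the resulting state.
function findConflicts(entries) {
  const seen = new Map();
  for (const e of entries) {
    if (!seen.has(e.plugin)) seen.set(e.plugin, new Set());
    seen.get(e.plugin).add(e.to);
  }
  const conflicts = [];
  for (const [plugin, states] of seen) {
    if (states.size > 1) {
      const names = [...states].sort((a, b) => a - b).map(stateName);
      conflicts.push({ plugin, states: names });
    }
  }
  return conflicts;
}
```
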

Well, then...

I know these are two different Plugins, but anyway...
How does this (quote):

"Henri Sivonen (:hsivonen) (not reading bugmail until 2019-08-05)
Reporter
Comment 1 • 3 years ago

The above article links to https://support.apple.com/en-us/HT205771 where Apple itself says:
"Websites increasingly use the HTML5 web standard for a better video-playback experience across a wide range of browsers and devices, without additional software or plug-ins. Removing legacy browser plug-ins enhances the security of your PC."

...make any sense with/compared with THIS (quote) straight from my Firefox-Plugins:

"OpenH264 Video Codec provided by Cisco Systems, Inc. 1.6

This plugin is automatically installed by Mozilla to comply with the WebRTC specification and to enable WebRTC calls with devices that require the H.264 video codec. Visit http://www.openh264.org/ to view the codec source code and learn more about the implementation."

Here's also a link to "The Mozilla Blog", where they embrace Cisco's plugin/codec.
https://blog.mozilla.org/blog/2013/10/30/video-interoperability-on-the-web-gets-a-boost-from-ciscos-h-264-codec/

...yet it is CISCO itself as a manufacturer who has endangered some ROUTERS (in a way that no browser/firewall/Antivirus can prevent/repair).
My systems: Router, WLAN, Wi-Fi, Three Laptops, Three Desktops, and all the other equipment in the Wi-Fi were impacted, including three Smartphones, three Tablets and one Smartwatch. Luckily I had not put my Pioneer AV Home theater & BluRay into utilizing the internet capabilities... But still, the total damage and costs are MASSIVE.

https://nvd.nist.gov/vuln/detail/CVE-2019-1663#VulnChangeHistorySection ...there is a list "mile-long" of observations...

https://www.google.com/search?q=CVE-2019-1663&source=lnms&sa=X&ved=0ahUKEwiuptCsoKPjAhVimYsKHYOWBMUQ_AUICygA&biw=1366&bih=628&dpr=1

(In reply to SML from comment #5)

"Just one more thing"...

How to remove Cve-2019-1663 trojan
http://it-help.info/how-to/adwares/5321-how-to-remove-cve-2019-1663-virus
