Closed Bug 317130 Opened 19 years ago Closed 19 years ago

ActiveX Flash Player running on embeded WMP plug-in

Categories

(Core :: Security, defect)

x86
Windows 2000
defect
Not set
critical

Tracking

()

VERIFIED INVALID

People

(Reporter: masayuki, Assigned: dveditz)

Attachments

(1 file)

This URL http://www.cow-milk.com/up2/source/cow0119.htm returns the following HTML.
--------------------------------------------------------------------------------
<embed src=http://www.cow-milk.com/up2/source/cow0081.m3u width=100% height=100% playcount=0 displaysize=4 type=video/x-ms-asf-plugin>
--------------------------------------------------------------------------------
On Firefox (Win2k/XP), the WMP plug-in is loaded as content. And the m3u file has the following contents.
--------------------------------------------------------------------------------
http://www.renderwahnsinn.com/swf/spyker/config_xml.swf
--------------------------------------------------------------------------------
The WMP plug-in loaded the SWF file using Flash Player, but that is ActiveX. In my environment, IE's ActiveX Flash Player version is 5, which is very old, because I don't use IE. But the IE's non-Secure ActiveX control is loaded on our product. This is very serious.

Isn't there some way that other ActiveX components are loaded on WMP?
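The embed-to-playlist-to-SWF chain from the report above, as an added example that is not part of the original bug report: a Python check that flags WMP plug-in embeds whose M3U playlist lists something other than a media file. The helper names, the media extension allowlist and the second MIME type are assumptions; the playlist body is supplied inline instead of being fetched.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Assumption: MIME types routed to the WMP plug-in; only the first is in the report.
WMP_TYPES = {"video/x-ms-asf-plugin", "application/x-mplayer2"}
# Assumption: extensions accepted as real media; anything else is reported.
MEDIA_EXTS = {".asf", ".wma", ".wmv", ".mp3", ".wav", ".avi", ".mpg", ".mpeg", ".mid"}

class EmbedFinder(HTMLParser):
    """Collect src URLs of <embed> elements typed for the WMP plug-in."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "embed" and (a.get("type") or "").lower() in WMP_TYPES and a.get("src"):
            self.sources.append(a["src"])

def ext_of(url):
    """Lower-cased file extension of the URL path (query string ignored)."""
    return posixpath.splitext(urlparse(url).path)[1].lower()

def playlist_entries(m3u_text):
    """URL lines of an M3U playlist, skipping blank lines and # directives."""
    lines = (line.strip() for line in m3u_text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def audit(html, fetch):
    """Return (playlist_url, entry) pairs where a WMP playlist entry is not media.
    `fetch` maps a playlist URL to its text, so the check can run offline."""
    finder = EmbedFinder()
    finder.feed(html)
    findings = []
    for src in finder.sources:
        if ext_of(src) != ".m3u":
            continue
        for entry in playlist_entries(fetch(src)):
            if ext_of(entry) not in MEDIA_EXTS:
                findings.append((src, entry))
    return findings

# Input copied from the report; the playlist is served from a dict, not the network.
PAGE = ("<embed src=http://www.cow-milk.com/up2/source/cow0081.m3u width=100% "
        "height=100% playcount=0 displaysize=4 type=video/x-ms-asf-plugin>")
PLAYLISTS = {"http://www.cow-milk.com/up2/source/cow0081.m3u":
             "http://www.renderwahnsinn.com/swf/spyker/config_xml.swf\n"}

if __name__ == "__main__":
    for src, entry in audit(PAGE, PLAYLISTS.__getitem__):
        print(f"{src} -> {entry}: non-media playlist entry")
```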
Workaround: We can control the loading of ActiveX controls on WMP from [Internet Options] -> [Security] tab -> [customize] button -> [ActiveX controls and plug-ins]
# I don't know the formal English captions of these items.
which version of firefox?
Latest trunk. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051119 Firefox/1.6a1
I think that this is a security issue of WMP. WMP should not launch ActiveX controls regardless of IE settings, because we don't need to use ActiveX on WMP. (But we need ActiveX on IE for Windows Update.) Shouldn't we stop supporting the WMP plug-in until WMP fixes the issue?
I'm using Win2k + WMP9 and WinXP + WMP10.
This is not a Gecko security bug. But we have this security issue. I think that we have the following issues.

1. We are including the WMP plug-in automatically. That means that some users might not accept using it on Firefox. (bug 193883)
2. Many users might not know that the ActiveX Shockwave Flash plug-in is run on the WMP plug-in.
3. The ActiveX Shockwave Flash player is not installed by the users. Because it includes Windows OS.
4. We cannot disable the use of the ActiveX Shockwave Flash player only on WMP. (If all access for ActiveX is disabled, WMP is not useless for standalone application. Because it's using an ActiveX control for the Music library.)
5. We cannot uninstall the ActiveX Flash player from the UI.
6. Sometimes, a security bug is found in Shockwave Flash player. Many Firefox users may only download the newer NP version of Flash player.
7. Now, we need to update both Flash players on Windows. This is very troublesome.

For our marketing strategy, we cannot disable the automatic install of the WMP plug-in. I think the best approach for this security issue is that the plug-in vendor (i.e., Macromedia) includes the ActiveX version of the plug-in in the NPAPI version plug-in installer. If so, the user doesn't need to update each plug-in twice.

Michelle Sintov: This is a very melancholy issue. Do you have any idea? I hope that Macromedia will include both plug-ins in an installer for NPAPI. (Or, I hope that the ActiveX plug-ins are upgraded by Windows Update automatically. Because we can say that it is a part of WMP.)

I cannot find another ActiveX control running on the WMP plug-in. But this depends on the WMP spec. In future, a newer WMP plug-in may support other ActiveX plug-ins....
Summary: ActiveX(Flash Player) running on embeded WMP plug-in → ActiveX Flash Player running on embeded WMP plug-in
this bug is getting stale. what's the current plan for it?
how does your about:plugins page look? does it have anything with "oleobject" in it?
See this. I cannot find the ActiveX Flash Player is loadable on Firefox.
We can't prevent a media player from hosting other media players within its content, that's strictly their security issue. We'll talk w/Macromedia about the possibility of bundling the .ocx with the NPAPI plugin. Bug 271599 is to deal with the general issue of superseded plugin versions (which wouldn't really help here but is sort of related).
Group: security
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
(In reply to comment #11)
> We can't prevent a media player from hosting other media players within its
> content, that's strictly their security issue.

Yeah, I agree.

> We'll talk w/Macromedia about the possibility of bundling the .ocx with the
> NPAPI plugin.

Yes. I think that we need this solution. (Or if it's possible, it should be updated by Windows Update.)
Status: RESOLVED → VERIFIED
Hi all,

In response to the announcement of critical security flaws in Flash Player, we at Mozilla Japan are preparing to publish an advisory about this issue. If necessary, I can provide its (poor) translation.

# Fix in for 'critical' Flash player flaws
# http://news.com.com/2100-1002_3-6049676.html