Add blocklisting (blacklisting) for QuickTime plug-in version 7.1.*

RESOLVED FIXED

Status

()

Toolkit
Blocklisting
RESOLVED FIXED
9 years ago
a year ago

People

(Reporter: Adam Guthrie, Assigned: morgamic)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [server side])

Attachments

(2 attachments, 5 obsolete attachments)

(Reporter)

Description

9 years ago
One of the current topcrashes on trunk is [@ RtlEnterCriticalSection] and having the QuickTime plug-in version 7.1.* seems to be the common denominator (see bug 430576). There are different crashes related to this signature, but the majority of them are the plug-in related one.

This version of QuickTime appears to be pretty old. QuickTime 7.2 appears to have been released in July '07 (http://support.apple.com/kb/HT1263), so I'm not sure why people still have the old version.
(Reporter)

Updated

9 years ago
Blocks: 430576
(In reply to comment #0)
> This version of QuickTime appears to be pretty old. QuickTime 7.2 appears to
> have been released in July '07 (http://support.apple.com/kb/HT1263), so I'm not
> sure why people still have the old version.

I guess I somehow have the automatic update feature disabled, because I haven't seen it on this machine.

Generally I'm supportive of this, assuming we:

 - reach out to Apple (it's just friendly!)
 - test the user experience
Flags: blocking-firefox3?
(Assignee)

Comment 3

9 years ago
Have we reached out to Apple?
Who will test the user experience?
Should we still block this or let people upgrade QuickTime?
(Reporter)

Comment 4

9 years ago
(In reply to comment #3)
> Who will test the user experience?

I have a strong interest in this bug and am willing to do some testing to ensure that it gets fixed. I saw some docs you wrote up for stephend in another bug for testing add-on blocklisting. Presumably, this wouldn't be that different.

> Should we still block this or let people upgrade QuickTime?

The way I see it, we can't count on people upgrading. The new version of QuickTime was released in June '07, so either they canceled the upgrade or it was never offered to them.

Which is worse? Crashing each time you try to use QuickTime or just being shown a nag screen informing you that the plug-in's been disabled because it crashes? I think it makes more sense to nag someone to upgrade than to have them crash all the time without knowing what the heck is going on. This will lead to people switching away from Firefox because it crashes too much and maybe even discouraging using Firefox 3 because it's just too crashy.
If we're going to blocklist any plugins for security reasons (which was the point, after all), old versions of QuickTime should be right at the top of the list (along with old Java and Flash).

We should inform the vendors, but I can't imagine them being unhappy especially if we make it easy for users to upgrade.

Comment 6

9 years ago
I believe basil and kev would need to make this call.  in the meantime, the general plugin blocklist code has already been tested and has been working.
We should clearly do this.  Can someone notify Apple about this (Kev/Basil)
Assignee: nobody → morgamic
Flags: blocking-firefox3? → blocking-firefox3+
Whiteboard: [server side]

Comment 8

9 years ago
I'll verify Apple is aware that it's being considered. 

Comment 9

9 years ago
(In reply to comment #0) 
> This version of QuickTime appears to be pretty old. QuickTime 7.2 appears to
> have been released in July '07 (http://support.apple.com/kb/HT1263), so I'm not
> sure why people still have the old version.

People still have QuickTime 7.1.6 because this is last supported version on Windows 2000. Minimum requirement for 7.2+ is Windows XP.
So, upgrading QuickTime irrelevant here.

Doesn't QuickTime 7.1.6 crash then on Windows 2000?

Comment 11

9 years ago
(In reply to comment #10)
> Doesn't QuickTime 7.1.6 crash then on Windows 2000?

With FF 3.0rc1 there are almost no crashes.
With FF 3.0b5 were a lot of crashes.

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9) Gecko/2008051206 Firefox/3.0 ID:2008051206

Comment 12

9 years ago
(In reply to comment #9)
> People still have QuickTime 7.1.6 because this is last supported version on
> Windows 2000. Minimum requirement for 7.2+ is Windows XP.
> So, upgrading QuickTime irrelevant here.

"Last supported version" could be misunderstood. 7.1.6 is the last version that will run on Windows 2000, but it's no longer supported. Aside from the crash bugs, 7.1.6 also has remote-execution security issues.
(Assignee)

Comment 13

9 years ago
Hey - final word on blocklisting?  If we blocklist 7.1.6 for Windows 2000, then people won't be able to use it at all (given no upgrade).

I'll admit that it doesn't concern me greatly -- people probably shouldn't be using Windows 2000.

Should we proceed with blocklisting 7.1.*?

Comment 14

9 years ago
Yes, let's go ahead and blocklist this - Morgamic, can you do the honors?

Comment 15

9 years ago
Kev,  and feedback from Apple?  Have the right contacts been made there to
inform them?

Comment 16

9 years ago
re comment 14:

I agree, pulling the trigger on during RC would be a good limited test to check out how this works.
(Assignee)

Comment 17

9 years ago
On top of my question in comment #13, are we blocklisting 7.1.* for all versions of Firefox?
(In reply to comment #17)
> On top of my question in comment #13, are we blocklisting 7.1.* for all
> versions of Firefox?
> 

Hey, to be clear, are we talking about blocklisting windows only?  or mac also?

mike, let me know when this is ready to roll.  are you going to stage the fix first so i can test it beforehand? 
(Assignee)

Comment 19

9 years ago
Yea, we can stage on khan or preview.  Want to make sure we don't confuse requirements here first, though.

Comment 20

9 years ago
There are two main reasons why we are BL'ing this. #1: for the Fx3 crashes and #2 for the security issues.

So, I suggest we BL as follows:

Plugin Name/Version: Quicktime 7.1.*
Operating System: Windows (including Windows 2000, XP, Vista)
Firefox Versions: 2.* & 3.*

Comment 21

9 years ago
I'd say that if there is a way to stage the blocklisting so it only is for firefox 3.x it might be good to do that first.  If all goes well for a couple of days extend the blocklisting to Firefox 2.*.

But if that is complicated basil's proposal in comment 20 would work.
It doesn't crash with Firefox2.* version, so I think it would be harmful to blocklist it for those versions.

Comment 23

9 years ago
Martijn, there are two reason to blocklist this plugin. #1 for crashing and #2 for security problems (see comment 5) including Fx 2.

For a list of various security issues with the QT 7.1 series and fixes that QT 7.* series resolved, see http://support.apple.com/kb/index?page=search&src=support_site.kbase.search&q=security%20content%20quicktime

Comment 24

9 years ago
(In reply to comment #13)
> I'll admit that it doesn't concern me greatly -- people probably shouldn't be
> using Windows 2000.

Why not? I'm still using Windows 2000 and I'm still very happy with it. I don't plan to upgrade to XP nor Vista.
(Assignee)

Comment 25

9 years ago
Because Apple doesn't support that plugin on that operating system anymore and it has security holes in it.  You can always still use the plugin by disabling blocklisting.  There is a pref to set to false: extensions.blocklist.enable -- if you're using Windows 2000 and Quicktime 7.1.6, blocklisting is probably not going to help/hurt much.
Plugin blocklisting is new in Firefox 3.  You can't block it in Fx2 (no matter how hard you try).

Comment 27

9 years ago
Sorry, I was mixing up with add-on blocklisting. So, here's the revised request.

Plugin Name/Version: Quicktime 7.1.*
Operating System: Windows (including Windows 2000, XP, Vista)
Firefox Versions: 3.*

(Morgamic outlined in comment 25 how W2K users who have to/insist to use this plugin can disable BL'ing).
Well, since the Quicktime 7.1.* version is crashing Firefox 3, I don't see how they would be able to use the plugin there, anyhow. But I think it's good that it's not disabled for Firefox 2 users.

One thing that concerns me a little bit. The Quicktime 7.1.* plugin didn't crash on Firefox 2 and older Firefox 3 builds, but it did crash with newer Firefox 3 builds.
Boris, is that normal? Who is to blame for that?
(Reporter)

Comment 29

9 years ago
Martijn, see bug 416521 comment 12 (and other comments). This crash was introduced after jemalloc was enabled on Windows and is most likely due to binary extensions directly using the system's malloc, which doesn't play nice with jemalloc. There's simply nothing we can do about it except disable the faulty plug-in.

Comment 30

9 years ago
> Boris, is that normal? 

Not so much.  ;)

> Who is to blame for that?

Adam probably has this part right: the plug-in is misusing the memory allocator and can no longer get away with it.

Updated

9 years ago
Blocks: 434752
Can we get this blocklisted earlier rather than later so that we can make sure it works before we release?
(Assignee)

Updated

9 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 32

9 years ago
This is going to be a little more difficult because the original blocklist spec for plugins didn't call for OS-specific behavior.  So I'm working on:
1) adding OS_VERSION information to the blplugins table
2) parsing schema 2 data, passed by beta5-ish and higher
3) adjusting queries to pull the correct plugin blocklist data based on OS

I think this is a case where we are assuming plugin blocklisting works per OS.  The original blocklist URL never even passed OS_VERSION until we fixed bug 430120 and subsequently bug 430278 -- so the fact that we have OS_VERSION at all is sort of a coincidence.

Anyway, ETA is tomorrow.
(Assignee)

Comment 33

9 years ago
...or we could just blocklist 7.1.* for all platforms:
http://docs.info.apple.com/article.html?artnum=305947
(Assignee)

Comment 34

9 years ago
Since we can key off filename, it pinpoints Windows -- so we don't have to make plugin blocklisting platform-specific yet.  Filed bug 438287 for that, but it doesn't block this one since quicktime's filename on Windows is unique -- npqtplugin7.dll.  That plus a match on name should suffice.
(Assignee)

Comment 35

9 years ago
Additional note - bug 393285 added support for this in the plugin blocklist XML, but bug 438287 still needs to be resolved to add full support for this on the server-side.  I asked Dave to update our doc for the blocklist XML to cover the changes here:
http://wiki.mozilla.org/Extension_Blocklisting:Code_Design
(Assignee)

Comment 36

9 years ago
Created attachment 324414 [details]
v1, sample blocklist.xml for testing

Tony - this is the sample blocklist document.  We need to test this tomorrow.  Let me know when you have time and I'll get staging set up.
Attachment #324414 - Flags: review?
(Assignee)

Updated

9 years ago
Attachment #324414 - Flags: review? → review?(tchung)
(Assignee)

Comment 37

9 years ago
Created attachment 324415 [details]
qt blocklist sql, for reference
(Assignee)

Comment 38

9 years ago
Created attachment 324416 [details]
qt sql, correct dates
Attachment #324415 - Attachment is obsolete: true
(Assignee)

Comment 39

9 years ago
Created attachment 324533 [details]
v2, blocklist.xml as a result of testing

This is the working XML output as tested by tchung and ispiked.
Attachment #324414 - Attachment is obsolete: true
Attachment #324414 - Flags: review?(tchung)
(Reporter)

Comment 40

9 years ago
I had a long comment typed up describing what Tony and I tested this afternoon, then I crashed. But suffice to say that we tested this thoroughly and think it's ready to go live (with a small update to the blocklist.xml file regexps that morgamic is aware of).
(Assignee)

Updated

9 years ago
Depends on: 438428
(Assignee)

Comment 41

9 years ago
Created attachment 324537 [details]
qt sql, updated name and filename match exps
Attachment #324416 - Attachment is obsolete: true
(Assignee)

Comment 42

9 years ago
I added a dependency on bug 438428 because we found that we can't have a match element without an exp attribute.  It's a quick fix, shouldn't add any additional delay.
agree with Adam.  the testcase in comment #39 is indeed fixed and working now.  We'll standby for testing this after it goes live.  (In reply to comment #40)
> I had a long comment typed up describing what Tony and I tested this afternoon,
> then I crashed. But suffice to say that we tested this thoroughly and think
> it's ready to go live (with a small update to the blocklist.xml file regexps
> that morgamic is aware of).
> 

agree with Adam.  the testcase in comment #39 is indeed fixed and working now.  We'll standby for testing this after it goes live.  

Verified against Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
(Assignee)

Comment 44

9 years ago
This is live:
https://addons.mozilla.org/blocklist/1/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/3.0/
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 45

9 years ago
> This version of QuickTime appears to be pretty old. QuickTime 7.2 appears to
> have been released in July '07 (http://support.apple.com/kb/HT1263), so I'm not
> sure why people still have the old version.
> 
People that are still running Windows 2000 on some older machines, like myself, have no possibility of upgrading to newer Quicktime plugin versions since the industry-wide support-stop that coincided with the introduction of Windows Vista.

No big worry however, because I will be "upgrading" to Ubuntu Linux soon ;-)

Comment 46

9 years ago
It's great that Serge is shifting to Ubantu Linux soon, so no big worry for HIM.

I, however, have a well-operating windows 2000, and it works fine. But now I can't use Firefox for YouTube or videos on MySpace, two of my favorite internet hang-outs. 

This blocklist makes Firefox now impractical for me. Do you guys get a commission from Microsoft for selling Vista?

Is there a way to reinstall Firefox 2?
Isn't the problem with Firefox3, which can't use Quicktime?

Comment 47

9 years ago
(In reply to comment #46)
> now I can't use Firefox for YouTube or videos on MySpace, two of my
> favorite internet hang-outs. 

As far as I know, both of those sites use Flash, not Quicktime, so that problem has nothing to do with this bug.

> Is there a way to reinstall Firefox 2?
> Isn't the problem with Firefox3, which can't use Quicktime?

The problem is with older versions of Quicktime, and because Apple isn't making new versions of Quicktime for Windows 2000, it's never going to be fixed.  If you want, you can undo this blocking as described in comment 25 so you can use the old versions. You can certainly also reinstall Firefox 2. If you want help, http://support.mozilla.com is the place to ask.

Comment 48

9 years ago
Thanks for that feedback, Michael.

I have no idea what was happening with YouTube...it works, now. I thought it was the quicktime.

Thanks also for the links!

Much appreciated!
Have a great day!

Comment 49

9 years ago
(In reply to comment #47)
> The problem is with older versions of Quicktime, and because Apple isn't making
> new versions of Quicktime for Windows 2000, it's never going to be fixed.  If
> you want, you can undo this blocking as described in comment 25 so you can use
> the old versions. You can certainly also reinstall Firefox 2. If you want help,
> http://support.mozilla.com is the place to ask.

It would be nice if the Add-ons/Plugins dialog provided a way around this on a per-plugin basis.  I'm using a work-provided laptop, so upgrading/replacing my current Windows 2000 is problematic.  All of my company's internal web pages are labeled "IE only", and I've been evangelizing that FF works just fine on all of them (with occasional help from UserAgentSwitcher).  But now all of the QT content is broken!

I knew that QT hadn't been working in my copy of FF for some time now, but it wasn't until today that it became irritating enough for me to try to fix it.  It took several minutes to track down this bug report, and that was only after an unsuccessful attempt to install the latest version of QT.  Now, I have to disable blacklisting of *all* plugins, just so I can use one of them.  I realize that this is ultimately all Apple's fault, but I'm trying to help Firefox here!

Ideally, I'd like to see three things:  First would be two blacklist entries using the OS-VERSION info as proposed above.  One would be for Win2K, the other for XP and Vista,  Second, there should be a way to disable individual entries.  This would not only allow the continued blacklisting of non-QT plugins, but would re-instate the block if/when I upgrade to a later version of Windows.  Finally, FF pops up all sorts of messages when I start it, so toss in a message listing disabled blacklists, so I won't forget that I'm operating in a danget zone.

Thanks!

Comment 50

9 years ago
"I'll admit that it doesn't concern me greatly -- people probably shouldn't be
using Windows 2000."

Nice 'tude. I assume your check is in the mail to replace my W2K boxen.

Comment 51

9 years ago
Using QuickTime Alternative instead of Quicktime works in FF3/Win2K w/o crashes

Recent version (from 2.0, I believe) require XP, but I've had v1.9.0 on Win2K (SP4, of course) installations since last year, which still in FF3.x.

The older versions are still widely available for download [e.g.]
http://www.videohelp.com/tools/QuickTime_Alternative?oldversions=1#download

Comment 52

9 years ago
(In reply to comment #25)
> ... There is a pref to set to false: extensions.blocklist.enable --
> if you're using Windows 2000 and Quicktime 7.1.6, blocklisting is probably not
> going to help/hurt much.
> 

For those that are in need, it's actually extensions.blocklist.enabled (note the trailing 'd').  ;)

Comment 53

9 years ago
Toggling the option doesn't do anything. It still blocks QT.
Darn... I couldn't figure out why QuickTime Plug-in 7.1.6 was still listed, even though I have completely removed QuickTime from my WXP SP3 machine. And reinstalled 7.5 afterwards. And removed that version again. Until I opened up the pluginreg.dat and noticed it points to my old Netscape Communicator :-(
Any way to remove this link?

Generated File. Do not edit.

[PLUGINS]
D:\Netscape\Communicator\Program\Plugins\npqtplugin.dll|$
|$
1178630432617|1|5|$
The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the <A HREF=http://www.apple.com/quicktime/>QuickTime</A> Web site.|$
QuickTime Plug-in 7.1.6|$
7
Just remove the D:\Netscape\Communicator\Program\Plugins\npqtplugin.dll file?
Yes, I just did that (and npqtplugin{2..7}.dll too).
Thanks for the tip though, it did the trick

Comment 57

9 years ago
So, let me see if I have this straight:

1) Nagios requires Quicktime to play alert sounds
2) Windows 2000 will not run any Quicktime newer than 7.1.6
3) Quicktime older than 7.2 is blocked "for my protection"
4) That blocking can be turned off... with no granularity at all
5) The best anyone can come up with is "downgrade to FF2 or upgrade from 2000"

I find myself exceedingly unimpressed with the way this problem is being handled; I expect that sort of response from the IE team, not the Mozilla team.

Who, *precisely* took the decision that this solution was a pretty neat idea?

Comment 58

9 years ago
seems like a ridiculous solution to me as well.

Comment 59

9 years ago
changing extensions.blocklist.enabled did not work
installing Quicktimealt190.exe did work

not impressed with how this one was handled

Comment 60

9 years ago
Not cool. Not only do I lose QT capability for my win2k machine in FF, FFS, but so do all who use win2k to view my web page.  If I had known this I would never have allowed the upgrade to 3.0.  It's already difficult to cater to both browsers, as they are as different as IE and Netscape once were, but worse.

"> I'll admit that it doesn't concern me greatly -- people probably shouldn't be
> using Windows 2000."

I love this mentality too... NOT!  Win2k works fine for a general purpose machine, and I don't see the benefit in spending the $$ for another OS, just to get the small differences.

Comment 61

9 years ago
Looks like time to find an alternative to QT... possibly back to IE as well!

Comment 62

9 years ago
Look, it's great to complain that Firefox "isn't supporting Windows 2000", and all, but it's clearly a misinformed opinion.  Please note the following:

1. The version of Quicktime supported on Windows 2000 has security issues.
2. Firefox is only blocking this *INSECURE* version of Quicktime.
3. The way to fix this is for Apple to release a new version of Quicktime for 2000.

Mozilla has done nothing wrong here.  The old, insecure and buggy, version of Quicktime does not work properly, and so it is being blocked.  The ball is in Apple's court if Windows 2000 users want Quicktime.

It's really that simple.

I think the mentality is that if someone is running Windows 2000, they probably would rather have the security than Quicktime (since XP is mostly just 2000 with lipstick, and not really a consumer OS.)  Consumers should not be using Windows 2000, especially not in 2008.

-[Unknown]
You can always go back to Firefox 2, if you need QT 7.1 to keep working.
Firefox 3 is crashing with QT 7.1, so it had to be disabled. There is nothing that can be done about that, unfortunately.

Comment 64

9 years ago
Well, Martin; your reply gives the lie to the comment from the gent immediately before you, doesn't it?

If it will run on FF3, but not on FF2, then the fundamental cause is unlikely to be "security issues", and indeed, the reason I saw given was "it makes the browser unstable if we let users install it".

That points the finger *directly* at FF3, until someone *proves* differently to me.

Shame.  Clearly, from the looks of this bug and other large swaths of the Bugzilla, the Mozilla Foundation -- oh, excuse me, that's *The Mozilla Corporation, who are collecting lots of money from Google, among other people*, has overextended itself, probably unrecoverably.

I can't imagine that, if Google thought FF3 was going to be a win, they'd have spent lots of engineer time and money on Chromium.

I may be having a really negative week, but FOSS projects are just dropping like *flies* lately.  Must be this Republican total-lack-of-an- economy.

Bye guys; this was really the only bug I bothered signing up for.

Comment 65

9 years ago
Please check Secunia or another security vendor before making such dubious assertions.

http://secunia.com/advisories/26034/
http://secunia.com/advisories/22048/
http://support.apple.com/kb/HT1263
http://secunia.com/advisories/product/5090/?task=advisories

Martijn's statement in no way contradicts mine; if you require Quicktime on Windows 2000, and do not care about security, you should use Firefox 2.  This is a workaround, although imho security is more important.

It is also true that Quicktime 7.1 causes Firefox 3 to crash, due to bugs in Quicktime 7.1.  These bugs do not affect Firefox 2.  Please keep in mind that the SECURITY bugs in Quicktime 7.1 are/would be present in BOTH browsers irregardless of this fact.

-[Unknown]
Like comment 65 says, I wasn't contradicting comment 62.

See comment 29 why this is happening.

Like comment 25 says, if you really want to enable the QT plugin again, you can disable blocklisting, by setting extensions.blocklist.enable to false in about:config.

Comment 67

9 years ago
As reported in #53 and #59, setting that option does not appear to effect any change; QT still gets blocked when visiting a page that attempts to load it regardless of how this option is set. If this is not intentional, then would it be prudent to file that as a new bug?
That indeed sounds bad.
Changing extensions.blocklist.enabled to false should unblock the QT 7.1 plugin, afaict. If that doesn't happen, then I think it's a bug. So indeed, you should file a new bug for that.
Ok, I downloaded and installed Quicktime7.1.6 from http://www.apple.com/support/downloads/quicktime716forwindows.html (uninstalled the already installed Quicktime)
I then tried to view this movie:
http://94-west.com/Valet/HUD_large.html
That didn't work, because I had extensions.blocklist.enabled still set to true.
After I set that to false and restarted, I could watch that Quicktime movie, though.
So for me, extensions.blocklist.enabled=false seems to work just fine.
dont forget to blow away (or move) your blocklist.xml file also.  Setting the value just means it wont download any more blocklists, but you may still be running off your old list.

Comment 71

9 years ago
> Please keep in mind that the SECURITY bugs in Quicktime 7.1 are/would be present in BOTH browsers irregardless of this fact.

A handful more drive-by's in older versions of quicktime announced this week.

http://secunia.com/advisories/31821/

Comment 72

9 years ago
What the hell do you mean by "People shouldn't be using windows 2000???

I happen to prefer it greatly over XP.
Many of us don't just prefer 2000 for its stability and better loading times, we are also limited by funds to older hardware which will not run XP and especially VISTA.  Microsoft chose to leave people like me behind, limited income vets, disabled, retired or with huge medical debts [pick a combination]contrary to their rhetoric.   There are a lot of businesses in the same crunch.  When I can upgrade the hardware I'll consider a new OS, probably open doc.  It will take a lot of learning, but worth it. 

I know it complicates what you are trying to do and I really appreciate all of your efforts.  I will only use Microsoft software as a last resort because what you do is more reliable, transparent and virus free.
PS I intend to copy this comment to Apple Quicktime.  If Microsoft has been forced to extend 2000 support, then perhaps Apple and others need to consider it.  Previous points are valid. If apple won't support 2000 a lot of us in my situation, business and private user alike, have some hard decisions about where we put our money in the immediate future.

Comment 75

9 years ago
I use Windows 2000, and I do not understand why as its core is similar to
both XP and Vista that it is not supported by the Apple plugin.

Some people think you should blindy jump at an new OS at the drop of a hat!

Comment 76

9 years ago
(In reply to comment #9)
well it seems no-one here uses Adobe After Effects CS3 under Windows - the 7.1.6 and later releases of Quicktime cause dastardly havoc for After Effects and it's impossible to upgrade beyond v7.1.5. Another reason why Firefoxers are stuck. Giving us some control over plug-in blocks like this one makes sense - or we have to dump Firefox for (ick) IE

> (In reply to comment #0) 
> > This version of QuickTime appears to be pretty old. QuickTime 7.2 appears to
> > have been released in July '07 (http://support.apple.com/kb/HT1263), so I'm not
> > sure why people still have the old version.
> 
> People still have QuickTime 7.1.6 because this is last supported version on
> Windows 2000. Minimum requirement for 7.2+ is Windows XP.
> So, upgrading QuickTime irrelevant here.
Kirk, see comment 69, if you set extensions.blocklist.enabled=false in about:config, then you should be able to use the QuickTime plugin again.

Comment 78

9 years ago
(In reply to comment #77)
Doh! Doncha hate it when ya get sprung not reading the entire thread...
Thanks a lot Martijn
> Kirk, see comment 69, if you set extensions.blocklist.enabled=false in
> about:config, then you should be able to use the QuickTime plugin again.
(In reply to comment #7)
> Giving us some control over plug-in blocks like this one makes sense -
> or we have to dump Firefox for (ick) IE

We are in fact planning that for 3.1--see screenshots in bug 455906. We'll still strongly recommend and by default block problematic plugins, but users will be able to override for all but the worst/most-malicious problems.

The flip side is that we'll probably feel free to block more plugins since users will have a reasonable work-around if they're really and truly stuck using an old version.

Updated

9 years ago
Flags: blocking-firefox3+
Flags: blocking-firefox3.1?
Flags: blocking-firefox3.1?

Comment 80

9 years ago
http://support.apple.com/kb/HT3403 shows list of more critical bugs fixed in the recently release quicktime 7.6 update and expose users to additional risk.

Comment 81

9 years ago
Working in a shop that is predominately Windows 2000 based *still*, I can honestly say that this is a *bad* move. We just did the upgrade to 3.0.6, on a couple of the machines here and are encountering this nonsense of Firefox blocking QuickTime. If I follow this to it's logical conclusion, I'm going to be entering extensions.blocklist.enabled=false in all 150+ machines!?!  Since I won't have budget till 3rd quarter to upgrade 1/3 of my machines; perhaps I shouldn't be pushing Firefox if it's going to be so restrictive as to determine incorrectly what is correct for my environment. 

Giving a warning to a user, giving them the ability to bypass the blocker permanently for that particular issue would be acceptable. Even giving them a status bar warning everytime after that would be ok. BUT totally blocking the plugin, because you deem it a security risk isn't a good practice and makes a whole bunch more work for those of us managing those systems.

Comment 82

9 years ago
I also use Windows 2000 for two reasons.  The main one is that I have a very old machine with a 633MHz processor and 256MB RAM.  This is not enough to run XP or Vista.  There is no way I can afford to replace this machine with being out of work at the moment.  Another reason, and this is a big one for me, is when I have a folder open containing mp3's, I can play them using the small media player preview player on the left hand side of the window instead of having to launch Media Player or Winamp.  This is not available on XP or Vista.
(In reply to comment #81)
> Working in a shop that is predominately Windows 2000 based *still*, I can
> honestly say that this is a *bad* move. We just did the upgrade to 3.0.6, on a
> couple of the machines here and are encountering this nonsense of Firefox
> blocking QuickTime. If I follow this to it's logical conclusion, I'm going to
> be entering extensions.blocklist.enabled=false in all 150+ machines!?!

So your office of 150 users is better off using a browser plugin with numerous unpatched and actively exploited security issues?  Doesn't that seem, I don't know, like you're playing Russian Roulette with your network's security?

Comment 84

9 years ago
I still think it's a bad move.  Couldn't the user decide whether or not to block Quicktime. and take responsibility for any problems caused by using it?

As a result of this block, I am no longer able to watch any quicktime movies, and the only browser I use is Firefox.  I've tried the extensions.blocklist.enabled=false, but it still blocks it.

I use Windows 2000 mainly because I have no choice. I use a very old computer from 2001 with a 633MHz processor and 256MB RAM. I can't even buy parts for this machine now.  Because I'm disabled and living on very limited funds, there is no way I can even think of buying a new computer.  This one just about manages to do what I want it to do.  I also happen to like Windows 2000 Pro.

The only workaround at the moment for me would be to install an older version of Firefox but I'd rather not.  I'd rather be given the opportunity to run whatever software I like on my computer.  I'm not stupid and wouldn't deliberately put myself at risk though.
Michael, the plugin caused crashes, when loading a page with a Quicktime movie. Most users wouldn't know why Firefox would be crashing and would not know how to fix it.

I don't know why the pref isn't working for you. Perhaps you could try removing the blocklist.xml file as mentioned in comment 70?
http://kb.mozillazine.org/Blocklist.xml

Comment 86

9 years ago
"Consumers should not be using Windows 2000, especially not in 2008."

Why not? It still works for me. Replacing it costs money and I am just plain cheap, which may explain why my house is not in foreclosure. I can live without the Vietnamese language pack, but I will live better if I do not have to "upgrade" my computers.

Comment 87

9 years ago
Robert, 

It's definitely your choice, and has been mentioned in this bug people can use win2k and old versions of plugins that are required for that old OSes.  You should understand the risks of doing that.  You might "live better" in the short run if you don't upgrade, but if your computer is attacked via exploit of out-of-date plugins and you possible lose credit card and bank account information to criminals will you still be living as well?  That's a question you will ultimately assess the risks and answer.

We just want to make sure you know the risks.  Here is another independent analysis of the problem we are trying to help solve in this bug, and an outline of the risks that people are exposed to when they run old versions of plugins.

http://www.techzoom.net/publications/insecurity-iceberg/index.en

Comment 88

8 years ago
Created attachment 375532 [details]
 Bug 430826 -  Consider blocklisting (blacklisting) QuickTime plug-in version 7.1.*
The content of attachment 375532 [details] has been deleted by
    Dave Miller [:justdave] <justdave@mozilla.com>
who provided the following reason:

Windows EXE file, unrelated to bug

The token used to delete this attachment was generated at 2009-05-03 14:39:44 PDT.

Comment 90

8 years ago
Obviously, global unblocking is bad as it opens the system to drive-by pollution. So why not allow unblocking on a per-site, per-session basis? I currently see an 'option' to "Update plugins...," which is not option at all. I'd like to see another option: "Unblock plugin for this session."

Comment 91

8 years ago
Ok hypothetically speaking lets say someone on win2k that doesn't care to have the qt plugin. How does one stop the box at the top from popping up saying it's blocked? Can I...er I mean...someone delete or remove the plugin all together?

Comment 92

8 years ago
I'm having a problem with you blocking this plug-in - the reason being, I'm on a 64-bit windows machine.  Quicktime stopped supporting 64-bit in their application after version 7.1.6.   So if I update the plugin, nothing works (not in quicktime, or in the browser).  Can you please figure out a way to fix this for 64-bit users?  It's super frustrating that I can't view movies on my machine anymore.
tshellen@yahoo.com, if you set the extensions.blocklist.enabled=false pref in about:config, then the Quicktime plugin should work for you again (but beware of the crashes you will get).

Comment 94

8 years ago
Thanks for getting back to me so quickly!  :)

Is there a way to only unblock that one extension?  The only blocklist item I'm having a problem with is the quicktime one.  I'd hate to enable everything false and have to deal with it crashing all the time.  Is there a better way?

Thanks for your help.
You can disable plugins on a individual basis, if that's what you mean. Just look under Tools->Add-ons->Plugins.

Comment 96

8 years ago
I have just downloaded the latest free version of Quicktime (Quicktime 7.6.4 with I-Tunes for XP or Vista) on Apple's website, but the plug-in is still blocked. 
http://www.apple.com/fr/quicktime/download/
I use Windows XP, and Firefox 3.5
Is there any way out (except buying Quicktime 7 pro? ) 

Thank you for your help

Comment 97

8 years ago
There are many reasons why a person would want to continue with Windows 2000, such as custom hardware which does not have a driver that works under XP...
There is a file blocklist.xml which seems to have a list of blocked plugins. However, when I removed Quicktime from the list it is still blocked. I exited Firefox and restarted it, but it is still blocked.  I have a couple questions on this.

Firstly, why is the "Enable" button disabled in my tools/addons list for this plugin? Give me the choice!
Secondly, if that XML file is not a list of plugins to block, what is it?  How do I enable only a single blocked plugin?

Comment 98

8 years ago
(In reply to comment #13)
> Hey - final word on blocklisting?  If we blocklist 7.1.6 for Windows 2000, then
> people won't be able to use it at all (given no upgrade).
> 
> I'll admit that it doesn't concern me greatly -- people probably shouldn't be
> using Windows 2000.
> 
> Should we proceed with blocklisting 7.1.*?

let me just say i just found this site . .

as for people probably shouldnt be using windows 2000.. if you would like to donate me a new computer that runs at least xp .. please feel free to contact me .. some of us unfortunately have to work with 2000 since we have no choice.. not everyone is so privileged .. and i think the blocklisting it has now made my firefox continuously crash ...and also messes up my ims on fb book and many other things on various sites .. so a round of applause for making this even more of a nuisance .. 

think about others before doing an action ..

Comment 99

8 years ago
(In reply to comment #62)

> It's really that simple.
> 
> I think the mentality is that if someone is running Windows 2000, they probably
> would rather have the security than Quicktime (since XP is mostly just 2000
> with lipstick, and not really a consumer OS.)  Consumers should not be using
> Windows 2000, especially not in 2008.
> 
> -[Unknown]

unknown .. you really should practice not thinking because your thought processes are really warped and unpolished .. by the way, you also can buy me a new computer to accommodate this otherwise ... clamp shut .. thanks .. have a blessed day :)
>i think the blocklisting it has now made my firefox continuously cras
The blocklisting doesn't cause crashes and it disables only the qt plugin.
That means that disabling the plugin prevents crashes because the reason for the blocklist is that the plugin causes crashes.

And why do you blame us if this blocklisting is done because of bugs in the apple QT plugin (not in FF) and apple stopped the support of win2k and not us ?

Comment 101

8 years ago
(In reply to comment #100)
> >i think the blocklisting it has now made my firefox continuously cras
> The blocklisting doesn't cause crashes and it disables only the qt plugin.
> That means that disabling the plugin prevents crashes because the reason for
> the blocklist is that the plugin causes crashes.
> 
> And why do you blame us if this blocklisting is done because of bugs in the
> apple QT plugin (not in FF) and apple stopped the support of win2k and not us ?

.why do i blame firefox and not apple?? because firefox is making that dam red line come up every time i get an im on fb ... and on other various sites i get that line .. and prior to this i have not had a problem with firefox crashing .. only recently and i guess that is around the time that the addon was disabled or blocked ..  maybe someone needs to step up and find out how to go around and get the firefox application to work without crashing, instead of making the web experience annoying .. because by the way, wasnt firefox intended to help the population to have a more blessed time exploring the internet?
In that case go to the support (http://support.mozilla.com) and ask for help and don't add irrelevant comments this bug, thanks.
(and please read/understand a bug before you add a comment)

Comment 103

8 years ago
(In reply to comment #102)
> In that case go to the support (http://support.mozilla.com) and ask for help
> and don't add irrelevant comments this bug, thanks.
> (and please read/understand a bug before you add a comment)

understand and read clearly, JUST BECAUSE YOU ARE FORTUNATE TO HAVE AN UPGRADED COMPUTER DOESNT GIVE YOU THE LIABILITY TO BELITTLE ANOTHER BECAUSE THEY DONT HAVE THE SAME LUXURY ... 

OBVIOUSLY FOR YOUR MINUTE MIND, IT IS A RELEVANT COMMENT SINCE THE BUG AND YOUR ALLEGED RESOLVE TO IT AFFECTS ME .. SO MAYBE YOU NEED TO UNDERSTAND PRIOR TO INSERTING YOUR FOOT INTO YOUR MOUTH !! 

hope you dont have any toe fungi .. 

have a bless day and think prior to typing ... ;)

Comment 104

8 years ago

(In reply to comment #103)

> 
> OBVIOUSLY FOR YOUR MINUTE MIND, IT IS A RELEVANT COMMENT SINCE THE BUG AND 

and i am not referring to implements of time either .. but when i put minut (pronounced "my noot" its saying spelling correction needed
vida, your comments are out of line and unwelcome in this bug. Please read https://bugzilla.mozilla.org/page.cgi?id=etiquette.html and make sure you understand all of it, as the next time you violate one of its tenets, your account will be disabled. This is your only warning. Thanks!

Comment 106

8 years ago
I tried to embed Quicktime in to a web page using code I found in 'HTML, XHTML & CSS' sixth edition by Elisabeth Castro and found that no matter what I did I could not get Firefox to show the videos.  So it does come as a shock that a supposedly top browser company like Mozilla Firefox can't work together with apple to resolve the issue.  

Perhaps it is time for the Mozilla team to call it a day and to leave browser development to companies like Microsoft who seem to know what they are doing with their IE.  Also Opera and Safari.
Why bother developing a browser that causes more Geeky problems?

Comment 107

8 years ago
(In reply to comment #0)
> One of the current topcrashes on trunk is [@ RtlEnterCriticalSection] and
> having the QuickTime plug-in version 7.1.* seems to be the common denominator
> (see bug 430576). There are different crashes related to this signature, but
> the majority of them are the plug-in related one.
> 
> This version of QuickTime appears to be pretty old. QuickTime 7.2 appears to
> have been released in July '07 (http://support.apple.com/kb/HT1263), so I'm not
> sure why people still have the old version.

Because very often people use some professional editing software such as Avid Xpress Pro that requires only specific version of quicktime and doesn't work otherwise. This is my experience to answer your wondering question why people still use old version of quick time.
If I have to update my software everytime quicktime make a change I have to waste a good amount of money.
Thanks for understanding.
What I can do to not be bored by such a warning every page I visit in Facebook?
Have a nice day...from Angelo

Comment 108

8 years ago
re comment 107, this isn't a support service. if you need support, please visit https://support.mozilla.com however, i believe that if you disable the plugin yourself in tools>plugins, you shouldn't see the warning.

Please note that as reed has already warned someone in comment 105, and as we expect *EVERYONE* to *READ* and *UNDERSTAND* https://bugzilla.mozilla.org/page.cgi?id=etiquette.html as well as to *READ* the *ENTIRE* bug before commenting in it, it seems reasonable for people who comment here asking for support to have their accounts terminated.

re comment 106, again, this is not a support forum, visit support, try a newsgroup, ask online, and when you do so, provide a url with a sample (but do *NOT* use this bug as such actions are offtopic).
Summary: Consider blocklisting (blacklisting) QuickTime plug-in version 7.1.* → Add blocklisting (blacklisting) for QuickTime plug-in version 7.1.*

Comment 109

8 years ago
Created attachment 419890 [details]
xvideo

Updated

8 years ago
Attachment #419890 - Attachment is obsolete: true
Attachment #419890 - Attachment is patch: false
The content of attachment 419890 [details] has been deleted by
    Reed Loden [:reed] <reed@reedloden.com>
who provided the following reason:

Firefox.exe binary

The token used to delete this attachment was generated at 2010-01-17 20:04:45 PST.

Updated

8 years ago
Flags: blocking1.8.1.next?
Flags: blocking1.8.1.next?
OK, so when does this now get sorted? It was now for a long time NOT a problem, now today, firefox is blocking the plugins again. And how many times do the bar have to take up all the space on my screen. Every time I open the facebook chat, the bar pops up. I took note, I closed the bar, so why can you now not either stop blocking the plugins, or stop telling me about it> tell me once a day, if you have to, but not the whole day!!

Comment 112

7 years ago
... actually, I'm rather annoyed about Mozilla Firefox 3.6.3 blocking some plugins completly now without leaving it eventually to the users to decide how to handle reported bugs in addons like quicktime 7.1.* or others?! 

why not offering an option to activate it "on own risk" in this pop up info bar - even if the plugin version is rather outdated (ok, but for some reason some people still use it!)? And not all users are so smart or technically expereienced to find out why all off the sudden their browser doesn't play songs on websites anymore etc.!

I appreciate very much the competence of the creators of Mozilla and I still love my Firefox  - but nevertheless: in moments like I know why I prefer Opera even more, sorry guys!
Monika, the Quicktime 7.1.* plugin version is crashing Firefox 3 and higher. So users wouldn't be able to use the plugin anyhow. Even worse, their browser would crash entirely.

Comment 114

7 years ago
cheers @ Martijn, well, I understood this from the other comments, but since quicktime 7.1. was there first, and it also does not clash with other browsers (my Opera and IW work perfectly with it), it leaves one a bit curious why this happens with FF 3, when even it's predecessor FF 2 was obviously able to tackle this ....
Iirc, the crashes started happening when pgo was enabled by default. See bug 361343 and further.

Comment 116

7 years ago
Created attachment 459352 [details]
QuickTimePlugin

=)
The content of attachment 459352 [details] has been deleted by
    Dave Miller [:justdave] <justdave@mozilla.com>
who provided the following reason:

Attaching random executables is bad form

The token used to delete this attachment was generated at 2010-07-28 13:09:01 PDT.

Comment 118

7 years ago
Derek Watson
Read all the comments, accept that Qt does not work with FF3.. but can find no hints as to which plug-in I need to use to listen to .mps files!
Does "support" offer the help I seek?

Comment 119

7 years ago
derek: this isn't http://support.mozilla.com. You can try it out, or you could follow the maxim: "Google is your friend." 

fwiw, I don't think ".mps" is the file type you mean...

http://support.mozilla.com/en-US/search?qs=s&q=mp3

note that if you want to use QuickTime, you just need to install a *current* version of QuickTime player (it's free...).

Comment 120

7 years ago
timeless wrote:
>note that if you want to use QuickTime, you just need to install a *current*
>version of QuickTime player (it's free...).

Unless, of course, you are one of the luckless souls for whom QT is blacklisted and so isn't an option... which is the whole point of this bug.
>Unless, of course, you are one of the luckless souls for whom QT is blacklisted
>and so isn't an option... which is the whole point of this bug.
The _current_ version of QT is NOT blacklisted.
This bug is about blacklisting an _old_ version of QT that causes crashes and isn't supported anymore by Apple.

Comment 122

7 years ago
If you are stuck with WIndows 2000 (and I concede it's a shrinking population), then the only versions of QT that you can use are the ones that are blacklisted.

Comment 123

7 years ago
sam: probably any of: real player, vlc, wmp, and probably others. but really, google. not this bug.
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.