Last Comment Bug 695927 - Plugin block request: npmozax.dll
: Plugin block request: npmozax.dll
Status: VERIFIED FIXED
[plugin]
:
Product: Toolkit
Classification: Components
Component: Blocklisting (show other bugs)
: unspecified
: All All
: -- normal with 1 vote (vote)
: ---
Assigned To: Jorge Villalobos [:jorgev]
:
Mentors:
Depends on: 692149
Blocks:
  Show dependency treegraph
 
Reported: 2011-10-19 17:21 PDT by Matthias Versen [:Matti]
Modified: 2016-03-07 15:30 PST (History)
16 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Matthias Versen [:Matti] 2011-10-19 17:21:59 PDT
Plugin name: npmozax.dll - Mozilla ActiveX control and plugin support
Plugin versions to block: 1.0.0.4 or lower
Applications, versions, and platforms affected: Firefox7.0.1+, Seamonkey2.4.1+ on Windows
Block severity: hard

How does this plugin appear in about:plugins?
    File: npmozax.dll
    Version: 1.0.0.4
    Description: Mozilla ActiveX control and plugin support

Homepage and other references and contact info: 
http://www.iol.ie/~locka/mozilla/plugin.htm
AFAIK: Adam Lock created this Plugin as part of his work at Netscape

from http://www.adamlock.com/mozilla/#contact
>Note this project is no longer in active development. Content is made available for reference purposes only!

Reasons:
This is a very old Plugin that adds ActiveX Support to Mozilla and this Plugin will not work in any Firefox version higher as Firefox 1.5,

This Plugin will crash in Firefox7.0.1 and Seamonkey2.4.1
The crash reporter is triggered without any visible crash notification.
A simple page can trigger many crashes in the background and the pending folder of the crash Reporter will store gigabytes of pending crash reports !
That is the main reason for the hard block: The users hdd will get filled up with pending crash reports.
Comment 1 Justin Scott [:fligtar] 2011-10-20 02:22:17 PDT
Johnath, does this block sound okay to you?
Comment 2 Matthias Versen [:Matti] 2011-11-13 23:52:24 PST
ping
Comment 3 Johnathan Nightingale [:johnath] 2011-11-24 07:11:03 PST
I missed this bugmail the first time around - sorry about that. The summary talks about a DLL, but comment 0 makes it sound like plugin blocklist.

I have no idea whether this thing is actually used in the wild for any legitimate purpose, cc'ng bsmedberg on the off chance that he does.

If it isn't, I certainly have no objection to either form of blocklisting.
Comment 4 Benjamin Smedberg AWAY UNTIL 2-AUG-2016 [:bsmedberg] 2011-12-02 08:29:29 PST
This thing *was* used in the wild for legitimate purposes (Mozilla shipped it), but it has not been maintained in years and is pretty much guaranteed not to work in current builds. I think we are safe blocking it. If somebody were to resurrect a new version of this code/functionality, we can give it a different filename.
Comment 5 Jorge Villalobos [:jorgev] 2012-05-23 10:20:05 PDT
I have staged a block for this plugin: https://addons-dev.allizom.org/en-US/firefox/blocked/p89

It is hard-blocked for all platforms (the plugin only works on Windows, though) and all Firefox versions. If we care about 1.5 users who may still use this (did we even have a blocklist back then?), I can limit the version range.
Comment 6 Underpass 2012-06-07 09:08:18 PDT
Following the release of Firefox 13 we had a fair number of support requests in the Italian support forum with users unable to play Flash content. And we found that this plugin is the "culprit".

Even in the US forum there are similar threads:

https://support.mozilla.org/en-US/questions/928865
Comment 7 Matthias Versen [:Matti] 2012-06-07 09:18:10 PDT
Jorge: Can we push the block to production ?
Comment 8 Jorge Villalobos [:jorgev] 2012-06-07 12:19:01 PDT
Anthony, can you test the staged block?
Comment 9 Jorge Villalobos [:jorgev] 2012-06-07 14:22:49 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #8)
> Anthony, can you test the staged block?

Mid-aired and forgot to CC Anthony.
Comment 10 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-06-07 15:17:42 PDT
I have no idea how to install this plugin to test the stage. Can someone please help me? The instructions on the website do not seem to work.
Comment 11 Jorge Villalobos [:jorgev] 2012-06-07 16:09:58 PDT
Andrew, can you give this a try?
Comment 12 Jorge Villalobos [:jorgev] 2012-06-07 17:47:27 PDT
The website on comment #0 offers the plugin packaged in an XPI file with isn't compatible with any recent version of Firefox. This means users who have this plugin installed got it in a different way that installed it as a standalone plugin. Since manually installing plugins is a convoluted process involving touching the Windows Registry, I think it's best just to push this block to prod and gauge user reaction.

So, the block is now in place:
https://addons.mozilla.org/en-US/firefox/blocked/p102

Matti, please follow up with users next week so we can make sure the block is working correctly.
Comment 13 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-06-07 17:50:36 PDT
Yeah, there were manual instructions on the website which I was trying to follow but it didn't seem to be working for me.

FWIW, I do confirm that the block appears in my blocklist.xml file.
Comment 14 Matthias Versen [:Matti] 2012-06-07 18:40:55 PDT
The easiest way to install it now is to download the xpi, rename it to zip, extract the npmozax.dll and put the file in c:\program files\Mozilla Firefox\plugins\.
That is enough to let it appear in about:plugins.

I triggered a blocklist reload and I can confirm that the block is working.

Jorge: 
Does this block include Seamonkey ?
This would make sense because this is a NPAPI Plugin and not an extension and is therefore not app specific.
Comment 15 Jorge Villalobos [:jorgev] 2012-06-07 22:56:19 PDT
Thanks, Matti.

The block should work on any application that uses the same blocklist. I don't know if SM has one, but if it does, I assume this block will also apply.
Comment 16 Matthias Versen [:Matti] 2012-06-07 23:18:59 PDT
Seamonkey has the same blocklist but the blocklist server delivered different entries based on the OS and the app in the past. It seems that this changed as i have all the Firefox extensions in my Seamonkey blocklist.
Comment 17 frank.bertelsen@mail.dk 2012-06-09 01:28:38 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #12)
> The website on comment #0 offers the plugin packaged in an XPI file with
> isn't compatible with any recent version of Firefox. This means users who
> have this plugin installed got it in a different way that installed it as a
> standalone plugin. Since manually installing plugins is a convoluted process
> involving touching the Windows Registry, I think it's best just to push this
> block to prod and gauge user reaction.

Just for information: I had this plugin blocked today, but it is nothing I have ever installed manually. I have been running an older version of Firefox for a long time, and it most likely got installed then, when some website, game or whatever needed the plugin to be able to run. The XPI format (whatever that is) must be compatible with the older versions of Firefox, and the plugin must have been installed automatically, because I have certainly not edited any registry entires to get this plugin.
Comment 18 Matthias Versen [:Matti] 2012-06-09 04:34:30 PDT
This plugin came preinstalled with Netscape6/7 to support ActiveX in the browser.
At that time IE had a market share of 90% and many websites used ActiveX technology.
Due to the success of Firefox this is now history.
XPI stands for "Cross Platform install" and is special zip file that contains extensions for Mozilla Products. The format changed over time (install.js vs install.rdf ) and this XPI worked in previous version (up to Firefox 3.6?).
Comment 19 frank.bertelsen@mail.dk 2012-06-09 14:40:57 PDT
I just checked Firefox's folder containing crash reports, and I have 8,500 files using up 84MB of disk space. I assume they were all created by this plugin as they have been comming daily until june 7th when the plugin was blocked.

Couldn't you possibly clean out all these files in the process where you block the plugin, or at least tell people that they might have a lot files that need to be deleted manually? I only found out about the report files because I began reading more about the plugin, and I bet they will go unnoticed by most people. I never even knew about a folder with crash reports before I read about it in here.
Comment 20 Jorge Villalobos [:jorgev] 2012-06-10 16:38:27 PDT
@akeybl: could we use the Hotfix add-on to do a one-time cleanup?
Comment 21 Matthias Versen [:Matti] 2012-06-10 16:54:54 PDT
bug 690841 should remove those pending reports if it get fixed someday...
Comment 22 Alex Keybl [:akeybl] 2012-06-10 17:17:53 PDT
(In reply to Jorge Villalobos [:jorgev] from comment #20)
> @akeybl: could we use the Hotfix add-on to do a one-time cleanup?

I'd rather take the in-product fix in bug 690841 instead of coming up with a well qualified one-off. I don't think this issue is critical enough to warrant an add-on hotfix, or escalation of bug 690841. My opinion would be different if the crash reports took up significantly more space, or this somehow caused performance issue.

Note You need to log in before you can comment on or make changes to this bug.