Closed Bug 837377 Opened 10 years ago Closed 10 years ago

Plugin block request: QuickTime 7.7.2

Categories

(Toolkit :: Blocklist Policy Requests, defect)

Product:
Toolkit
Component:
Blocklist Policy Requests
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
2013-07-04

People

(Reporter: mcsmurf, Assigned: jorgev)

References

Details

(Whiteboard: [plugin]) 

Plugin name: QuickTime
Plugin versions to block: 7.7.2
Applications, versions, and platforms affected: At least Windows
Block severity: (hard/soft) dunno...

How does this plugin appear in about:plugins?
    File:  npqtplugin7.dll/npqtplugin6.dll/npqtplugin5.dll/npqtplugin4.dll/npqtplugin3.dll/npqtplugin2.dll/npqtplugin.dll
    Version: 7.7.2.0
    Description: QuickTime Plug-in 7.7.2

Homepage and other references and contact info: 

Reasons: I'm not sure if the QT plugin matches all the criteria for blocklisting. I mainly wonder if it should be blocked because the QT 7.7.2 plugin is marked as vulnerable (see http://support.apple.com/kb/HT5581 for more information) on https://www.mozilla.org/en-US/plugincheck/. But it's not included in the plugin blocklist.
Do we want to block vulnerable versions of the Quick Time plugin?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(release-mgmt)
Yeah, let's block all but latest on Windows/Mac if testing shakes out with QA. It can also be our first CTP without specifying a minimum version.

Jorge, what info do you need to perform the block? Descriptions, version numbers, DLLs? Let's discuss in tomorrow's channel meeting.
Flags: needinfo?(release-mgmt) → needinfo?(dveditz)
For all 3 platforms, I need the about:plugins data for the QuickTime plugin, except for the mime types table. I need at least a sample for the latest version and an older version, but having more version samples is better.
(In reply to Jorge Villalobos [:jorgev] from comment #3)
> For all 3 platforms

Actually, that should be just Windows and Mac.
QA Contact: anthony.s.hughes
I've managed to grab many of the strings back to Quicktime 5.0.2 on Windows. I couldn't get earlier versions to register in Firefox. I hope this is sufficient.

I'm now moving on to retrieve the strings for Mac OSX.
I've been having considerable difficulty getting the information needed on Mac OSX. I can only seem to get the latest version to install and register within Firefox. It seems as though on Mac OSX 10.8 the only way to get Quicktime installed is through the App Store and that only serves you the latest (Quicktime 7.7.1). I checked http://support.apple.com/downloads#quicktime but it only seems to have Quicktime downloads for Windows or Mac OSX 10.5 and earlier. I also tried http://www.oldapps.com/mac/quicktime.php but it seems to be a similar story.

You can see all my results here:
https://wiki.mozilla.org/QA/Plugins/About:Plugins#Apple_QuickTime

In summary, we now have the strings for QuickTime 5.0.2 -> 7.7.4 on Windows and 7.7.1 on Mac OSX, and that's the best we're going to get I think.
Added two blocks to stage:

QuickTime Plugin 7.7.3 and lower (click-to-play), Windows
https://addons-dev.allizom.org/en-US/firefox/blocked/p359

QuickTime Plugin 7.7.0 and lower (click-to-play), Mac OS X
https://addons-dev.allizom.org/en-US/firefox/blocked/p357
Keywords: qawanted
Flags: needinfo?(dveditz)
The blocklist works fine on staging (see the test plan for details - https://wiki.mozilla.org/QA/Desktop_Firefox/Plugins/Blocklisting/Apple_Quicktime#Staging). 

The only issue I noticed is that there is no notification in the Add-ons Manager that the plug-in is outdated.

Is this known?

On Mac OS X 10.8 - I also bumped into the same issue as described in Comment 6 and I couldn't test the blocklist on a QuickTime Plug-in lower than version 7.7.1.
(In reply to Simona B [QA] from comment #8)
> The only issue I noticed is that there is no notification in the Add-ons
> Manager that the plug-in is outdated.
> 
> Is this known?

Both blocks have the "Update Available" flag set, so the CTP UI should tell you to update. I don't know if the Add-ons Manager should say anything about it.

> On Mac OS X 10.8 - I also bumped into the same issue as described in Comment
> 6 and I couldn't test the blocklist on a QuickTime Plug-in lower than
> version 7.7.1.

That's fine, thanks.
(In reply to Simona B [QA] from comment #8)
> The only issue I noticed is that there is no notification in the Add-ons
> Manager that the plug-in is outdated.

This is a bug in the Add-ons Manager and does not impact deploying this blocklist in my opinion (see bug 886895). Note that this appears to only affect certain plugins. Flash and Java are identified as out of date while Quicktime and JDK are not.
The blocks are now live:

https://addons.mozilla.org/en-US/firefox/blocked/p408 (OS X)
https://addons.mozilla.org/en-US/firefox/blocked/p410 (Windows)
Assignee: nobody → jorge
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2013-07-04
quicktime 7.6.6 is apparently the highest version available for mac os x 10.6 users - is this covered by the blocklist intentionally?

(sumo question https://support.mozilla.org/en-US/questions/963505 )
morons
I'm switching to Chrome. I'm tired of you morons at Mozilla. your organization takes in so much money yet you claim you're "short staffed". What a joke.
As phillipp points out, quicktime 7.6.6 is apparently the highest version available for mac os x 10.6 users - is this covered by the blocklist intentionally?

(see question https://support.mozilla.org/en-US/questions/963505 )


Are you going to allow this combination, or do I need to switch to Chrome, too?
Mozilla are a pack of idiots.
Blocks: 888747
No need to get upset here, we'll fix the issue.

Jorge: Need to remove the QT block again to make sure things work on OS X 10.6 again. Looks like a bit of research is needed what is the latest available Quicktime version on OS X 10.6. Or just exclude OS X 10.6 from the plugin block..
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
this page seems to list the latest downloads available: http://support.apple.com/downloads/#quicktime
Just wondering though: Isn't Quicktime X (QT 10) the version-to-use on OS 10.6 and higher? But then I don't use a Mac, so I don't know that much about QT.
Before the reopening of this bug the we verified that the blocklist works fine on Windows (with the ID p410).
https://wiki.mozilla.org/QA/Desktop_Firefox/Plugins/Blocklisting/Apple_Quicktime#Production

Waiting for a resolution on this bug or on Bug 888747 before testing the blocklist on Mac OS X.
I've modified the block for OS X so it only covers versions up to 7.6.5. We can't filter by OS version, so we either block 7.6.6 for all Mac OS users, or we don't. Unless there's a critical security problem, I think it's better to keep the block like this until either Apple upgrades the plugin for 10.6 or we stop supporting it.
Status: REOPENED → RESOLVED
Closed: 10 years ago10 years ago
Resolution: --- → FIXED
I've also verified the blocklist in production on Mac OS X:
- QuickTime 7.7.1 is not blocked on Mac OS X 10.8.3 
and 
- QuickTime 7.6.6 is not blocked on Mac OS X 10.6.8.

More details are available here: https://wiki.mozilla.org/QA/Desktop_Firefox/Plugins/Blocklisting/Apple_Quicktime#Production
Status: RESOLVED → VERIFIED
Keywords: qawanted
Product: addons.mozilla.org → Toolkit
You need to log in before you can comment on or make changes to this bug.