Closed Bug 980772 Opened 7 years ago Closed 7 years ago

White listing of McAfee Security Scanner + NPAPI plug in

Categories

(Firefox Graveyard :: Plugin Click-To-Activate Whitelist, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED
Firefox 30

People

(Reporter: shilin_nk, Assigned: benjamin)

Details

(Whiteboard: application complete - accepted - qa complete)

Plugin name: McAfee Security Scanner
Vendor: McAfee
Point of contact: shilin_nk@mcafee.com
Current version: 3.8.141.0
Download URL: http://home.mcafee.com/store/free-services 
Sample URL of plugin in use: http://get.adobe.com/reader/ 

Plugin details:

McAfee Security Scanner
File: npMcAfeeMSS.dll
Path: C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMSS.dll
Version: 3.8.141.0
State: Enabled
McAfee MSS+ NPAPI Plugin
MIME Type	Description	Suffixes
application/mcafeeMssPlus-plugin	npMcAfeeMss	


Are there any variations in the plugin file name, MIME types, description, or version from one release to the next?
No

Are there any known security issues in current or older versions of the plugin?
No
Millions of Firefox users have already installed MSS+.  Therefore our plug-in helps prevents unnecessary downloads of our product and streamlines their web browsing experience.
What does the plugin itself do for users or websites?
Flags: needinfo?(shilin_nk)
Role of Plugin :  
NPAPI Plug-in lets Adobe® installers to detect McAfee Security Scan+ software on the PC.

Why MSS+ Plugin can be whitelisted: 
NPAPI plug-in helps Adobe installer page to detect if McAfee Security Scan+ software is installed on the PC. It just satisfies the basic stub plugin implementation for NP_GetEntryPoints/NP_Initialize/NP_Shutdown/NP_GetMIMEDescription.
Only key Implementation is MIME description which returns the name of plugin as application/mcafeeMssPlus-plugin. Considering the functionality of the Plugin described, we are requesting for whitelisting the plugin for now.  

Plan of Action for deprecate Plugin:
Considering Mozilla’s stand on Plugin free browser, McAfee plans to deprecate the MSS+ NPAPI plugin and develop an extension/SDK, which would open up some form of API that allows a page to automatically detect MSS+ on a PC. This plan of action will be executed in 1-2 months of timeframe NPAPI plug-in’s whitelisting.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(shilin_nk)
Whiteboard: application complete
Whiteboard: application complete → application complete - accepted
Builds for testing are now available at http://people.mozilla.org/~bsmedberg/plugin-whitelisting-91f6f3380041/

Please do a QA pass using a new Firefox profile to ensure that the plugin activates without a popup and appears as "Always Activate" in the addon manager. Report back in this bug when QA is complete. Please try to complete QA by the end of this week.
Flags: needinfo?(shilin_nk)
We have completed all testing, whitelisting works as expected.
Flags: needinfo?(shilin_nk)
Whiteboard: application complete - accepted → application complete - accepted - qa complete
Fixed for Firefox 30 beta in bug 992995.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Target Milestone: --- → Firefox 30
MSS itself is vulnerable: see <http://seclists.org/fulldisclosure/2014/Apr/226>
Firefox should not allow its users to infect their PCs with MSS!
Product: Firefox → Firefox Graveyard
You need to log in before you can comment on or make changes to this bug.