Opened 8 years ago

Closed 4 years ago

#5416 closed defect (fixed)

Tor Browser fails to prevent load of a plugin

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: tbb-firefox-patch
Cc: erinn, Sebastian
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

In TBB 2.2.35-8 a plugin is displayed in Add-ons Manager->Plugins. It's a regression - it never appeared in the previous version (2.2.35-7.1). Screen attached.

OS: Windows 7 SP1

Attachments (1)

torbrowser-plugins.png (520.9 KB) - added by cypherpunks 8 years ago.
Plugins listed in Tor Browser

Change History (15)

Changed 8 years ago by cypherpunks

Attachment: torbrowser-plugins.png added

Plugins listed in Tor Browser

comment:1 Changed 8 years ago by cypherpunks

I have checked TBB 2.3.12-alpha-1 and the plugin isn't loaded there, so only 2.2.35-8 is affected.

comment:2 Changed 7 years ago by mikeperry

Cc: erinn Sebastian added

Cypherpunks: Is it possible for you to find the full filename for this plugin? Is this the only plugin on your system? It is weird that it got through and nothing else did.

Erinn/Sebastian: Are patches still falling out of random TBB builds? See also #5461, which looks suspiciously like another case where a patch failed to get applied to production builds.

comment:3 Changed 7 years ago by Sebastian

I don't believe so. I checked that TBB and it seems the patches are applied.

comment:4 in reply to:  2 Changed 7 years ago by cypherpunks

Replying to mikeperry:

> Cypherpunks: Is it possible for you to find the full filename for this plugin? Is this the only plugin on your system? It is weird that it got through and nothing else did.

No, this is not the only plugin on my system, I have a few others. I used to see this particular plugin listed in Tor Browser's Add-ons Manager before, but it disappeared with TBB 2.2.32-4, now it reappeared in 2.2.35-8. The path is:

C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll

It is described in about:plugins as "Foxit Reader Plug-In For Firefox and Netscape", version 2.1.1.720. It comes with Foxit Reader 5.1.4.0104.

comment:5 Changed 7 years ago by cypherpunks

A small update: contrary to alpha-1, TBB 2.3.12-alpha-2 is affected.

comment:6 Changed 7 years ago by mikeperry

Bleh. This is crazy town. Every other build is mysteriously broken? We need #3688 in a hurry.

However, I don't see any immediate security risk to this plugin, because TorBrowserButton does still set it to disabled.

Thank eris for defense in depth....

comment:7 Changed 7 years ago by mikeperry

(Cypherpunks: My comments about your security risk are provisional. If the Foxit Reader Plugin is malicious, it could still potentially re-awaken itself in various ways... But any software on your system can do that).

comment:8 in reply to:  6 Changed 7 years ago by erinn

Replying to mikeperry:

> Bleh. This is crazy town. Every other build is mysteriously broken?

I don't think it's every other build or necessarily mysterious -- the major change that happened in both of the versions is Firefox 11. Maybe they changed something about plugin loading that your patch doesn't handle? Or maybe we need to lock it down some more with prefs.js?

comment:9 Changed 7 years ago by cypherpunks

Well, guess what - this and #5461 are not issues anymore in TBB 2.2.35-9. OTOH #4795 was OK for me in the previous version and now it's broken again. I have a feeling that if you haven't diagnosed any issue, we may revisit this bug some day.

comment:10 Changed 7 years ago by cypherpunks

Aaaaand after 10 months of no plugins in about:addons, here we go again, in Tor Browser Bundle 2.3.25-4 for Windows. This time it's not Foxit Reader Plugin - instead, Shockwave Flash 11.6.602.168 appeared in about:addons -> plugins. Can you just put MOZ_CRASH() before any code that attempts to load external plugins? I've been seeing plugins come and go in random versions of TBB for a long time, it's about time for the ultimate solution.

comment:11 Changed 7 years ago by mikeperry

The presence of flash is intentional. It should be disabled, though (unless you got bit by #8312 and accidentally enabled it).

comment:12 Changed 5 years ago by erinn

Keywords: tbb-firefox-patch added

comment:13 Changed 5 years ago by erinn

Component: changed from Firefox Patch Issues to Tor Browser
Owner: changed from mikeperry to tbb-team

comment:14 Changed 4 years ago by cypherpunks

Resolution: fixed
Status: changed from new to closed

Should be fixed by #10280, totally.
