Tor Browser fails to prevent load of a plugin

In TBB 2.2.35-8 a plugin is displayed in Add-ons Manager->Plugins. It's a regression - it never appeared in the previous version (2.2.35-7.1). Screen attached.

OS: Windows 7 SP1

added component::applications/tor browser owner::tbb-team priority::medium resolution::fixed status::closed tbb-firefox-patch type::defect labels

Trac:

Plugins listed in Tor Browser

I have checked TBB 2.3.12-alpha-1 and the plugin isn't loaded there, so only 2.2.35-8 is affected.

Cypherpunks: Is it possible for you to find the full filename for this plugin? Is this the only plugin on your system? It is weird that it got through and nothing else did.

Erinn/Sebastian: Are patches still falling out of random TBB builds? See also #5461 (closed), which looks suspiciously like another case where a patch failed to get applied to production builds.

Trac:
Cc: N/A to erinn, Sebastian

I don't believe so. I checked that TBB and it seems the patches are applied.

Replying to mikeperry:

Cypherpunks: Is it possible for you to find the full filename for this plugin? Is this the only plugin on your system? It is weird that it got through and nothing else did.

No, this is not the only plugin on my system, I have a few others. I used to see this particular plugin listed in Tor Browser's Add-ons Manager before, but it disappeared with TBB 2.2.32-4, now it reappeared in 2.2.35-8. The path is:

C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll

It is described in about:plugins as "Foxit Reader Plug-In For Firefox and Netscape", version 2.1.1.720. It comes with Foxit Reader 5.1.4.0104.

A small update: contrary to alpha-1, TBB 2.3.12-alpha-2 is affected.

Bleh. This is crazy town. Every other build is mysteriously broken? We need #3688 (closed) in a hurry.

However, I don't see any immediate security risk to this plugin, because TorBrowserButton does still set it to disabled.

Thank eris for defense in depth....

(Cypherpunks: My comments about your security risk are provisional. If the Foxit Reader Plugin is malicious, it could still potentially re-awaken itself various ways... But any software on your system can do that).

Replying to mikeperry:

Bleh. This is crazy town. Every other build is mysteriously broken?

I don't think it's every other build or necessarily mysterious -- the major change that happened in both of the versions is Firefox 11. Maybe they changed something about plugin loading that your patch doesn't handle? Or maybe we need to lock it down some more with prefs.js?

Well, guess what - this and #5461 (closed) are not issues anymore in TBB 2.2.35-9. OTOH #4795 (closed) was OK for me in the previous version and now it's broken again. I have a feeling that if you haven't diagnosed any issue, we may revisit this bug some day.

Aaaaand after 10 months of no plugins in about:addons, here we go again, in Tor Browser Bundle 2.3.25-4 for Windows. This time it's not Foxit Reader Plugin - instead, Shockwave Flash 11.6.602.168 appeared in about:addons -> plugins. Can you just put MOZ_CRASH() before any code that attempts to load external plugins? I've been seeing plugins come and go in random versions of TBB for a long time, it's about time for the ultimate solution.

The presence of flash is intentional. It should be disabled, though (unless you got bit by #8312 (closed) and accidentally enabled it).

Trac:
Keywords: N/A deleted, tbb-firefox-patch added

Trac:
Component: Firefox Patch Issues to Tor Browser
Owner: mikeperry to tbb-team

Should be fixed by #10280 (moved), totally.

Trac:
Resolution: N/A to fixed
Status: new to closed

closed

mentioned in issue #5461 (closed)

moved to tpo/applications/tor-browser#5416 (closed)