Firefox says Plugin "outdated""vulnerable"

DewiMorgan
New Cone
Posts: 2
Joined: 16 Dec 2014 04:22

Re: Firefox says Plugin "outdated""vulnerable"

Postby DewiMorgan » 16 Dec 2014 07:22


Rémi Denis-Courmont
Developer
Posts: 15265
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux

Re: Firefox says Plugin "outdated""vulnerable"

Postby Rémi Denis-Courmont » 16 Dec 2014 09:29

> The fact that they are released separately is not an excuse to do nothing and not increment their version number:
Indeed, it is not an excuse: rather, it is a good reason to do nothing and not increment the version number.

If there was a security issue in VLC 2.1.4, distributions will pick up VLC 2.1.5. They wouldn't pick up a would-be browser plugin version 2.1.5 that is exactly identical to version 2.1.4 other than the version number. And the end result is that Firefox would still fail, at least if/when it gets updated due to whatever reasons (for instance a separate security issue in Firefox itself).
Rémi Denis-Courmont
https://www.remlab.net/
Private messages soliciting support will be systematically discarded

wensveen
New Cone
Posts: 6
Joined: 14 Dec 2014 01:42
Operating System: Windows & Linux

Re: Firefox says Plugin "outdated""vulnerable"

Postby wensveen » 21 Dec 2014 01:05

@DewiMorgan: You *are* a special snowflake, everyone is :)

@RDC:
> And the end result is that Firefox would still fail, at least if/when it gets updated due to whatever reasons (for instance a separate security issue in Firefox itself).
Could you elaborate on this? I don't understand what you mean by failing.

@alfs:
So, let me start with this :)
> *BUT* you are now considering the "branding version" from Microsoft, and your assumption about "a software suite, with all software having the same version" is false.
You got me there. Tried to beat you at your own game, but you were up for it. Shall we call it a draw? :D

I run both Windows 7 and Linux (Debian sid/unstable). I looked at it from both viewpoints. The problem is somewhat smaller on Linux (most distros, probably) because users are used to getting the latest versions through their package managers. I'd trust that over something Firefox/Iceweasel told me (although I'd be sure to update just to make sure). At the moment, in sid, the versions are equal, but I don't know if that's the case everywhere, and whether or not the package maintainers use their own versioning.
In short, I don't think Linux should be something to worry about right now.

Windows, however, is a completely different story. I can't imagine any user on Windows downloading the VLC plugin and VLC program separately. Or updating, for that matter. How would you even know when to update the plugin? (The plugin doesn't do version checks, does it?) So what one does, as a Windows user (including me with my Windows hat on), is to go to videolan.org and download the latest VLC version. The whole of it. Which has, ostensibly, one version number.
> The browser should not care one single bit about other software I am running on my computer except for the browser itself and its plugins.
and
> Why on the earth should Firefox care about which version of VLC (or Libre Office or Adobe Acrobat or whatever) I am running on my computer? I have a system distributor for that (in my case Canonical, providing timely updates to any package I have installed via Ubuntu Software market) *AND* this is the exact reason why VLC media player is checking for new versions at startup just like you point out yourself. I don't want Mozilla to start checking whatever runs on my computer, and I really don't think you do either.
Not everything, no. Just the things that may be involved in running content from the websites I'm visiting, that may or may not be trustworthy. But this is just my opinion. You could argue that you have the same problem when you just download the same movie clip from the website, rather than running it via the plugin, but people are less aware of the content being from an untrustworthy source when it's inside the browser. It's just content, like everything else.
I'm not sure the player does a version check when running content via the plugin? That would help, in any case.

I asked: "What do you do when the plugin has a bug which is fixed? Does the VLC program (and suite) version remain the same?" And from my point of view your answer was unsatisfying. On Linux, I agree, the updated plugin is pushed through via the package manager and everybody's happy. On Windows though, the only way the users are going to get a new plugin version is by downloading vlc-install.exe (vlc-2.5.1-win32.exe). When the version check of VLC player detects an outdated version (does it even detect outdated plugin versions? probably not), you get sent to the download page of the suite. Re-downloading the same installer would be pointless, so we'd have to have a new version of the installer containing VLC player (same version, 2.5.1) and the updated plugin (2.1.4?). Do we need to keep a separate version of the installer? vlc-2.5.1a-win32.exe might work. But it seems convoluted and kind of pointless. OTOH, this scenario is probably less likely to occur.

Consider the following scenario: VLC player version 3.0.0 is installed on a user's computer, alongside some VLC plugin version that is guaranteed to be secure (no updates will ever be made because it's proven to be and stay secure until the end of time). Some bug is found in the player, allowing executables to be executed on the user's computer when they are named virus.exe.avi. An update is made and whenever someone opens the VLC player or clicks a video file in Windows Explorer, thereby opening VLC player, they are warned that a new version is available fixing a critical security issue. Fine, desktop users are happy. But meanwhile, shady websites are putting virus.exe.avi on their pages to be played via the VLC plugin. Users aren't warned by Firefox that a new version of the plugin is available, because there isn't, and on top of that VLC doesn't warn them either because VLC's version check isn't executed either. End result: chaos and mayhem (not necessarily in that order).
To me: "Hey, let's give the plugin the same version of the player so that users can be alerted when a new version of the player is available, even though that is technically slightly incorrect", sounds like a simple solution. If you can convince Firefox to only look at the plugin version, and to get them to acknowledge that this is not the same as the player version. And on top of that make sure the player version check is always run even when content is played via the plugin. That would work for me.

Maybe we should just agree to disagree. In the end, VLC remains a great piece of software. So many thanks to the developers.

myvlc_version
New Cone
Posts: 1
Joined: 01 Jan 2015 12:45

Re: Firefox says Plugin "outdated""vulnerable"

Postby myvlc_version » 01 Jan 2015 12:49

Why doesn't VLC create a fake DLL with the correct version info, 2.1.5.0?

I did, and there are no more notifications from Firefox.
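The check this thread keeps circling reduces to comparing a version string against a blocklist range: that is why the unchanged 2.1.4 plugin in Rémi's post above keeps being flagged next to VLC 2.1.5, and why rewriting the DLL's version resource to 2.1.5.0, as in the post just above, silences the warning without changing a byte of plugin code. The following is an added illustration, not Mozilla's blocklist code and not part of VLC; the blocklist entry, the threshold "2.1.4.9999", the plugin file name npvlc.dll and the simplified four-part numeric version order are all constructed for the example.

```python
"""Model of a purely version-string-based plugin block check.

Added illustration, not Mozilla's blocklist code and not part of VLC.
Assumptions (not from the thread): the block threshold "2.1.4.9999",
the plugin file name "npvlc.dll" and the four-part numeric version
comparison are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

LOWEST = (0, 0, 0, 0)
HIGHEST = (10**9,) * 4


def parse_version(v: str) -> tuple:
    """Split "2.1.5.0" into (2, 1, 5, 0), padding to four parts.

    Only the leading digits of each dotted component are used
    ("2.1.5-git" -> (2, 1, 5, 0)); this is a simplification of real
    toolkit version grammars, not a faithful reimplementation.
    """
    parts = []
    for comp in v.split("."):
        m = re.match(r"\d+", comp)
        parts.append(int(m.group()) if m else 0)
    parts = (parts + [0, 0, 0, 0])[:4]
    return tuple(parts)


@dataclass(frozen=True)
class BlockEntry:
    filename_re: str            # regex matched against the plugin file name
    min_version: Optional[str]  # inclusive lower bound, None = unbounded
    max_version: Optional[str]  # inclusive upper bound, None = unbounded
    status: str                 # what the browser reports, e.g. "vulnerable"


# Constructed blocklist: "every npvlc.dll up to and including 2.1.4.x is vulnerable".
BLOCKLIST = [
    BlockEntry(r"^npvlc\.dll$", None, "2.1.4.9999", "vulnerable"),
]


def check_plugin(filename: str, reported_version: str,
                 blocklist=BLOCKLIST) -> str:
    """Return the block status for a plugin, judged only by file name and version string.

    Nothing about the plugin's actual code is examined; that is the whole point.
    """
    pv = parse_version(reported_version)
    for entry in blocklist:
        if not re.match(entry.filename_re, filename, re.IGNORECASE):
            continue
        lo = parse_version(entry.min_version) if entry.min_version else LOWEST
        hi = parse_version(entry.max_version) if entry.max_version else HIGHEST
        if lo <= pv <= hi:
            return entry.status
    return "ok"


def thread_scenarios() -> dict:
    """The outcomes argued about in the thread, with identical plugin code in
    the first two cases (only the version resource differs)."""
    return {
        # Rémi's case: VLC moved to 2.1.5, the unchanged plugin still reports 2.1.4.
        "unchanged_plugin_2.1.4_with_vlc_2.1.5": check_plugin("npvlc.dll", "2.1.4.0"),
        # myvlc_version's case: same binary, version resource rewritten to 2.1.5.0.
        "same_plugin_relabelled_2.1.5.0": check_plugin("npvlc.dll", "2.1.5.0"),
        # A file the list does not name is never flagged, whatever its version.
        "unlisted_plugin": check_plugin("npother.dll", "0.0.1"),
    }


if __name__ == "__main__":
    for name, status in thread_scenarios().items():
        print(f"{name}: {status}")
```

Both failure modes fall out of the same comparison: a plugin that was never changed is reported as vulnerable because its number sits under the threshold, and a plugin that was never fixed is reported as fine because its number was edited to sit above it. The relabelled DLL therefore suppresses the warning rather than addressing whatever the blocklist entry was meant to cover; the check is a proxy for the code, not an inspection of it.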

John connor
New Cone
Posts: 1
Joined: 17 Jan 2015 14:29

Re: Firefox says Plugin "outdated""vulnerable"

Postby John connor » 17 Jan 2015 14:40

This has been bugging me for a long time with Mozilla saying the VLC web plugin is outdated. I looked at the plugin date and it says from July of last year. I guess this is a Mozilla problem? I shall raise Cain with them then.

robvw
New Cone
Posts: 2
Joined: 17 Feb 2015 18:44

Re: Firefox says Plugin "outdated""vulnerable"

Postby robvw » 17 Feb 2015 20:38

> I guess Mozilla refuses to admit that their version checks are a big failure because they have no other solutions.
What would you have the Mozilla devs do? How do you think they should handle version checking on plugins? Saying "it is not my fault, their design is broken" is easy, but it sounds like an excuse, unless you also explain (roughly; no need to actually implement it) what you think is the correct way (which would let them solve the problem, without you making modifications on your end).

In my opinion, this suggestion by DewiMorgan seems very reasonable:
> 4) I'll release a version 1.0.1 which prevents (or at least warns) users from running it with known-flawed SSL versions, and recommends or requires they upgrade. The browser manufacturers can just check my version number. I acknowledge in this way that it is my responsibility to check that the applications called through me cannot be exploited.
That suggestion doesn't give you any extra work! Inserting those extra checks is a really good idea (or, actually, it's necessary) anyway, especially since you yourself point out how mismatched versions of VLC and the VLC Browser Plugin might get installed. Then when those checks have been inserted, bumping the version number makes a ton of sense; checking for vulnerable dependencies is a new feature.

> Of course, until someone actually files a bug with them, this is only guessing. (I don't use their crap anymore so don't count on me to file a bug.)
With all due respect, don't you think it's rather odd to even have a Firefox plugin, if you outright refuse to use that browser? Why include it in the standard installer if there are known issues, which you won't solve? Wouldn't it make a lot more sense to discontinue the Firefox plugin (or, at least, remove it from the default installation) if this is how you feel about it?

Right now you don't want to update the plugin, but what happens when there's a bug in the VLC core which can only be exploited through the plugin? Would you fix such an issue, or would you also say "let Mozilla fix it" in that case...!?


Don't get me wrong, I really like VLC itself, but now that I've finally bothered looking into these weird errors, I'm not really sure what to think of the VLC Browser Plugin. :(

Rémi Denis-Courmont
Developer
Posts: 15265
Joined: 07 Jun 2004 16:01
VLC version: master
Operating System: Linux

Postby Rémi Denis-Courmont » 17 Feb 2015 20:52

> In my opinion, this suggestion by DewiMorgan seems very reasonable
I don't know and I don't care how reasonable you think it is. It does not make sense: just like Mozilla, it is based on assumptions that are not actually met in reality. This has been explained several times in this very thread already (and at other times in other places).

If you cannot understand or refuse to, then there is no point explaining again.
> With all due respect, don't you think it's rather odd to even have a Firefox plugin, if you outright refuse to use that browser?
No. There are several browsers and I use those I like the best.
> Why include it in the standard installer if there are known issues, which you won't solve?
Some people evidently want to use it. Why would I remove it? What would I gain from removing it?

I won't solve the problem because I cannot solve it. The problem is in Mozilla code that I have neither permission nor competency to fix.
> Wouldn't it make a lot more sense to discontinue the Firefox plugin (or, at least, remove it from the default installation) if this is how you feel about it?
The plugin is not specific to current Firefox versions. It works with any NPAPI-capable browser. Only recent Firefox versions (deliberately) fail to run it.
> Right now you don't want to update the plugin, but what happens when there's a bug in the VLC core which can only be exploited through the plugin? Would you fix such an issue, or would you also say "let Mozilla fix it" in that case...!?
If there is a security bug in the plugin and it gets fixed, the plugin will get a new version number. That version might or might not be higher than 2.1.5 (indeed the next available minor version number is 2.1.4).

robvw
New Cone
Posts: 2
Joined: 17 Feb 2015 18:44

Re:

Postby robvw » 17 Feb 2015 23:18

> The plugin is not specific to current Firefox versions. It works with any NPAPI-capable browser. Only recent Firefox versions (deliberately) fail to run it.
They run it just fine... after you override a security warning.
> It does not make sense: just like Mozilla, it is based on assumptions that are not actually met in reality.
Then explain how you think it should work. Filing a bug report with Mozilla saying "your plugin versioning sucks" is not helpful and is guaranteed to be ignored; to have any chance at all of getting them to change things, we need an alternative. The approach I consider most reasonable (quoted above) you don't like, fine, but then what? Do you want them to completely forget about blocking vulnerable plugins, do you think they should use a method other than version numbers, do you want them to look at the versions of all code a plugin uses...; in a perfect world, what do you want them to do!?

