MozillaZine

Mozilla 1.6 ActiveX Control Installer and Scriptable ActiveX Plugin for Mozilla 1.6 Released

Tuesday January 20th, 2004

Adam Lock writes: "Following in the wake of Mozilla 1.6, I'm happy to announce the release of the new standalone Mozilla 1.6 ActiveX Control installer and the Scriptable ActiveX Plugin for Mozilla 1.6. Both are available from my website.

"New features for the control include support for view-source: and data: protocols, plus it ships with the ActiveX plugin so it is possible to host ActiveX content from inside the control. The installer is slightly smaller (4.5Mb) thanks to bzip2 compression.

"There are no new features in the plugin but Mozilla 1.6 is unencumbered by the regression that disabled scripting support in 1.5."

#1 Flash

by ericdere

Tuesday January 20th, 2004 10:17 PM

Macromedia Flash player still does not work after installing this plugin.

#2 Re: Flash

by locka

Wednesday January 21st, 2004 3:13 AM

You'll have to be more specific - how doesn't it work? Raise a bug, attach a simple example that specifics the OBJECT tag with the CLSID and describe what you see against what you expect to see.

#7 Re: Flash

by ericdere

Wednesday January 21st, 2004 8:17 AM

Flash pages are displayed properly, however links in flash pages do not work. For example:

http://www.sade.com/

Try it with the Fllash pluging: everything works fine. Install ActiveX plugin: only the main page is displayed, URL“s in the page do not work.

#3 Re: Flash

by bugs4hj

Wednesday January 21st, 2004 3:30 AM

How is this related to the ActiveX Plugin for Mozilla?

Are you saying that the Macromedia Flash player no longer works, after you've installed the ActiveX Plugin for Mozilla, or that the Macromedia Flash player never worked for you?

P.s. are you aware of: http://plugindoc.mozdev.org/

#4 Re: Flash

by bugs4hj

Wednesday January 21st, 2004 3:37 AM

How is this related to the ActiveX Plugin for Mozilla?

Are you saying that the Macromedia Flash player no longer works, after you've installed the ActiveX Plugin for Mozilla, or that the Macromedia Flash player never worked for you?

P.s. are you aware of: http://plugindoc.mozdev.org/

#5 Oops

by bugs4hj

Wednesday January 21st, 2004 3:39 AM

Hm, great. I must have clicked the reload button (: Sorry folks.

P.s. no word on security on Adams page. I wonder why...

#6 Re: Oops

by locka

Wednesday January 21st, 2004 6:38 AM

There are plenty of words on security on the plugin page from a technical perspective. Read how many times I talk about activex.js and nsAxSecurityPolicy.js.

However, the default behaviour is to host & script controls marked safe for scripting and to download and offer to install signed controls. All other controls (e.g. those not marked safe) are not hosted. You can change these settings if you like from activex.js which is fully documented. The plugin also honours the IE blacklist as well as allowing you to set up your own blacklist / whitelist.

However, overall I don't think think security is a big deal yet. I'd rather have people exercising the functionality rather than disabling it all by default. I would obviously change the policy if the plugin shipped by default with Firebird / Mozilla. The same thing happened in NS7.1 where the plugin was locked down to host the Windows Media Player control only.

But then again ActiveX security is not what Mozilla users should be worrying about. Ask yourself how many XPI files are signed for example and what a black hat could do with that knowledge if they felt so inclined.

#8 I'll rather pass, and so should other people......

by bugs4hj

Wednesday January 21st, 2004 8:01 PM

"There are plenty of words on security on the plugin page from a technical perspective. Read how many times I talk about activex.js and nsAxSecurityPolicy.js."

You 'obviously' don't care about security YET... That info is way to hard to locate for the average joe user

"But then again ActiveX security is not what Mozilla users should be worrying about. Ask yourself how many XPI files are signed for example and what a black hat could do with that knowledge if they felt so inclined."

Oh perfect, this one is new to me. Hey, I'm not questioning your work, nor should you have to worry about work of add-on/extension writers like me. This is all about evil ActiveX code out on the internet that can harm you anytime.

Security IS a real issue, especially ActiveX related features.

"I would obviously change the policy if the plugin shipped by default with Firebird / Mozilla. The same thing happened in NS7.1 where the plugin was locked down to host the Windows Media Player control only."

Why is that obviously? Why was that done? Remember, we don't have to worry about security, right?

Again, security IS a key factor, at least for me it is, and I'm sure for a lot more other people too.

#9 Signed XPI installation

by bugs4hj

Wednesday January 21st, 2004 8:04 PM

I will bring this up to the mozdev.org project owners, thanks for sharing this.

#10 Re: I'll rather pass, and so should other people..

by locka

Thursday January 22nd, 2004 1:57 AM

It's pretty straightforward - the plugin is used a miniscule fraction of Mozilla users who explicitly want ActiveX support and go to my website and install it. And of those I expect most if not all of them are developers or one kind or another.

Even so, the plugin ships with a reasonable set of security flags (equivalent to Medium in IE) that allow safe for scripting controls and control download & install with signing. The user is prompted by the usual signature checking dialogs during installation. The flags do not allow unsafe controls to run and any controls blacklisted by IE are also excluded. If you don't like these settings, don't install the plugin or change the flags. I'm glad the page is intimidating because I don't care about (or get paid) to support normal users. At this stage I am interested in developer feedback, bug reports etc.

If the plugin ships by default in Mozilla and becomes a 'consumer' distribution the settings will tighten to reflect that. But not until that happens.

A hacker would find it much easier to ship a malacious .xpi or plugin. How hard would it be to write an extension that replaced a DLL, installed a backdoor or submited the wallet data to an #irc channel? Not hard at all. What's more, the Firebird Extension site makes it simple to submit the extension and put it within easy reach of hundreds of thousands of people.

And Firebird users habitually install extensions without a seconds thought. So that's what you should be worrying about. Mozilla / Firebird advocates have traditionally complained about how insecure ActiveX is (trust model etc.) and then go and rely on something even worse. I'm surprised a malacious extension hasn't appeared actually. I'm sure there will be a big flap when it does too.

The situation could be immediately improved if Mozilla mandated signed XPI files. Better yet if certs were easier to get. For example Mozilla.org could hand out certs for a $200 deposit, and would be in an ideal position to revoke them as fast if need be.

ActiveX really is the least of your problems.

#11 Re: Re: I'll rather pass, and so should other peop

by bugs4hj

Thursday January 22nd, 2004 9:12 AM

"A hacker would find it much easier to ship a malacious .xpi or plugin. How hard would it be to write an extension that replaced a DLL, installed a backdoor or submited the wallet data to an #irc channel? Not hard at all. What's more, the Firebird Extension site makes it simple to submit the extension and put it within easy reach of hundreds of thousands of people."

True, that would be very easy...

"I'm surprised a malacious extension hasn't appeared actually. I'm sure there will be a big flap when it does too."

I believe none of the mozdev.org developers will ever do that, but we can't be sure of that, and not every project is hosted on mozdev.org. Thanks God for that. I think this might become a bigger problem when more people start using mozilla as their browser of choice.

Again, this is something we should start worry about now, not when it's already to late...

Thanks for sharing your point of view. We're off topic but this is very important.

/HJ

#12 Problem with Flash Plug-In

by xdc33

Sunday February 1st, 2004 1:03 PM

I'm experiencing exactly the same problem ericdere described with ( Mozilla Firebird 0.7german ). I first installed the Flash Plugin ( 7,0,19,0 ) and it worked perfectly fine. But after installing the latest version of the Active-X Plugin ( post 19/01/2004 ) Adam offers the Links in Flash-Animations stopped working. Removin the npxxx.dll file of the Active-X Plugin from the Plugins-Folder the Flash Plugin worked fine again. I don't know too much about this software, but well this thread started with this question and i think there hasn't been a real answer to it yet ( which will change soon hopefully :)

#13 Re: Problem with Flash Plug-In

by sedination

Sunday February 15th, 2004 4:09 PM

Confirmed. As an example, try the links in the flash menu at www.nhl.com (on the left side of the page). they don't work if you have the activex plugin installed.

#14 Signed XPI's are Possible

by obiwan

Monday June 28th, 2004 11:53 AM

I have submitted an ehnancement bug report to the NSS project to add a new option to signtool that would create valid signed XPI's. Please view the bug report and give your support for the enhancement. Even if the patch isn't from me, we need it. In a world of security and no trust it's hard to get non-techies to use Mozilla as it is and even harder to get some of them to install anything that's not trusted.

#15 oops forgot link

by obiwan

Monday June 28th, 2004 11:55 AM

http://bugzilla.mozilla.org/show_bug.cgi?id=248751