
Forum Thread: Why is IE9 shown vulnerable to a *Mozilla* plugin?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
VideoLAN
And, this specific program:
VLC media player 1.x

This thread has been marked as locked.
msimpson_baymcp Why is IE9 shown vulnerable to a *Mozilla* plugin?
Member 23rd Apr, 2011 08:12
Ranking: 3
Posts: 2
User Since: 24th Mar, 2011
System Score: N/A
Location: US
Under "Secure Browsing" for IE 9, VLC media player 1.x is listed as "Unpatched, no vendor solution".

In fact, there is no VLC media player plugin for Internet Explorer, and there never has been. The Status and Advisory links are directed to the listing about the *Mozilla* plugin.

I've given up on expecting the issue of "detection" of the Mozilla plugin when it is not even installed for Mozilla; that false detection of a non-installed plugin will apparently never be fixed. I've never had the plugin installed, yet PSI always has claimed it is making Firefox "not secure".

But claiming that the same Mozilla plugin somehow also makes IE 9 "Not secure for browsing"? What is THAT?

Did I mention that the plugin is not installed on my system at all anyway?

I'm sure this will somehow be blamed on VideoLAN or Microsoft.

mogs RE: Why is IE9 shown vulnerable to a *Mozilla* plugin?
Expert Contributor 23rd Apr, 2011 10:19
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 23rd Apr, 2011 10:24
Hello.
Have you tried double clicking on the entry in Secure Browsing (tho' there's no + sign on the left of ), after having clicked alongside the main IE/Mozilla entry ..............it should present you with a Quick facts panel which should include details and File Path etc..

Hope this helps........regards,

msimpson_baymcp RE: Why is IE9 shown vulnerable to a *Mozilla* plugin?
Member 25th Apr, 2011 06:46
Score: 3
Posts: 2
User Since: 24th Mar 2011
System Score: N/A
Location: US
Yes, I have tried double-clicking on the program name, and it is not helpful. I know the path/filename/etc. I'm very familiar with the program - enough to know (unlike PSI) that there is no IE 9 plug-in for VLC Media player.

In fact, double-clicking the program takes me to the information about the program itself, and not the plugin, which is yet another misfeature of PSI. I'm glad you mentioned it - it's not really germane - but it is quite misleading that double-clicking at that point on ANY plug-in doesn't tell you about the plug-in itself in cases like this where the plug-in is ancillary to, or an optional feature of, another installed program.

In any case, in the secure browsing page, under the supposed "IE 9 plug-in" for VLC Media Player, I have clicked where it says "Unpatched, no vendor solution", and where it says "SA41810", and both links take me to information about the Mozilla plug-in for VLC Media Player.

So... two issues:

1. There is no IE 9 plug-in, and IE doesn't use the Mozilla plug-in, therefore PSI is falsely reporting that my IE 9 browser is not secure.

2. I don't even have the Mozilla plug-in installed, therefore PSI is also falsely reporting that my Firefox browser is not secure.

My point is: false reporting undermines my confidence in the secure browsing part of PSI, and therefore in PSI and CSI overall. If I can't trust what PSI says about this, how can I trust the other things it reports?

The best thing I can say about this is that it displays a lack of attention to detail.
mogs RE: Why is IE9 shown vulnerable to a *Mozilla* plugin?
Expert Contributor 25th Apr, 2011 09:14
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@msimpson_baymcp

Understandably frustrating. To be clear then...you go to the Secure Browsing feature/page....click on the + sign alongside IE or FF...and in both cases an entry for the VLC plug-in is shown, for both, as vulnerable ? You then click on either/each of the plug-in entries, and a panel appears but with no filepath to : it takes you to info about the program ? Have I got it correct ?
I know there's still outstanding consternation on at least one other thread....where users do have the plug-in....and even so haven't got a resolution.
In my experience if Secunia has detected an insecurity it's usually found something; but obviously; if you can't find the file path...you can't go any further.
I can only think that it's a matter of detection rules being amended. That of course won't be till after the holiday.....when hopefully Support will pick up on this thread.

Anthony Wells RE: Why is IE9 shown vulnerable to a *Mozilla* plugin?
Expert Contributor 25th Apr, 2011 14:30
Score: 2437
Posts: 3,323
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 25th Apr, 2011 14:46
Hi ,

This subject is almost done to death , it just won't lie down .

The default installation of the VLC Player version 1.1.9 is with the "Mozilla Plug-in" not selected but with the "ActiveX" selected , as in for IE , as in the same for Flash Player for example . This is what will be showing/detected by the PSI in IE9 .

The problem of the "secure browsing" detection is a known and accepted bug and cannot be rectified by changing the PSI detection rules at the moment .

Secunia are on record as looking/trying to find a solution :-

http://secunia.com/community/forum/thread/show/737...

Also , try reading here :-

http://secunia.com/community/forum/?forum=2&vendor...

I am unsure why "a" known , established and accepted bug would cause someone to put the whole concept and reliability of Secunia , the CSI , the PSI and the OSI at risk !! Nothing , except death and taxes , is 100% guaranteed , so a little imagination is paramount .

VideoLAN have not fixed the "Mozilla" bug and have/cannot change their bundling , nor do they seem likely to do anything with the "plug-in" saga for the foreseeable future ; probably because they are short of developers as per this and the contained Forum link(s) :-

http://secunia.com/community/forum/thread/show/820...

http://forum.videolan.org/viewtopic.php?f=14&t=877...

Enjoy the Easter break :))

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
This user no longer exists RE: Why is IE9 shown vulnerable to a *Mozilla* plugin?
Member 26th Apr, 2011 08:52
Hi,

The Secure Browsing section is only intended for advanced users. The information presented here can be less "polished" and so may require some technical knowledge to use.

In the case of VLC, it is not possible for the PSI to discriminate on configuration changes. As such, VLC is grouped for both NPAPI and ActiveX (only IE) browsers, because this is the surface it might expose to vulnerabilities.

Hope this helps.
Narration RE: Why is IE9 shown vulnerable to a *Mozilla* plugin?
Member 28th Apr, 2011 18:10
Score: 13
Posts: 9
User Since: 28th Apr 2011
System Score: N/A
Location: AQ
Last edited on 28th Apr, 2011 18:26
[Edit] Actually, I am rescinding what I said here, after reading the links finally provided which show that VideoLAN has let this vulnerability exist since 2008!

In that case, I am happy enough to be warned to the extent that I removed this recent install from my machine, precision errors of reporting or not.

I'd installed it in the first place because of persistent slant that VLC might be more secure than original video players. Clearly not the case, and with all due regard to having a prominent developer leave. Perhaps the issue in gaining another has to do with uncertainty surrounding replicated codecs, etc., which is another question about VLC.

Again (if you read the original comment), Emil, I do appreciate the challenge in what Secunia does, and appreciate what it provides.

Regards,
Clive


© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144