dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
5991

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

4 edits

1 recommendation

Davesnothere

Premium Member

[Extension] FireFox 52.9.0 ESR Disables Flash Video Downloader Extension

 
This version of FF and the FVD extension Version 16.3.7 had been getting along fine since January 26 of this year, when I had last updated and confirmed the operation of FVD, an extension which I and many others have used and trusted for years upon years.

Suddenly, the other day, amid all of the kerfuffle about a newer FireFox version disabling extensions en masse, I get a message after launching the browser, and without trying to use the extension in that session.

It said that the extension had been disabled due to security, stability, or performance reasons (did not specify which at that point), and suggested that I exit and restart FF.

I dismissed the message, but not before following and reading a series of linked pages, which I will present next below :

»blocked.cdn.mozilla.net/ ··· 073.html

»bugzilla.mozilla.org/sho ··· =1549444

»github.com/mozilla/addon ··· ues/1026

I have [also been using] other extensions which can do the same job as FVD (sometimes better, depending upon which browser and which versions of the browser and those other extensions), but thought that I would report what had occurred, since FVD is a popular addon, and as this had happened due to a different issue than a bug in FireFox 66.

The reason as explained seems logical, and in this case, Mozilla may have done a good thing, reacting quickly to a reported concern.

FWIW, the alleged [mis]behaviour of the extension had not yet inflicted itself upon me and my portable edition of FF 52.9.0 ESR.

therube
join:2004-11-11
Randallstown, MD

4 edits

therube

Member

So 16.3.7 worked in FF 52?
Was 16.3.7 a webextension extension?

Since Mozilla vanquishes everything related to blocked extensions, it's hard to know anything more then tidbits about what was.

This is only too funny :lol:.
quote:
The addon has been added to the repository under the new name:
»addons.mozilla.org/pl/fi ··· nloader/

I believe this is not safe to use it?
And it is still there, on AMO - they have not pulled it yet.

And it has 3999 "users" & 39 reviews, most glowing , 3.8 stars, yeah baby!

And, as usual, unless/until someone points it out to Mozilla, they are clueless.
Anything & everything.
quote:
Mozilla may have done a good thing
After the fact, of course.
quote:
reacting quickly to a reported concern.
Eh, quickly would have not had the situation occur at all.
Anything they do is only reactionary (IOW, meaningless).
Frodo
join:2006-05-05

1 edit

1 recommendation

Frodo

Member

I read:
quote:
I forgot to add: I have reviewed the code and found that it executes remote code, as explicitly forbidden by Mozilla's add-on policies.

Edit: And I see this:
»github.com/mozilla/addon ··· ues/1026
quote:
Flash Video Downloader (FVD) Installs .EXE to Modify Own .XPI with Possible Malware


Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

Davesnothere to therube

Premium Member

to therube
said by therube:

So 16.3.7 worked in FF 52?

Was 16.3.7 a webextension extension?....


Yes, those versions played nice until this issue presented itself.

I'm not sure whether it is a webextension extension, but I checked and noticed that it does NOT contain an 'install.rdf' file inside of the XPI.

I have not paid much attention to WE addons, nor do I plan to, if I can get away with it.

I/you could try to install FVD 16.3.7 into some other Moz browsers and see what happens, and what error msg is issued if it fails to install.

As for reactionary, what I observed is a lot more than we have seen from Microsoft on some occasions.
Davesnothere

2 edits

Davesnothere

Premium Member

said by Davesnothere:

....I/you could try to install FVD 16.3.7 into some other Moz browsers and see what happens, and what error msg is issued if it fails to install....


FOLLOWUP :

On attempt to manually install FVD 16.3.7 from the same offline XPI file from which I originally successfully installed it to FF 52.9.0 ESR, here are some responses :

Pale Moon 25.8.1 delivers a failure message calling the extension 'corrupt'.

New Moon 28.0.0.b5 [Roy Tam XP/Vista build] explicitly says that it cannot install it because it is a webextension extension and those are not supported.

SeaMonkey 2.40.0 refuses to install it, stating a "high risk of insecurity or instability" (very similar to the message delivered by my FF 52.9.0 ESR when it disabled the same already installed extension the other day).
tlbepson
Premium Member
join:2002-02-09
dc metro

1 recommendation

tlbepson

Premium Member

davesnothere:
>>Pale Moon 25.8.1 delivers a failure message calling the extension 'corrupt'.

Just in case the addon has indeed become corrupted, you might take a look at the following which has lots and lots and lots (probably not all but close to) FF's addons: »legacycollector.org/fire ··· -addons/

If you do a page find (ctrl-f) on "flash video downloader" (no quotes), it's listed and you could see if this "fresh" version might work?



Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

1 edit

1 recommendation

Davesnothere

Premium Member

said by tlbepson:

....Just in case the addon has indeed become corrupted....


Thanks, but nope.

I have seen that message before from Pale Moon of that vintage and older, because it doesn't seem to know what a WebEx extension is.

The only corruption might be motive of the extension's author, if Mozilla is correct about what they were trying to do in their code.

All of the error messages from those 3 browsers make sense to me, given their ages and versions.

Around the same week as I put it into FF 52.9.0 ESR, I installed that same extension into another Roy Tam XP/Vista rebuild of the Pale Moon variant called Basilisk.

I will test that next and post another update.
tlbepson
Premium Member
join:2002-02-09
dc metro

tlbepson

Premium Member

davesnothere:
>>Thanks, but nope.

Good thing I didn't hold my breath...'-}}



Are any of the other video handling addons in that legacy list useful to you at all as a substitute?



Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

4 edits

1 recommendation

Davesnothere

Premium Member

 
UPDATE :

Roy Tam's Basilisk XP/Vista build has not rejected the already installed FVD 16.3.7, and the extension still functions, at least on any web pages which allow it to do so.

Why no rejection, you may ask ?

MY theory is that Basilisk in general (not just Tam's rebuild) does not talk to Mozilla's servers [any more, or mayhaps it never did].

The proof of this is that some other extensions which I have in that browser are saying "No Updates Available" when I ask to check, though I know that updates for at least a couple are in fact available and are compatible with Basilisk.

Furthermore, an Extension from a PM dev DID offer and successfully delivered an update, i.e. Justoff's 'Classic Add-ons Archive'.

I'm not sure whether official builds of newer Pale Moon talk to Mozilla's servers, as I do not run an OS which supports newer PM, but based on the message from SeaMonkey, I would say that SM still does.
Davesnothere

1 recommendation

Davesnothere to tlbepson

Premium Member

to tlbepson
said by tlbepson:

....Are any of the other video handling addons in that legacy list useful to you at all as a substitute?


I have some faves already, but will check - Thanks.

therube
join:2004-11-11
Randallstown, MD

1 recommendation

therube to Davesnothere

Member

to Davesnothere
SeaMonkey does not support webextensions.
Nor does Pale Moon.

Basilisk may have had some support - in earlier versions, but going forward, that has/will end.
RT's builds, I'm not familiar with, so he may still have some support for webextensions (sounds like it).

It's not unusual for a general "corrupt" message to come up on an extension install failure.
Trying to add a webextension into a browser that does not support webextensions will always report that.
therube

therube

Member

quote:
Was 16.3.7 a webextension extension?

Yes.
therube

3 edits

1 recommendation

therube to Davesnothere

Member

to Davesnothere
quote:
MY theory is that Basilisk in general (not just Tam's rebuild) does not talk to Mozilla's servers [any more, or mayhaps it never did].

The proof of this is that some other extensions which I have in that browser are saying "No Updates Available" when I ask to check, though I know that updates for at least a couple are in fact available and are compatible with Basilisk.

Furthermore, an Extension from a PM dev DID offer and successfully delivered an update, i.e. Justoff's Classic Extension Archive.

I'm not sure whether official builds of newer Pale Moon talk to Mozilla's servers, as I do not run an OS which supports newer PM, but based on the message from SeaMonkey, I would say that SM still does.
Updating & blocking are two different things.

As Mozilla deleted all non-webextension extensions (aka "Legacy") you will never find updates for legacy extensions (to a Mozilla server) from a (Mozilla) update check.

Legacy extension that do continue to update, have to come from somewhere else. Like NoScript comes from "https://secure.informaction.com/download/classic/?v=5.1.9rc1".

Blocking is done via "block lists".

If you are so inclined :evilgrin: to use your old version of FVD, seemingly you could set (an older/original copy of) blocklist.xml to read-only, hidden, system, which it seems is sufficient to cause it to not update, & by not updating it does not know that FVD is malicious, so continues upon its' malicious nature . (You will get, blocklist.xml.tmp & blocklist-addons.json & blocklist-plugins.json, but FVD will still continue to function.)

So check your various browser profiles for the timestamp of blocklist*.*.
If they are not current (like FF 52 ESR ships with a version from June 2018 - when it was last released), then you are leaving yourself open to vulnerabilities - like from FVD.

Oh, I forgot, but having set xpinstall.signatures.required;false in pref.js may be integral in having this "work".
therube

therube

Member

Ha!

If one is into "numbers", when looking at Addons Manager, one might have caught that a particular extension "updated".

But as Mozilla deemed it unnecessary (a hindrance, I guess) to display an extensions version number in Addons Manager (summary page), that avenue of detection is gone.

Instead, all you know is that you have "Flash Video Downloader" installed.
And so a silent, malicious update remains, silent & malicious.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

1 edit

Davesnothere

Premium Member

said by therube:

....Mozilla deemed it unnecessary (a hindrance, I guess) to display an extensions version number in Addons Manager (summary page), that avenue of detection is gone....


In any of my browsers which natively do not display the versions of addons, I installed an addon 'Add-ons Manager - Version Number', which lets that info revert to showing, written by Aris, the author of CTR.

Version 1.3.1 of this is currently working fine in my SeaMonkey 2.40.0 Portable Edition.

I think that for FireFox, the more recent versions of CTR have also integrated this capability.
Davesnothere

Davesnothere to therube

Premium Member

to therube
said by therube:

SeaMonkey does not support webextensions.
Nor does Pale Moon.

I figured as much, but as I illustrated upthread, they each have different ways of indicating this.
 
said by therube:

Basilisk may have had some support - in earlier versions, but going forward, that has/will end.
RT's builds, I'm not familiar with, so he may still have some support for webextensions (sounds like it).

There has been some discussion over at MSFT in Tam's thread, regarding whether or not he can and will try to keep WebEx support in his builds of Basilisk after Moonchild drops it from the 'official' releases of that app.

I should check back to see how that is going.
 
said by therube:

It's not unusual for a general "corrupt" message to come up on an extension install failure.
Trying to add a webextension into a browser that does not support webextensions will always report that.

Not always.

Again, as I posted upthread, 3 different browsers had 3 different narratives upon refusing to allow a WebEx extension to install, and only one of those 3 was explicit and clear as to the reason.
Davesnothere

1 edit

Davesnothere to therube

Premium Member

to therube
said by therube:

....Blocking is done via "block lists".

If you are so inclined :evilgrin: to use your old version of FVD, seemingly you could set (an older/original copy of) blocklist.xml to read-only, hidden, system, which it seems is sufficient to cause it to not update, & by not updating it does not know that FVD is malicious, so continues upon its' malicious nature . (You will get, blocklist.xml.tmp & blocklist-addons.json & blocklist-plugins.json, but FVD will still continue to function.)

So check your various browser profiles for the timestamp of blocklist*.*.
If they are not current (like FF 52 ESR ships with a version from June 2018 - when it was last released), then you are leaving yourself open to vulnerabilities - like from FVD....


Thanks for the tip on that.

I will check my installs and report back.

So I guess that if I took a computer offline, did a fresh install of a portable Moz browser, and then tried to install a questionable (listed as blocked, but not necessarily WebEx) extension into it, I would initially succeed, but then it would fail (actually become blocked) when I took the computer back online and the local blocklist became updated, yes ?

therube
join:2004-11-11
Randallstown, MD

therube to Davesnothere

Member

to Davesnothere
(
quote:
Version 1.3.1 of this is currently working fine
add_ons_manager_version_number-1.5-fx+sm+tb.xpi, for whatever the difference may be.
quote:
in my SeaMonkey 2.40.0
/seamonkey/releases/2.49.4/
or better
WG9s SeaMonkey 2.49 Builds

Imagine for "portable" you can simply replace the /bin/ directory with newer, kind of thing.)

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

3 edits

Davesnothere

Premium Member

said by therube:

....Imagine for "portable" you can simply replace the /bin/ directory with newer, kind of thing....


I have a feeling that you're correct, but usually I do a fresh install of a new portable offering when available, and then copy my extensions, custom CSS, places, and sessionstore files across from their relative positions in my existing install.

In the past, I sometimes was successful at asking portable installs to seek an in-place upgrade, or overwriting them from the installer of the newer version, but for how infrequently I update any more, a fresh install is not much more work.

That all said, last year with Pale Moon Portable, I was successful at emptying the folder tree containing the main app, and copying in the equivalent tree from Roy Tam's New Moon distribution archive, and having it function as it should as a portable, when launched from the existing portable launcher executable.

Roy did not bother to create a specific portable version (his primary objective was OS compatibility), and someone else (I think at MSFN) either suggested that idea, and/or tried it before I did.

As for SM 2.49.4, I did try it when it was released (portable of course), and it did not behave properly on a site which is important to me, so I returned to the newest version which did, which was 2.40.0
tlbepson
Premium Member
join:2002-02-09
dc metro

tlbepson

Premium Member

davesnothere:
>>I do a fresh install of a new portable offering when available, and then copy

Me too...I like having the older versions around to use when I need an extra browser session to check on something while working in another browser. Also, while I don't consider myself an eary adopter of new browser versions, installing to a new folder semi-sandboxes if things go off-kilter with the new for any reason.

I did just recently--as in the last few days--create a new desktop folder and dragged my old PM's and FF's portables shortcuts that I've not used in a while to sort of tidy up the desktop browser clutter which left me with 2 FF portable versions and 4 PM portable versions still on the desktop--I do use each of them with some regularity for different recurring online tasks.



Anon799e3
@77.64.254.x

Anon799e3

Anon

So is there any option to work with Flash Video Downloader in Firefox again or not? I am no IT expert but very interested to know because I have been loving and using this Addon for many years.

therube
join:2004-11-11
Randallstown, MD

therube

Member

If you can trust something that in not trustworthy, sure go ahead.
(And I'm not just talking about FF itself.)

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

4 edits

Davesnothere to Anon799e3

Premium Member

to Anon799e3
said by Anon799e3 :

So is there any option to work with Flash Video Downloader in Firefox again or not?

I am no IT expert but very interested to know because I have been loving and using this Addon for many years.


Me too, and your post prompted me to do an online search for that name.

Bing gave me a link to an invalid AMO page where it looks like FVD used to be available.

I searched again, this time ON the AMO site, and got this next page, created only a couple of days after they had added the 'old' FVD to the blocklists for FireFox and SeaMonkey.

(To TheRube : Yes, I checked those files in my local portable installs of those browsers last night, and found that new entries for the 'old' FVD had indeed been added to the blocklist files of both my FF and my SM, at about the date/time that I had noticed my issue.)

Here is the new AMO page for FVD :

»addons.mozilla.org/en-US ··· c=search

It has a new author associated with the add-on, and disavows (makes no reference to) the previous add-on of that name, nor its author.

Obviously the new FVD is a WebEx extension, as AMO hosts nothing else anymore.

AMO says that it is compatible with FF 50+

I successfully installed it to my FF 52.9.0 ESR Portable, after first removing the older FVD which FF had disabled and restarting FF.

It looks to be the same extension, it seems to work OK at YouTube, and seems to have removed the functions to which Mozilla had originally objected in the 'old' FVD.

Here is a page where I tested it :

»www.youtube.com/watch?v= ··· youtu.be

therube
join:2004-11-11
Randallstown, MD

4 edits

therube

Member

quote:
So is there any option to work with Flash Video Downloader in Firefox again or not?
You could use an older, unbanned, version of FVD - presumably not malicious :cough: & set it to not update.
(The guy [Dan] who found all this even has a copy of v16.2.9, which presumably is unmodified & presumably will install?
A valid signature should confirm that it is valid. Oh, but wait, hasn't it now been determined that that is immaterial. Isn't that the whole point.)

Or, you could look at things... & ponder...

Day 1, "Flash Video Downloader" (FVD) by artur.dubovoy@gmail.com is banned
("Autor dodatków" means "Add-ons developer", in Polish.)
Day 2, "Flash Video Downloader" by "Donald" (ductloanphuok@gmail.com) magically appears
(Donald's "home page", is fflashgames.com - if you want to play a game :irony:?)

Now, given the license, there is probably nothing wrong with "Donald" taking "artur's" code & doing whatever he wants to do with it, but really?

Much of the (basic) code (files) is identical.
The .js code (the actual meat & potatoes) is more "obscured" in Donald's version.
(Code is a single [long] line. Nothing wrong with that, but it makes it harder to compare [say against artur's code].)
quote:
It looks to be the same extension ... and seems to have removed the functions to which Mozilla had originally objected in the 'old' FVD.
And you know this how?
quote:
Anything & everything.
Mozilla allows anything & everything.
They check nothing. They do nothing - unless its pointed out to them.
Donald could be found malicious, today, & Duck will magically have a new extension up there tomorrow - probably called "Flash Video Downloader".

No. I would not touch "Flash Video Downloader" by artur or Donald or Duck with a 10' pole.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

4 edits

Davesnothere

Premium Member

said by therube:

quote:
It looks to be the same extension ... and seems to have removed the functions to which Mozilla had originally objected in the 'old' FVD.
And you know this how?...


I don't.

However, the extra buttons in the download dialogue popup (leading to the opportunity to download and install other software [FFMPEG or similar, as had been bundled with FVD for several previous versions] to convert/combine separate audio and video streams) are now gone, leaving only the buttons for direct downloading of the natively combined streams currently being offered by YouTube, which are 360p and 720p in MP4, and 360p in WebM, at least in the example which I linked, which I had used to perform my test of the new 'Donald' edition of FVD.

According to the pages to which I linked early during this topic, the presence of those extra buttons was one of the two problems leading to AMO banning the 16.3.x versions of FVD, the other allegedly being self-updating of the FVD addon itself by alternate direct internal method, to a version not yet approved by AMO.

= = =

BTW, if you open the XPI for the Donald version of FVD, and then open the manifest file within, it contains a different website URL than that game place which is linked from the new AMO page, and the line of code reads :

"homepage_url": "http://www.fvdmedia.com/"

This might only be something which Donald (et al) overlooked or did not bother to change, because at least some of the help found there is specific to earlier recent FVD versions which bundled FFMPEG.

How any of this translates into trustability, I do not know for sure, but there ARE other addons (and standalone websites running scripts) which can do for me what FVD did, while running one Mozilla-based browser or another.
Davesnothere

2 edits

Davesnothere

Premium Member

 
UPDATE :

The 'Donald' version of FVD (aka 6.3.10 or 6.3.11) seems to also have been removed from the AMO site - The link in my earlier post is now bad.

I have searched and found no mention anywhere of a reason, and this version still seems to work as it should on my FF 52.9.0 ESR.

The blocklist files in my install of that browser have today's date, but the browser has not rejected the FVD 6.3.11 addon.

therube
join:2004-11-11
Randallstown, MD

1 recommendation

therube

Member

quote:
UPDATE :

The 'Donald' version of FVD (aka 6.3.10 or 6.3.11) seems to also have been removed from the AMO site - The link in my earlier post is now bad.

I have searched and found no mention anywhere of a reason
Same (non-)conclusion I've been able to come up with.
But then that is Mozilla in its' "openness".
stander
join:2019-05-23
Parkville, MD

stander to Davesnothere

Member

to Davesnothere
It would seem that the FVD version added to an older FF profile remains intact and perfectly usable as long as I remember to turn off auto updates in FF before I open that profile. Do I dare use it? Seems to be a difference of opinion in this thread.

Davesnothere
Change is NOT Necessarily Progress
Premium Member
join:2009-06-15
Canada

1 edit

Davesnothere

Premium Member

said by stander:

It would seem that the FVD version added to an older FF profile remains intact and perfectly usable as long as I remember to turn off auto updates in FF before I open that profile. Do I dare use it? Seems to be a difference of opinion in this thread.


No disrespect intended to anyone, but if you have version 16.2.9 or lower of FVD, and do what you said, even with a new profile, I would say fair enough.

I regard Mozilla's own recent conduct in general as a larger evil.

I am currently using the Donald version 6.3.11 of FVD at my own risk, and it has behaved as I described above, and so far not blocked by Mozilla in my browser.

I have the file to install 16.2.7 and some earlier versions, but have been too lazy to bother.

Generally speaking, a newer version of this type of extension has more success in capturing SOME video file to download if it is YouTube, as Google regularly keeps changing how that site works.
Davesnothere

Davesnothere

Premium Member

said by Davesnothere:

....I am currently using the Donald version 6.3.11 of FVD at my own risk, and it has behaved as I described above, and so far not blocked by Mozilla in my browser....


UPDATE :

I stopped bothering for a while, but last night, I checked for updates of addons in the browser where I have the Donald edition of FVD installed (FF 52.9.0 ESR Portable), and it offered me an update.

I checked at AMO, and the above-linked page for that version is once again active, offering me the same version as the Addons Manager is.

Here is the 'all versions' page for Donald's FVD at AMO, now showing only the newest 6.3.14 version.

»addons.mozilla.org/en-US ··· ersions/

I'll be testing the latest version 6.3.14 and will report back....