1410169 - Plugin block request: Adobe Flash player version 27.0.0.159 and earlier

Status: RESOLVED FIXED

(Toolkit :: Blocklist Policy Requests, enhancement)

Description

[Jorge Villalobos [:jorgev] (he/him)]

Version 27.0.0.159 and earlier of the Flash plugin are vulnerable and an active exploit exists for them in the wild:

https://helpx.adobe.com/security/products/flash-player/apsb17-32.html

Comment 1

[Jorge Villalobos [:jorgev] (he/him)]

The block is now staged. Bogdan, can you please test and then ping :TheOne to have it deployed? (I'll be traveling tomorrow)

Comment 2

[Jorge Villalobos [:jorgev] (he/him)]

Since this only affects ESR and Flash blocks are simpler now, let's skip the QA step. Sorry for the noise. Andreas, please push this block live.

Comment 3

[Andreas Wagner [:TheOne] [use NI]]

The block is now live.

Comment 5

[Tom_L_Martin@hotmail.com]

Based on the link initially provided, heavyoak is evidently the retarded element because even Adobe indicated that there is a security flaw in their product - which they fixed.  Amazingly complex software is never completely perfect, issues do creep in because it is simply unavoidable.

That said, there is still possibly a substantial problem with Firefox.  The Flash version that has an issue is 27.0.0.159 and earlier.  I updated to the most recent version provided, 27.0.0.187, which resolves the security issue reported by Adobe.  This should, presumably, resolve the Firefox conflict.  Unfortunately, according to the Firefox plug-in manager, it is only checking against version 27.0 r0, which means that it is not verifying the deeper version number - and in fact, declares it to still be 27.0.0.130 even though the dll is recognized as .187 which is safe.

Either Adobe mislabeled their version number in the installation process (pretty unlikely) or FireFox is not evaluating version numbers deeper than two iterations (which seems more likely).  This should be addressed for numerous reasons, not just to handle Flash - which is still a major requirement for MANY web apps.  I do understand that Flash is going to die at some point in the future (even according to Adobe), but insufficient version handling is still a problem for Firefox AND there is still a huge array of games and tools out there that are current products relying on a current version of Flash that is still maintained by Adobe.  Simply blocking it despite fixes by the other company hampers Mozilla users unnecessarily.  Please take this into account and address this quickly.

And yes, it still happens in Quantum.

Comment 6

[donmontalvo]

When a user hits "Allow and remember...", it comes up after every relaunch.

Where can I post for feedback on how to stifle this block for all our thousands of users?

Reason, updates to Adobe Flash have to go through a stringent Change Control process in enterprise, so we can't update yet.

TIA,
Don

Comment 7

[Ewan Higgs]

FF 58.0.2: going to Add-ons Manager, I'm told that "Shockwave Flash is known to be vulnerable and should be updated. [Update Now]". But when I click "Update Now" the resulting page is blocked because it has Flash content on it! This is not a useful interaction since I'm told to update but the update page is blocked.

Current flash version is 21.0.r0.

Comment 8

[Jorge Villalobos [:jorgev] (he/him)]

Plugin blocks should link to https://get.adobe.com/flashplayer/, which doesn't require Flash to work.