Closed
Bug 828982
Opened 11 years ago
Closed 11 years ago
Plugin block request: Foxit Reader Plugin 2.2.1.530 and below due to critical vulnerability
Categories
(Toolkit :: Blocklist Policy Requests, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: philipp, Assigned: jorgev)
References
()
Details
(Whiteboard: [plugin])
Attachments
(1 file)
86.74 KB,
image/png
|
Details |
according to reports the foxit pdf browser plugin is affected by a highly critical vulnerability which can be exploited to inject malicious code: www.h-online.com/security/news/item/Current-Foxit-Reader-can-execute-malicious-code-1780636.html please consider blocking it up to the latest plugin version 2.2.1.530 in order to protect users...
Comment 1•11 years ago
|
||
philipp, you should have used the link in https://wiki.mozilla.org/Blocklisting#How_to_request_a_block Version 2.2.1.530 is the current version. Plugin name: Foxit Reader Plugin Plugin versions to block: 2.2.1.530 and below Applications, versions, and platforms affected: Windows Block severity: (hard/soft) How does this plugin appear in about:plugins? File: npFoxitReaderPlugin.dll Version: 2.2.1.530 Description: Foxit Reader Plug-In For Firefox and Netscape Homepage and other references and contact info: http://www.foxitsoftware.com/Secure_PDF_Reader/ Reasons: http://secunia.com/advisories/51733/
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hardware: x86_64 → x86
Summary: blocklist npFoxitReaderPlugin.dll due to critical vulnerability → Plugin block request: Foxit Reader Plugin 2.2.1.530 and below due to critical vulnerability
Whiteboard: [plugin]
Assignee | ||
Comment 2•11 years ago
|
||
Staged: https://addons-dev.allizom.org/en-US/firefox/blocked/p263 It is currently staged as a CTP block, but I'm not sure if this is the right UX to provide in this case. I don't know if the PDF download will be triggered, or if the CTP UI will appear. If it doesn't, maybe we should go for a softblock.
Comment 3•11 years ago
|
||
The desired UI is the CTP block. I believe it should work, but QA should verify before we push this live.
Updated•11 years ago
|
QA Contact: anthony.s.hughes → jbecerra
Comment 4•11 years ago
|
||
I've tested this on staging. The block is CTP. When I try to open a PDF file I get the page showing the lego piece and the message saying the plugin has vulnerabilities. About:addons shows the plugin as enabled, but it shows the message that it is known to be vulnerable and to use with caution. If I click through it I can see the document. We can move to production when you are ready.
Comment 5•11 years ago
|
||
Comment 6•11 years ago
|
||
Let's give people on the security-group@mozilla.org mailing list an hour or two to respond with any last minute issues, and then move this to production.
Assignee | ||
Comment 7•11 years ago
|
||
The block is now live: https://addons.mozilla.org/en-US/firefox/blocked/p250
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 8•11 years ago
|
||
This has been verified on production.
Updated•8 years ago
|
Product: addons.mozilla.org → Toolkit
You need to log in
before you can comment on or make changes to this bug.
Description
•