Closed Bug 1010132 Opened 6 years ago Closed 6 years ago

Flash 13.0.0.206 shown as up to date

Categories: Websites :: plugins.mozilla.org, defect, P1
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: espressive, Assigned: espressive
Whiteboard: [kb=1396300]
Attachments: 13 files

Flash 13.0.0.206 shown as up to date even though it is known to be vulnerable. Detection is correct on release versions and other browsers but, incorrect on Fx beta and up.
(In reply to Schalk Neethling [:espressive] from comment #0)
> Flash 13.0.0.206 shown as up to date even though it is known to be
> vulnerable. Detection is correct on release versions and other browsers but,
> incorrect on Fx beta and up.

seems to work on windows 10.7 and very latest debug build from m-c at least
also works on ubuntu, with the caveats we are aware of with regards to flash detection on linux. So, the users this affects are Mac users using Fx Beta or newer.

I have implemented a fix and this will be pushed live later today.
"Fx29-0-1-about-addons.jpg"

Firefox 29.0.1, 4 Plugins.
Test done on 2014-05-14 (14 May 2014).
about:addons

Tab shows 4 plugins.

I am going to attach several (seven) screenshots to illustrate the
'plugincheck service' as seen today.

All tests on Windows 7 (64 bit OS) with 32 bit Firefox / Aurora.

I do NOT get exactly the same result as Schalk Neethling.


See also:
"update flash for 13.0.0.214" bug 1010085

Where Carsten Book updated the plugincheck database.

DJ-Leith
"Fx29-0-1-plugincheck.jpg"

Firefox 29.0.1, 4 Plugins.
Test done on 2014-05-14 (14 May 2014).

Used the link (in about:addons) to do Plugincheck.
At en-GB version of Plugincheck.
Flash is NOT correct (see next Tab - in comment # 5).

This PC has Flash 13.0.0.206 installed.
APSB14-14 indicates that we should update to 13.0.0.214.

"Adobe has released security updates for Adobe Flash Player 13.0.0.206 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.356 and earlier versions for Linux. ..."

Adobe Security Bulletin
Security updates available for Adobe Flash Player

Release date: May 13, 2014

Vulnerability identifier: APSB14-14

http://helpx.adobe.com/security/products/flash-player/apsb14-14.html


This screenshot *does* show that "Unknown Plugins" are being 'detected'.
Good, how it has been for several years.

I am still keen that you keep bug 965812
(RFE an "About plugincheck" page, visible from plugincheck)
under review as it is helpful to be informed about "Unknown" plugins.

See comment # 7 - where there are NO "Unknown" plugins.

This screenshot is NOT the situation as described by Schalk Neethling in comment # 0.

(In reply to Schalk Neethling [:espressive] from comment #0)
> Flash 13.0.0.206 shown as up to date even though it is known to
> be vulnerable. Detection is correct on release versions and other
> browsers but, incorrect on Fx beta and up.

This is Release.

DJ-Leith
"Fx29-0-1-flash-about.jpg"

Firefox 29.0.1, 4 Plugins.
Test done on 2014-05-14 (14 May 2014).

Using Adobe's check page at http://www.adobe.com/software/flash/about/
This shows that Flash should be 13.0.0.214.

So Adobe's web site is OK.
Firefox 29.0.1 and plugincheck (as on comment # 4) is NOT OK.

BUT, see also comment # 9 - below - where it was OK (several hours later).

DJ-Leith
"Fx31-about-addons.jpg"

Firefox Aurora 31.0a2 (2014-05-13), 4 Plugins.
Test done on 2014-05-14 (14 May 2014).
about:addons

DJ-Leith
"Fx31-plugincheck.jpg"

Firefox Aurora 31.0a2 (2014-05-13), 4 Plugins.
Test done on 2014-05-14 (14 May 2014).

Only 3 'reported on'.  There are no "Unknown" plugins.

FYI, I also - using about:config - changed
"plugins.enumerable_names" to "*" but this did NOT 'detect more plugins'.
There are (as I expect - see bug 965812) NO "Unknown" plugins.

I think, this result *MIGHT* be using the 'new plugincheck service' that
Schalk has been working on [1] because the Adobe Acrobat is being detected as
"Adobe Acrobat NPAPI Plug-in".
On Fx 29.0.1 (see comment # 3) it is detected as "Adobe Acrobat".
In reality there is only ONE Plugin (both browsers are on the same PC).

[1] "Publish JSON list of all plugins for use on /plugincheck" (bug 956905)
went live on 2014-05-12.


The Flash plugin is correctly identified as "vulnerable" (see next Tab in comment # 8).

This screenshot is NOT the situation as described by Schalk Neethling in comment # 0.
(In reply to Schalk Neethling [:espressive] from comment #0)
> Flash 13.0.0.206 shown as up to date even though it is known to
> be vulnerable. Detection is correct on release versions and other
> browsers but, incorrect on Fx beta and up.

Here, in Firefox Aurora 31.0a2 (2014-05-13) 'detection is correct'
(which is good) but this bug is about being unable to correctly detect on 
> ... incorrect on Fx beta and up

DJ-Leith
"Fx31-flash-about.jpg"

Firefox Aurora 31.0a2 (2014-05-13), 4 Plugins.
Test done on 2014-05-14 (14 May 2014).

Using Adobe's check page at http://www.adobe.com/software/flash/about/
This shows that Flash should be 13.0.0.214.

DJ-Leith
Thanks for all of the comments DJ, it seems that there are a bunch of differences seen by different people on different OS, browsers, plugin version combinations. I am in the process of configuring different OS instances to test all of the different scenarios.
"Fx29-0-1-plugincheck-v02.jpg"

Firefox 29.0.1, 4 Plugins.
Test done on 2014-05-14 (14 May 2014).

On doing a plugincheck again (several hours later) the 'plugincheck service' has been updated and now Flash 13.0.0.206 is correctly being detected as "vulnerable": very good.

This screenshot does show that "Unknown Plugins" are being 'detected'.
Good, how it has been for several years.

So, now closer to comment # 0.
(In reply to Schalk Neethling [:espressive] from comment #0)
> Flash 13.0.0.206 shown as up to date even though it is known to
> be vulnerable. Detection is correct on release versions and other
> browsers but, incorrect on Fx beta and up.

I wonder if it takes some time for the 'update of the database',
"update flash for 13.0.0.214" bug 1010085,
to 'propagate through *all* of the plugincheck service'.
I imagine there are many 'virtual web sites' and / or 'load balancers'.


Summarising comments # 3 to # 9.

I have seen BOTH
Fx 29.0.1 'detect and say "Up to Date" *IN ERROR* Flash 13.0.0.206 (comment # 4). 
Fx 29.0.1 'detect and report as "vulnerable" Flash 13.0.0.206' (comment # 9).

I have also seen
Fx 31 'detect and report as "vulnerable" Flash 13.0.0.206' (comment # 7).

I hope you find the pictures useful.

I am still keen that you keep bug 965812 under review.

DJ-Leith
(In reply to DJ-Leith from comment #3)
> Created attachment 8422406 [details]
> Fx29-0-1-about-addons.jpg
> 

hm i cannot reproduce this.

Just tested a new Win7 System with Firefox 29

.206 Flash -> marked as vulnerable
.214 -> up to date

maybe a problem of Fx 29 vs 29.0.1 ?
(In reply to Schalk Neethling [:espressive] from comment #9)
> Thanks for all of the comments DJ.

You and Carsten are welcome.  I appreciate all the hard work at your end!

(In reply to Carsten Book [:Tomcat] from comment #11)

> (In reply to DJ-Leith from comment #3)
> > Created attachment 8422406 [details]
> > Fx29-0-1-about-addons.jpg
> 
> 
> hm i cannot reproduce this.
> 
> Just tested a new Win7 System with Firefox 29
> 
> .206 Flash -> marked as vulnerable
> .214 -> up to date
> 
> maybe a problem of Fx 29 vs 29.0.1 ?

Carsten, see "Fx29-0-1-plugincheck-v02.jpg" - comment # 10
https://bug1010132.bugzilla.mozilla.org/attachment.cgi?id=8422417

> "Fx29-0-1-plugincheck-v02.jpg"
> 
> Firefox 29.0.1, 4 Plugins.
> Test done on 2014-05-14 (14 May 2014).
> 
> On doing a plugincheck again (several hours later) the 'plugincheck service' has been updated
> and now Flash 13.0.0.206 is correctly being detected as "vulnerable": very good.

So, I *also* got
> .206 Flash -> marked as vulnerable
when I did the plugincheck again. It was several hours later.

However, it *might* be Fx 29 vs 29.0.1.

I speculate that it is more likely to be the time needed to
'propagate [changes] through *all* of the plugincheck service'.

> So, now closer to comment # 0.
> (In reply to Schalk Neethling [:espressive] from comment #0)
> > Flash 13.0.0.206 shown as up to date even though it is known to
> > be vulnerable. Detection is correct on release versions and other
> > browsers but, incorrect on Fx beta and up.

> I wonder if it takes some time for the 'update of the database',
> "update flash for 13.0.0.214" bug 1010085,
> to 'propagate through *all* of the plugincheck service'.
> I imagine there are many 'virtual web sites' and / or 'load balancers'.


I have edited my summary (from comment # 10 - because Schalk cross posted).

Summarising comments # 3 to # 10.

I have seen BOTH
Fx 29.0.1 'detect and say "Up to Date" *IN ERROR* Flash 13.0.0.206 (comment # 4). 
Fx 29.0.1 'detect and report as "vulnerable" Flash 13.0.0.206' (comment # 10).

I have also seen
Fx 31 'detect and report as "vulnerable" Flash 13.0.0.206' (comment # 7).


I hope you find the pictures useful.

I am still keen that you keep bug 965812 under review.
Please add it to your "Tracker for Bugs and Feature Requests PluginCheck.current" bug 990857.

DJ-Leith
Thanks DJ, I have finished my fix and I am testing locally. Will update the bug as soon as I am complete and list all the environments and configurations I have tested.
Below follows the configuration and test results for the tests I have personally run locally:

Operating System: Windows 7
Browser: IE10, Firefox Release, Firefox Aurora
Plugins: Java 7 update 55, Flash 13.0.0.206, Flash ActiveX 13.0.0.214

IE10
-----

Java 7 update 55 - Up to Date
Flash 13.0.0.206 - Not detected, uses ActiveX component
Flash ActiveX 13.0.0.214 - Up to Date
Windows Media Player Plug-in Dynamic Link Library - Up to Date

Firefox Release & Firefox Aurora
---------------------------------

Java 7 update 55 - Up to Date
Flash 13.0.0.206 - Vulnerable

*********

Operating System: Windows 7
Browser: IE8, Firefox Release, Firefox Nightly, Chrome 34.0.1847.137 m
Plugins: Flash 11.8.800.168, Chrome Running Latest Flash, Java 7u25

IE8
----

Flash 11.8.800.168 - Not detected, no ActiveX installed.
Java 7u25 - Vulnerable
Windows Media Player Plug-in Dynamic Link Library - Up to Date

Firefox Release
----------------

Flash 11.8.800.168 - Vulnerable
Java 7u25 - Vulnerable
Google Update - Up to Date

Firefox Nightly
--------------------------------

Flash 11.8.800.168 - Vulnerable
Java 7u25 - Up to date

Chrome 34.0.1847.137 m
-----------------------

Latest bundled Flash - Up to Date
Java 7u25 - Up to date

******************

Operating System: Windows 7
Browser: IE9, Firefox Nightly
Plugins: Java 8 update 5

IE9
---

Windows Media Player Plug-in Dynamic Link Library - Up to Date
Java 8 update 5 - Up to Date

Firefox Nightly
----------------

Java 8 update 5 - Up to Date

******************

Operating System: Windows XP
Browser: IE8, Firefox Release, Firefox Nightly
Plugins: Windows Media Player Plug-in Dynamic Link Library v3.0.2.629, Flash 13.0.0.214

IE8
---

Flash ActiveX v6.0.79.0 - Vulnerable
Windows Media Player Plug-in Dynamic Link Library v9.0.0.4503 - Up to Date

Firefox Release
---------------

Windows Media Player Plug-in Dynamic Link Library v3.0.2.629 - Up to Date
Flash 13.0.0.214 - Up to Date
Microsoft DRM - Research (aka Unknown)

Firefox Nightly
---------------

Windows Media Player Plug-in Dynamic Link Library v3.0.2.629 - Vulnerable
Flash 13.0.0.214 - Up to Date
Microsoft DRM - Up to Date

*********************

Operating System: Windows 8.1
Browser: IE11
Plugins:

IE11
-----

PluginCheck does not work.

Firefox Release
----------------

No plugins detected

*******************

Operating System: Mac OSX 10.9.3
Browser: Firefox Release, Beta, Aurora, Nightly, Chrome 34.0.1847.137, Opera, Safari

Firefox Release
----------------

doubleTwist Web Plugin - Research (aka Unknown)

Google Talk Plugin Video Renderer  - Research (aka Unknown)
Version 5.3.1.18536

Default Browser Helper - Research (aka Unknown)

Silverlight Plug-In - Up to Date
5.1.20913.0

QuickTime Plug-in 7.7.3 - Up to Date

Google Talk Plugin  - Up to Date
Version 5.3.1.18536

Latest Flash - Up to Date


Firefox Beta, Aurora, Nightly
------------------------------

Silverlight Plug-In - Up to Date
5.1.20913.0

QuickTime Plug-in 7.7.3 - Up to Date

Google Talk Plugin  - Up to Date
Version 5.3.1.18536

Latest Flash - Up to Date

Java 7 update 55 - Up to Date

Opera Next & 17
---------------

Google Talk Plugin Video Renderer  - Research (aka Unknown)
Version 5.3.1.18536

Silverlight Plug-In - Up to Date
5.1.20913.0

QuickTime Plug-in 7.7.3 - Up to Date

Google Talk Plugin  - Up to Date
Version 5.3.1.18536

Latest Flash - Up to Date

Chrome
-------

Google Talk Plugin Video Renderer - Research (aka Unknown)
Version 5.3.1.18536

Silverlight Plug-In - Up to Date
5.1.20913.0

QuickTime Plug-in 7.7.3 - Up to Date

Google Talk Plugin  - Up to Date
Version 5.3.1.18536

Latest Flash - Up to Date

Safari 7.0.3
-------------

Google Talk Plugin Video Renderer - Research (aka Unknown)
Version 5.3.1.18536

Adobe Acrobat NPAPI Plug-in, Version 11.0.07 - Research (aka Unknown)

Silverlight Plug-In - Up to Date
5.1.20913.0

QuickTime Plug-in 7.7.3 - Up to Date

Google Talk Plugin  - Up to Date
Version 5.3.1.18536

Latest Flash - Up to Date

Java 7 update 55 - Up to Date

*****************

Operating System: Ubuntu 13.10
Browser: Firefox 24, Firefox Nightly
Plugins: IcedTea Java plugin

Needs testing
That is a *lot* of info and as you will see there are some problems on some specific platforms that I am looking into. However, I am going to go over all this again focusing on Flash and, if all of that is OK, I am going to ask for my latest changes to be pushed to production.

Will update this bug with updates with regards to progress.
I also should have added that except for Firefox versions Beta and up, the tests were run against the same code that is in production.
(In reply to Schalk Neethling [:espressive] from comment #15)
> That is a *lot* of info and as you will see there are some problems on some specific
> platforms that I am looking into. However, I am going to go over all this again
> focusing on Flash and, if all of that is OK, I am going to ask for my latest changes
> to be pushed to production.
> 
> Will update this bug with updates with regards to progress.

I *appreciate* all the hard work.  I am glad that you now have many test VMs.
My opinion / point of view remains that it is better to get things working correctly
than to rush meeting a deadline.


I might be able to shed some light on one of these 'loose ends': the Adobe Acrobat plugin.


(from comment # 14)
> Operating System: Mac OSX 10.9.3
> Browser: Firefox Release, Beta, Aurora, Nightly, Chrome 34.0.1847.137, Opera, Safari 

I note that this platform is nearly OK.  Not a surprise, as I imagine many Mozilla Devs
use a similar computer and they report bugs.

(from comment # 14)
> Safari 7.0.3
> -------------
> ... ...
> Adobe Acrobat NPAPI Plug-in, Version 11.0.07 - Research (aka Unknown)

There does not seem to be an "Adobe Acrobat" plugin for Firefox (Release, Beta, Aurora
or Nightly) on this Mac.

N.B. Carsten Book [:Tomcat] has updated the plugincheck database for Adobe Acrobat.
"May updates for Adobe Acrobat 11.x and 10.x" bug 1010086


 
One User, who I support, has been away.

Their laptop had not had the '13 May 2014 Microsoft Patch Tuesday updates' nor
'plugin updates'.  I was able to take some screenshots and document settings
before and after patching.


*********
Windows 7 (64 bit OS)
Firefox 29.0.1 and Aurora 31.0a2 (2014-05-20), 5 plugins.

IE 10 - never used by the User (but the AV updates etc use 'parts of IE' so,
like nearly every Windows computer, there is IE [and one has to patch, patch, patch]).

Before update:
Adobe Acrobat was 11.0.6.70
Adobe Flash was 13.0.0.206

After update:
Adobe Acrobat is 11.0.7.79
Adobe Flash is 13.0.0.214

----------

First, the good news:
- IE 10 was able to detect Flash 13.0.0.206 (ActiveX) as "vulnerable" - correct.
- IE 10 after updating Flash to 13.0.0.214 (ActiveX) reported "Up to Date" - correct.

Less good news (but I personally would use Microsoft's "Windows Update" to 'check this and Update as required'):

- IE 10 was able to detect Windows Media Player Plug-in Dynamic Link Library 12.0.7601.17514 as "Up to Date" - I don't think this is correct.

- IE 10 after updating, Windows Media Player Plug-in Dynamic Link Library 12.0.7601.18150 reported "Up to Date" - correct.

Also, FYI
"TrueSuite Website Log On" by AuthenticTec, Inc was 'pre-installed at the factory'.
It is NOT detected by the plugincheck web site.


Now see the attached "Fx29-0-1-about-addons-before-update-2014-05-20.jpg" for the
list of 'Firefox plugins'.

I would expect (if all was working 100%):
Adobe Acrobat - "vulnerable"
Google Earth - "Up to Date"
Google Update - "Unknown" - very useful to know
NPCIG.dll - "Unknown"  - very useful to know
Shockwave Flash - "vulnerable"

DJ-Leith 

continued in comment # 18
Look at the attached "Fx29-0-1-plugincheck-before-update-2014-05-20.jpg".

Shockwave Flash - "vulnerable" - expected and correct.

NPCIG.dll - "Unknown"  - very useful to know.
Google Update - "Unknown" - very useful to know.

Google Earth - "Up to Date" - expected and correct.

Adobe Acrobat - "Up to Date".  This is wrong.

about:plugins

Adobe Acrobat

    File: nppdf32.dll,nppdf32.dll
    Path: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll,C:\Program Files (x86)\Adobe\Reader 11.0\Reader\browser\nppdf32.dll
    Version: 11.0.6.70
    State: Enabled
    Adobe PDF Plug-In For Firefox and Netscape 11.0.06

I did wonder if the plugin database had been updated.

Remember also
(from comment # 14)
> Safari 7.0.3
> -------------
> ... ...
> Adobe Acrobat NPAPI Plug-in, Version 11.0.07 - Research (aka Unknown)

If the database had NOT been updated then this could account for this:
BOTH
11.0.06 being reported as "Up to Date" and
11.0.07 reported as "Unknown".

Carsten Book [:Tomcat] has updated the plugincheck database for Adobe Acrobat.
"May updates for Adobe Acrobat 11.x and 10.x" bug 1010086

DJ-Leith
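
The stale-database explanation in the comment above, and the earlier suggestion that the Flash update took hours to reach every server, modelled as an added example (not part of the bug thread and not plugincheck's code). The database layout, the classification rules and the names `classify`, `staleDb` and `updatedDb` are assumptions; the sample data is constructed from the versions quoted in this bug.

```javascript
// Added example: a simplified model of a plugin version check, not the
// plugincheck (bedrock / Perfidies-of-the-Web) code. The database layout
// and the rules in classify() are assumptions made for illustration.

// Split a dotted version into integers so that "11.0.06" equals "11.0.6".
function parseVersion(version) {
  return String(version).trim().split('.').map(function (part) {
    const n = parseInt(part, 10);
    return Number.isNaN(n) ? 0 : n;
  });
}

// Return -1, 0 or 1; missing trailing components count as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// db maps a plugin name to its known releases, each marked
// 'latest' or 'vulnerable'.
function classify(db, name, installed) {
  const releases = db[name];
  if (!releases) return 'Unknown';
  const exact = releases.find(function (r) {
    return compareVersions(r.version, installed) === 0;
  });
  if (exact) return exact.status === 'latest' ? 'Up to Date' : 'vulnerable';
  const latest = releases.find(function (r) { return r.status === 'latest'; });
  // Not listed and older than the newest known release: outdated.
  if (latest && compareVersions(installed, latest.version) < 0) return 'vulnerable';
  // Newer than anything the database knows about.
  return 'Unknown';
}

// Constructed sample data: the database before and after the May 2014 updates.
const staleDb = {
  'Adobe Flash Player': [{ version: '13.0.0.206', status: 'latest' }],
  'Adobe Acrobat': [{ version: '11.0.06', status: 'latest' }]
};
const updatedDb = {
  'Adobe Flash Player': [
    { version: '13.0.0.214', status: 'latest' },
    { version: '13.0.0.206', status: 'vulnerable' }
  ],
  'Adobe Acrobat': [
    { version: '11.0.07', status: 'latest' },
    { version: '11.0.06', status: 'vulnerable' }
  ]
};

// Ask every backend copy of the database for a verdict. Differing answers
// for the same installed version mean the update has not reached all copies.
function verdictsAcrossBackends(backends, name, installed) {
  return backends.map(function (db) { return classify(db, name, installed); });
}

function backendsDisagree(backends, name, installed) {
  return new Set(verdictsAcrossBackends(backends, name, installed)).size > 1;
}

console.log(verdictsAcrossBackends([staleDb, updatedDb], 'Adobe Flash Player', '13.0.0.206'));
console.log(classify(staleDb, 'Adobe Acrobat', '11.0.07'));
```

A stale copy reproduces both observations at once: the old version reads "Up to Date" and the patched version reads "Unknown".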
See the attached "Fx31-plugincheck-before-update-2014-05-20.jpg".

Using Aurora, only 3 of the 5 are reported.


Flash
This is now reported as "Adobe Flash Player" (it was "Shockwave Flash") and
it is "vulnerable" - expected and correct.

Acrobat
This is now reported as "Adobe Acrobat NPAPI Plug-in" (it was "Adobe Acrobat").
It is detected as the correct version 11.0.6.70
BUT this is wrong. 

So, this Report is using the 'new plugincheck service'.


After I updated:
Adobe Flash to 13.0.0.214 
Adobe Acrobat to 11.0.7.79

I got a very similar Report.

"Adobe Flash Player" reported as "vulnerable" - (expected, *only because of this bug*) and wrong.
"Adobe Acrobat NPAPI Plug-in" version 11.0.7.79 "Up to Date" - correct.

No screenshot posted of this result.


Also, while I was doing this, I changed

user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0.1");

And
"plugins.enumerable_names" preference set to "" (empty string) 

Now, due to the UA change 'tests were done using enumeration'
(at the Release part of the 'plugincheck service').
NO Plugins were found.
This is the 'expected result' in *this* case.

I have not posted a screenshot of this (and I have reversed the about:config changes).

DJ-Leith
So, to conclude.

First, my understanding includes the following:

If you install Adobe Reader / Adobe Acrobat, using a browser to 'collect it
from Adobe', you are also given the 'plugin for the browser used to collect
the software' as part of the 'Acrobat install'.

Even if a user often uses "PDF.js", in Firefox, to read PDF files they might
still have the plugins installed on their computer.

One of the many reasons to use plugincheck.

I speculate that the Mac
(from comment # 14)
> Safari 7.0.3
> -------------
> ... ...
> Adobe Acrobat NPAPI Plug-in, Version 11.0.07 - Research (aka Unknown)
has Adobe Acrobat and that it was installed using Safari, and there is
a plugin (from Adobe) 'working with Safari'.

In the examples I have posted in comment # 17, 18, 19 and 20.

There are 'Acrobat plugins for Firefox' (and Aurora - they are 'machine wide').
There are no Acrobat plugins for IE (because IE was not used).

I have seen the same for Flash.  In IE 9, which comes with 32bit and 64bit versions, I used to have to update the 32bit Flash separately from the 64bit Flash (both ActiveX) as well as the 'Flash for Firefox'. Recently Adobe have improved the IE Flash installer and I have found that updating the 64bit has also updated the 32bit Flash.
I still check BOTH versions of IE at http://www.adobe.com/software/flash/about/ 

Same for Java (32bit and 64bit). 


Carsten Book [:Tomcat] has updated the plugincheck database for Adobe Acrobat.
"May updates for Adobe Acrobat 11.x and 10.x"
He did say in bug 1010086 comment # 1
> plugincheck production updated, just might need QA check

Perhaps the QA check could include testing more browsers?

My comments are:

1. In
https://bug1010132.bugzilla.mozilla.org/attachment.cgi?id=8426510
from comment # 18
we see "Adobe Acrobat", 11.0.6.70 - "Up to Date".  This is wrong.
Uses the 'release plugincheck', Fx 29.0.1.


2. In
https://bug1010132.bugzilla.mozilla.org/attachment.cgi?id=8426513
from comment # 19
we see "Adobe Acrobat NPAPI Plug-in", 11.0.6.70 - "Up to Date".  This is wrong.
Uses the 'new plugincheck', Fx 31.

Both are 'a false sense of security'. 

I think it would be good to see what is in the database and how it was possible for both the 'current' and the 'new' versions of plugincheck to report "Up to Date" 11.0.6.70 and 11.0.7.79 - see next.

Now, see the attached "Fx29-0-1-plugincheck-after-update-2014-05-20.jpg".

This is the Release (Fx 29.0.1) after the '13 May 2014 Microsoft Patch Tuesday updates'
and 'plugin updates'.

This is good:

NPCIG.dll - "Unknown"  - very useful to know.
Google Update - "Unknown" - very useful to know.

Google Earth - "Up to Date" - expected and correct.
Adobe Acrobat 11.0.7.79 - "Up to Date" - expected and correct.
Shockwave Flash 13.0.0.214 - "Up to Date" - expected and correct.

It would be excellent to get the Aurora result as good as this.

DJ-Leith
Pull request opened to get this change live:
https://github.com/mozilla/bedrock/pull/2073
Whiteboard: [kb=1396300]
Commits pushed to master at https://github.com/mozilla/bedrock

https://github.com/mozilla/bedrock/commit/83cf3243c41ad3b55f5556c96ddf9e3c19c3410f
Fix Bug 1010132, improved Flash reporting for beta plus versions of Fx

https://github.com/mozilla/bedrock/commit/1c2889188970246361f3230a56a27dde12dc8f55
Merge pull request #2073 from ossreleasefeed/bug1010132-flash13_0_0_206_incorrectly_shown_as_latest

Fix Bug 1010132, improved Flash reporting for beta plus versions of Fx
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Hey Matt, is there someone who can do some QA on this? It will be on stage i.e.

https://www.allizom.org/en-US/plugincheck/

Tests I have already done are listed here but, definitely test these scenarios again:
https://github.com/ossreleasefeed/Perfidies-of-the-Web/pull/7#issue-34546051

I reckon the most important is to test that this bug's particular issue, i.e. Flash, is resolved and that no regressions are introduced. Thanks!
Flags: needinfo?(mbrandt)
Duplicate of this bug: 1011824
Changes are not on stage just yet, will update the bug as soon as it has been pushed.
(In reply to Schalk Neethling [:espressive] from comment #23)
> Hey Matt, is there someone who can do some QA on this? It will be on stage i.e.
> 
> https://www.allizom.org/en-US/plugincheck/
> 
> Tests I have already done are listed here but, definitely test these scenarios again:
> https://github.com/ossreleasefeed/Perfidies-of-the-Web/pull/7#issue-34546051
> 
> I reckon the most important is to test that this bug's particular issue, i.e. Flash, is resolved
> and that no regressions are introduced. Thanks!

***
Main point - Flash is better BUT Acrobat is worse!
***

Tests were done on 2014-06-03.

Method:

Used Aurora on Stage:
https://www.allizom.org/en-US/plugincheck/

See "Fx31-plugincheck-STAGE-2014-06-03.jpg".

Here, "Adobe Flash Player" 13.0.0.214 is Reported as "Up to Date" - correct - good.
BUT, "Adobe Acrobat NPAPI Plug-in" is Reported as "vulnerable" - WRONG.

    It also shows the version "11.0.7.79",
    see bug 1017483 "Always expose version number of plugin",
    in my opinion, a VERY GOOD enhancement.

DJ-Leith

continued in comment # 28
Compared to Aurora on Live:
https://www.mozilla.org/en-GB/plugincheck/ (in my GB case).

See "Fx31-plugincheck-LIVE-2014-06-03.jpg".

This screenshot shows Acrobat "11.0.7.79" as "Up to Date" - which is the
'correct result'.

    Has Adobe released another Acrobat version?
    I don't think so.
    I have checked Adobe, and I can NOT find any reference to say that
    Acrobat "11.0.7.79" is "vulnerable".

    Security Updates available for Adobe Reader and Acrobat
    Release date: May 13, 2014
    Vulnerability identifier: APSB14-15
    http://helpx.adobe.com/security/products/reader/apsb14-15.html

You will recall from comment # 17, 18, 19 and 20 - I have already reported that
Acrobat is 'not reported correctly'.


I am also *puzzled* as to why
Bug 1011824 has been declared as a Duplicate of this bug AND THEN
this bug (i.e. 1010132) has been declared "Status: RESOLVED FIXED" when

Schalk Neethling [:espressive] on 2014-06-02 at 00:02:13 PDT, in bug 1011824 comment # 8, said:

> Couple of things here:
> 
> The fix mentioned earlier has not gone live yet but, will today. There is a LOT of testing
> to be done to not only ensure that the bug is fixed but, to also ensure that no regressions
> are introduced so, it took longer than expected.
> 
> (quoting from bug 1011824 comment # 7)
> > Another question is:
> > Is the new in 2014 version of plugincheck ready for Fx 30 on 2014-06-09?
> > Should it be delayed until Fx 31 - in July?
> 
> After the fix above is released, I reckon we need to run it through its paces again and
> then someone needs to decide whether they want to flip the bits to turn enumeration off.
> 
> I am continuing to work on this and, at the same time, I am putting together a page that
> gives us an indication of where we are in terms of stability and accuracy of the service.

There does not seem to be an open bug to report that all is NOT quite fixed.
I have seen the 
https://github.com/ossreleasefeed/Perfidies-of-the-Web/pull/7#issue-34546051
cited in comment # 23 but this bug seems to me the best way to report this.

So, I have posted here.

> and that no regressions are introduced. 
I think the Acrobat result, on Stage, is a regression.

DJ-Leith
Flags: needinfo?(schalk.neethling.bugs)
(In reply to DJ-Leith from comment #28)

Hey DJ,

Thanks for testing and your feedback. So, first why the dupe on Bug 1011824, well, as with this bug, it relates to the incorrect categorisation of the .206 release of Flash as up to date. In terms of the code that is on stage now, this (and the duped) bug is fixed.

I acknowledge the problem(s) reported regarding Acrobat but, I do believe we need to track this as a separate bug and I will open one as such.
Flags: needinfo?(schalk.neethling.bugs)
Here then is the bug to track the problems experienced with Acrobat:
https://bugzilla.mozilla.org/show_bug.cgi?id=1020133
QA verified based off the STR in comment 0 -- Firefox + plugincheck report the correct suggestion to upgrade if Flash needs to be upgraded. Inversely Flash is correctly reported as being up-to-date.

Verified on:
- OSX 10.9.3 Firefox [RC, Beta, Aurora, Nightly]
- Vista Firefox [RC, Beta, Aurora, Nightly]
- Win7 Firefox [RC, Beta, Aurora, Nightly]
- Win 8 Firefox [RC, Beta, Aurora, Nightly]
- Mint  Firefox [RC, Beta, Nightly]

DJ-Leith, a big thank you for your enthusiasm and help testing that Flash versions are correctly reported by plugincheck. A small suggestion when testing, if you find errant behavior outside of the STR in comment 0 file separate bugs for those regressions. Also, please feel free to join us in #plugincheck, sometimes a conversation in irc can clear up questions/bug suggestions.
Status: RESOLVED → VERIFIED
Flags: needinfo?(mbrandt)