Closed Bug 1011824 Opened 6 years ago Closed 6 years ago

Plugin check page displays Flash plugin as vulnerable even if the latest version is installed in Beta30b4, Aurora31.0a2 and Nightly32.0a1

Categories

(Websites :: plugins.mozilla.org, defect, critical)

x86_64
Windows 7
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1010132

People

(Reporter: alice0775, Unassigned)

Plugin check page displays Flash plugin as Up to Date in Firefox29.0.1
However,
Plugin check page displays Flash plugin as vulnerable even if the latest version is installed in FirefoxBeta30b4, Aurora31.0a2 and Nightly32.0a1.

I installed the latest Flash plugin, 13.0.0.214.

Summary: Plugin check page displays Flash plugin as vulnerable even if the latest version is installed in Aurora31.0a2 and Nightly32.0a1 → Plugin check page displays Flash plugin as vulnerable even if the latest version is installed in Beta30b4, Aurora31.0a2 and Nightly32.0a1

(In reply to Alice0775 White in comment # 0)
> Plugin check page displays Flash plugin as Up to Date in Firefox29.0.1
> However,
> Plugin check page displays Flash plugin as vulnerable even if the latest
> version is installed  in  FirefoxBeta30b4, Aurora31.0a2 and Nightly32.0a1.
> 
> I installed latest Flash plugin 13.0.0.214.

I can confirm (Firefox 29.0.1 and Aurora 31.0a2) at both
https://www.mozilla.org/en-US/plugincheck/ and
https://www.mozilla.org/en-GB/plugincheck/

See also
bug 1010132 "Flash 13.0.0.206 shown as up to date" 
bug 1008321 "/plugincheck page not working in Firefox > 30" and
bug 968726 "Need better ways for detecting flash version on linux".

(from bug 1010132 comment # 12)
> Summarising bug 1010132 comment # 3 to bug 1010132 comment # 10.
> 
> I have seen BOTH
> Fx 29.0.1 'detect and say "Up to Date" *IN ERROR* Flash 13.0.0.206' (comment # 4). 
> Fx 29.0.1 'detect and report as "vulnerable" Flash 13.0.0.206' (comment # 10).
> 
> I have also seen
> Fx 31 'detect and report as "vulnerable" Flash 13.0.0.206' (comment # 7).

On 2014-05-14, when the screenshots were taken, Flash was (deliberately) 13.0.0.206.

I have, since 2014-05-14, updated Flash to 13.0.0.214 - and can confirm this bug.

(Alice0775 White wrote in bug 1008321 comment # 2)
> UA spoofing helps.
> user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0");

Using the idea of spoofing the UA, I can report that:

Using Fx 29.0.1 with
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/31.0a2");
I now get Flash 13.0.0.214 reported as "vulnerable".

The opposite, using Aurora 31.0a2 with
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0.1");
I now get Flash 13.0.0.214 reported as "Up to Date".

Schalk Neethling [:espressive] 2014-05-14 12:24:42 PDT in 1010132 comment # 13 said: 
> Thanks DJ, I have finished my fix and I am testing locally. Will update the bug as soon
> as I am complete and list all the environments and configurations I have tested.

So I am CCing Schalk Neethling.

DJ-Leith

Hey DJ,

This fix will go live tomorrow (Monday). I set up a bunch of different VMs so I can run it through its paces, and that delayed the release of the fix.

Duplicate of this bug: 1016457

(In reply to Schalk Neethling [:espressive] from comment #2)
> This fix will go live tomorrow (Monday).

Did that happen? Because twelve days later I'm still seeing the problem, as is the filer of bug 1016457.

Flags: needinfo?(schalk.neethling.bugs)

(Daniel Veditz [:dveditz] in comment # 4)

> Did that happen? Because twelve days later I'm still seeing the problem, as is the filer
> of bug 1016457

IIUC, Release (29.0.1) is using the 'existing, revised in 2013, version of plugincheck'.
Flash 13.0.0.214 is correctly Reported by plugincheck as "Up to Date".

IIUC, Beta30b4, Aurora31.0a2 and Nightly32.0a1 are using the 'new in 2014 version of plugincheck'.
The 'new plugincheck' uses the 'JSON list'
(from bug 956905 - the 'JSON list' went live on 2014-05-12) and does *NOT* use enumeration.

The circumstantial evidence for this includes the UA spoofing I have done,
e.g. see https://bugzilla.mozilla.org/show_bug.cgi?id=1010132#c19
and the slightly different descriptions of 'tested plugins' as seen
in the 'existing plugincheck' vs the 'new in 2014 version of plugincheck'.

Bug 1010132 has examples.

Schalk Neethling [:espressive] said, in comment # 2:
> ... I set up a bunch of different VMs so I can run it through its paces ...

These are listed in bug 1010132 comment # 14

The 'new in 2014 version of plugincheck' also has issues with Adobe Acrobat
(see https://bugzilla.mozilla.org/show_bug.cgi?id=1010132#c17, 18, 19 and 20).

DJ-Leith

Schalk, is this another case where the plugincheck database is doing tricks with u? Also, as Dan mentioned, did the fix go live?

(In reply to Schalk Neethling [:espressive] from comment # 2)
> This fix will go live tomorrow (Monday).
I think that the "This fix" that Schalk is referring to is his fix for
plugincheck - the difficulty of dealing with having both Java 7 Uxx
and Java 8 Uxx plugins.

In April 2014 these were (see bug 985968 comment # 41)
> Java 7 (1.7.0.51) AKA "10.51.2.13" and
> Java 8 (1.8.0.0)  AKA "11.0.2.132"
Since then, both Java 7 and Java 8 have had new versions.

In bug 1008321 comment # 4 Schalk Neethling [:espressive] on Monday 2014-05-12 01:06:52 PDT said:
> > (In reply to Kohei Yoshino [:kohei] from bug 1008321 comment # 3)
> > Regressed in
> > https://github.com/ossreleasefeed/Perfidies-of-the-Web/commit/e98b448 ?
> 
> Not regressed, it is new functionality that 'slipped' in as part of the Java 7/8 bug. 
> Fix for this one will land today. This will then also enable the navigator.plugins
> enumeration to be turned off.

I also think that the
> ... the Java 7/8 bug.
is bug 985968
"Mozilla Plugin check page displays Java plugin as vulnerable even if the latest
Java 7 version is installed" (and the Duplicates).

Schalk should know: he can correct or confirm my understanding - in this comment and comment # 5.
(from comment # 5)
> IIUC, Release (29.0.1) is using the 'existing, revised in 2013, version of plugincheck'.
> Flash 13.0.0.214 is correctly Reported by plugincheck as "Up to Date".
> 
> IIUC, Beta30b4, Aurora31.0a2 and Nightly32.0a1 are using the 'new in 2014 version of plugincheck'.
> The 'new plugincheck' uses the 'JSON list'
> (from bug 956905 - the 'JSON list' went live on 2014-05-12) and does *NOT* use enumeration.

Another question is:
Is the new in 2014 version of plugincheck ready for Fx 30 on 2014-06-09?
Should it be delayed until Fx 31 - in July?

DJ-Leith

Couple of things here:

The fix mentioned earlier has not gone live yet, but will today. There is a LOT of testing to be done to not only ensure that the bug is fixed, but to also ensure that no regressions are introduced, so it took longer than expected.

> Another question is:
> Is the new in 2014 version of plugincheck ready for Fx 30 on 2014-06-09?
> Should it be delayed until Fx 31 - in July?

After the fix above is released, I reckon we need to run it through its paces again and then someone needs to decide whether they want to flip the bits to turn enumeration off.

I am continuing to work on this and, at the same time, I am putting together a page that gives us an indication of where we are in terms of stability and accuracy of the service.
Flags: needinfo?(schalk.neethling.bugs)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1010132