Closed Bug 1053417 Opened 9 years ago Closed 9 years ago
Adobe Reader for Windows - plugins vulnerable 2014-08-12 - APSB14-19
Security Updates available for Adobe Reader and Acrobat Release date: August 12, 2014 Vulnerability identifier: APSB14-19 http://helpx.adobe.com/security/products/reader/apsb14-19.html > Adobe has released security updates for Adobe Reader and Acrobat XI (11.0.07) > and earlier versions for Windows. These updates address a vulnerability that > could allow an attacker to circumvent sandbox protection on the Windows > platform. Adobe Reader and Acrobat for Apple's OS X are not affected. ... lower down > For users of Adobe Reader X (10.1.10) and earlier versions for Windows, > who cannot update to version 11.0.08, Adobe has made available version 10.1.11. This ESR version would be for bug 986588 I don't think the 'detection and reporting of the ESR verson of Adobe reader' is working on the 'Plugincheck service' but I think is should. Please add the plugins to the Database. DJ-Leith
Assignee: nobody → schalk.neethling.bugs
Priority: -- → P1
"Plugincheck-Screenshot-Win7-Fx31-After-Flash-Before-Reader-update-shows-Reader-WRONG-20140819.png" I have not been able to test this until today because I had already updated Reader before I started to collect evidence (on 13th July). We are getting this WRONG result for Reader. DJ-Leith
See https://bug1053417.bugzilla.mozilla.org/attachment.cgi?id=8475528 "Plugincheck-Screenshot-Win7-Fx31-After-Flash-Before-Reader-update-shows-Reader-WRONG-20140819.png" which I attached in comment # 1. Here "Adobe Acrobat" (AKA Adobe Reader) version "220.127.116.11" is reported as "Up to Date". This is WRONG. It should be "vulnerable". This is a 'false sense of security'. From comment # 0 > Please add the plugins to the Database. Has anybody updated the Database for Reader (as in comment # 0)? I can't test this as I have now completed the updating of all the PCs that I support - all now have "Adobe Reader XI 11.0.08" which Plugincheck (on Fx 31) reports as "18.104.22.168". DJ-Leith
Thanks for the info DJ, I am looking into all of this today. I have been pulled to another project for a while and had no time to look at this.
The database has now been finally updated. One thing I have noticed though is that in the database we have, for example, a version such as 22.214.171.124 but, in the security bulletin by Adobe they refer to it as 11.0.07 and that the update is 11.0.08 Now I wonder is this an anomaly such as with java version that all start with 1. or do we actually have the version numbers wrong in the database?
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Hmmm, looking at what is reported by the browser, it is neither 126.96.36.199 nor 11.0.07 but in fact 11.0.7
This problem persists as Bug #1068357. Adobe 11.0.08 (188.8.131.52) has just been superseded by 11.0.09 (184.108.40.206), but 8 still shows as "up-to-date" in the plugincheck on FF 32.0.2 release. And re Comment #5 and Comment #6: I posted a comment previously in Bug 1038685 (re VLC plugin in a similar situation) -- my guess that the extra digit looks to be a 'file version' on the release, since it is part of the metadata (Windows file directory info): >> The metadata for npvlc.dll says "220.127.116.11". So the plugin file's metadata contains the >> trailing ".0" -- makes sense, so they can build/create and issue several renditions of >> a file without changing the inherent version ID. So for Adobe, "11.0.9" would be the version of the plugin (nppdf32.dll) accompanying Adobe Reader XI version 11.0.09 -- and it happens that this is the 29th issue/build/whatever of the file under that version, hence "18.104.22.168". The "29" does not appear anywhere in the plugin file if you look with an appropriate text-type viewer. (Previously 22.214.171.124 -- and the 4 didn't appear anywhere else.)
This is still broken. I have Acrobat 126.96.36.199 installed (as reported by Plugin Check), but it's reported in green as "Up to Date" (FF33 and FF31 ESR, Windows 7 x64). This is wrong - spectacularly so since there are 3 newer versions (11.0.9 is current). It's absolutely critical to be able to trust Plugin Check or it's worthless, since we then have to go somewhere else to "really" check or risk malware/viruses. Is it really that hard for Mozilla to have one machine configured for automatic updates of these products that can be configured to report the versions?
I am just giving a general status update here, and will copy this over to any other relevant bugs where a needinfo request has been logged for me. For the past quarter i.e. 1024-Q4, plugincheck has not been on my radar in any way, shape or form as I was moved to work on another project and 100% of my time was assigned to it. I have kept my eye on bugs etc. that has come an gone and have had the service in the back of my mind though and, from what I have seen this service is still very important to users and Mozilla for a variety of reasons which I will not go into here. With all of that said, during this time there was also some out reach done to other groups within in Mozilla to take over part, or all, responsibility for plugincheck but, as of right now, there has been no takers. AS I mentioned though, I completely understand and appreciate the importance of this service and, I also acknowledge that in it's recent, and current state, it does not provide the 'answers' users need but, I am moving pluginchck back as a top priority for myself in Q1 of 2015 and I am currently in the progress of planning for the year in general and then for Q1 specifically. I want to open this up to the user base to get your input on what is important and the biggest pain points but, have not decided how I will do this. Once all of these ducks are in a row, I will post a message to either a specific bug, to yammer or both. Please except my apologies for the steady decline of this service, thanks for your patience and continued feedback and I am certain that plugincheck is going to turn the corner in a positive way in 2015.
>> I have also posting this to Bug 1020133. I recently upgraded FF to 34.0 (on 01-DEC-2014, the day of release, I believe). At that time, the plugin check (TOOLS menu) said everything was "up to date". (The VLC "2.1.3" plugin comes up "vulnerable, but I really have 2.1.5 which is the latest.) On 07-Dec-2014, I updated TB to 31.3.0, and at that time all plugins were still showing "up to date" (except VLC). Late evening 10-Dec-2014 (crossing midnight Eastern Standard Time here in North America), I was doing a wide range of updates on the laptop. I had checked FF and TB earlier -- both latest versions and all plugins up to date. I updated Windows, which rebooted and triggered version checks of Adobe AIR and FLASH PLAYER. Both had updates available. (AIR is not reported by plugin-checker; FLASH had shown OK.) I updated both, and plugin check showed all up-to-date. THEN I checked Adobe READER -- it had Update 11.0.10 available. Next morning, I updated the Tower -- FLASH was now correctly showing "vulnerable". But I also noticed something really odd: the "Adobe Acrobat" (nppdf32.dll) being reported was "188.8.131.526" -- the version for the genuine Acrobat PDF Creator program (which it never reported before) -- and it DID NOT report the version of READER at all, even though the ADD-ONs MANAGER clearly showed both installed. I confirmed this behaviour on the Laptop too. Recall some time ago we discussed this situation -- my Acrobat PDF Creator is old, and its plugin (a copy of the same for READER back at 9.5.5) is in a different location. Looks like the READER location is not being looked at now by plugin-check. To recap: Adobe Flash was reported late, Adobe Reader isn't being checked at all (unless once it sees the Acrobat version, it skips the Reader one). And just for the record: The proper nppdf32.dll plugin verbally describes itself as "Adobe Acrobat 184.108.40.206" and "Adobe PDF Plug-In For Firefox and Netscape 11.0.10" -- the key word being "Acrobat", whether used for Reader or genuine Acrobat. The same plugin is used by both Acrobat and Reader (and AIR, for that matter) -- same file, but from different locations. My Reader is current, so plugin-check should find and report the 11.0.10 file (same as AIR). My Acrobat is old, only 9.5.5, and that gets reported. But the report shows only the 9.5.5 file, not both.
You need to log in before you can comment on or make changes to this bug.