Bug 1068357
Opened 11 years ago
Closed 11 years ago
Adobe Reader and Acrobat for Windows and Macintosh - plugins vulnerable 2014-09-16 - APSB14-20
Categories: Plugin Check Graveyard :: Database, defect
Status: RESOLVED FIXED
Reporter: dj.4bug, Assigned: espressive
Attachments: 5 files, 4 obsolete files
Adobe Security Bulletin
Security Updates available for Adobe Reader and Acrobat
Release date: September 16, 2014
Vulnerability identifier: APSB14-20
http://helpx.adobe.com/security/products/reader/apsb14-20.html
Please add to the Plugincheck Database.
Schalk and Carsten,
I have tested 'Reader' version "11.0.8.4" and it is reported as
"Up to Date" (using Fx 32.0.1 i.e. with enumeration)
just prior to opening this bug. I can't find a bug report for this.
Now that Adobe have released, what Adobe call "11.0.09",
plugincheck should report "11.0.8.4" as "vulnerable".
See also, for Reader ESR, lower on the
Adobe Security Bulletin
> For users of Adobe Acrobat X (10.1.11) and earlier versions, who cannot update
> to version 11.0.09, Adobe has made available version 10.1.12.
Useful blog:
"Adobe Product Security Incident Response Team (PSIRT) Blog"
http://blogs.adobe.com/psirt/
I said, at the end of bug 1020133 comment #33, on 2014-09-10:
> ... ...
> Finally,
> I was expecting Adobe to release a new Reader on 2014-09-09
> but Adobe have delayed the release: see
>
> "Adobe Product Security Incident Response Team (PSIRT) Blog"
> http://blogs.adobe.com/psirt/
FYI,
On Windows 7, using Firefox 32.0.1
the 'actual plugin version', for the NEW plugin, is "11.0.9.29" (in about:addons and about:plugins)
and plugincheck (i.e. with enumeration) also 'finds it' as version "11.0.9.29".
Using Aurora, it is - as I expect but WRONG - "11.0.9.29" BUT in the "Outdated Plugins"
section with a red "Update Now" button and the 'red button links back to plugincheck'.
This is the long standing 'plugincheck using the JSON List' bug,
i.e. bug 1020133 "Improve Adobe Acrobat plugin reporting".
DJ-Leith
Updated 11 years ago
Assignee: nobody → schalk.neethling.bugs
Comment 1 (11 years ago)
Database updated
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 2 (11 years ago)
@schalk: See Bug #1020133 Comment#54
> Today (Sept 19) I installed the new FF 32.0.2 release.
>
> Then Adobe issued an update to READER XI which I installed right away too. Version of the program
> from HELP/ABOUT is "11.0.09" (zero nine). File properties (metadata) says "11.0.9.29". Internal
> plugins are "11.0.9.xx" (where xx is usually "29", sometimes "0" on a few).
>
> I ran the plugin check for FF 32.0.2 prior to installing the new Reader. It showed as 11.0.8
> (11.0.8.4) which we know, and said "up-to-date" -- not quite correct. There is no indication from
> Adobe whether the older plugin is now vulnerable -- can't find their release notes or anything
> useful on their super-whizzy new website! -- so I have to trust it is still OK. After installing
> new Reader, I ran plugin check again -- gave the correct info and says "up-to-date" as expected.
>
> The browser plugin (nppdf32.dll) is now "11.0.09.29" according to metadata (and MORE). The new
> plugin resides naturally within the Adobe realm in Program Files and got placed in the FF plugin
> folder. Interestingly, the plugin is now also copied directly into MS Windows Explorer folder too.
I have a laptop running Win7, just updated to FF 32.0.2, and running Adobe Reader 11.0.08 (11.0.8.4). The old-style plugincheck correctly shows all the version info, but the button still says "up-to-date". I would expect to see "out-of-date" in the best case, or "vulnerable" which I understand to be the case here. (See time-stamped screenshots to follow.)
-dan-
Comment 3 (11 years ago)
@schalk: Adobe Version 11.0.08 (plugin would be 11.0.8 and 11.0.8.4)
Comment 4 (11 years ago)
@schalk: FF 32.0.2 is running...
Comment 5 (11 years ago)
@schalk: Adobe Reader XI plugin version is 11.0.8 / 11.0.8.4...
Comment 6 (11 years ago)
@schalk: Adobe Reader XI - plugincheck shows correct version (11.0.8 etc) but button says "up-to-date" - NOT CORRECT!
Comment 7 (11 years ago)
@schalk: Adobe Version 11.0.08 (plugin would be 11.0.8 and 11.0.8.4)
(butterfingers messed up my screen capture -- I've done the sequence over again -- five shots)
Attachment #8492651 marked obsolete.
Attachment #8492652 marked obsolete.
Attachment #8492654 marked obsolete.
Attachment #8492655 marked obsolete.
Comment 8 (11 years ago)
@schalk: FF 32.0.2 is running...
Comment 9 (11 years ago)
@schalk: Adobe Reader XI plugin version is 11.0.8 / 11.0.8.4...
Comment 10 (11 years ago)
@schalk: Adobe Reader XI plugin MORE version is 11.0.8 / 11.0.8.4...
Comment 11 (11 years ago)
@schalk: Adobe Reader XI - plugincheck shows correct version (11.0.8 etc) but button says "up-to-date" - NOT CORRECT!
Comment 12 (11 years ago)
Attachments in Comments 7,8,9,10,11 are current and correct. (sorry, something didn't paste correctly in the previous attempt).
Note also in attachment 8492661: The plugin file name appears TWICE ("nppdf32.dll, nppdf32.dll"). Is this correct? Is this a 'typo'? A signal about multiple current versions? Finding duplicate files (one in the FF folder, one in the Adobe folder)?
Comment 13 (11 years ago, Reporter)
Dan,
It is very good that you have documented this.
https://bug1068357.bugzilla.mozilla.org/attachment.cgi?id=8492662
clearly shows that plugincheck is saying "Up to Date", on 2014-09-20,
which is AFTER Schalk updated the Database.
This is a 'false sense of security' and needs fixing.
I have seen 'data output from the Database' that shows
BOTH the new plugin 11.0.9.29 AKA 11.0.9 AKA 11.0.09
and the
> 0260 'vulnerability_description':
> 'Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh.',
> 0261 'vulnerability_url':
> 'http://helpx.adobe.com/security/products/reader/apsb14-20.html',
> 0262 'version': '11.0.8.0',
which show that the Database has been updated.
(In reply to Dan Pernokis from comment #12)
> Note also in attachment 8492661: The plugin file name appears
> TWICE ("nppdf32.dll, nppdf32.dll"). Is this correct? Is this a 'typo'?
> A signal about multiple current versions? Finding duplicate files (one in
> the FF folder, one in the Adobe folder)?
As we saw in bug 1038685,
"about:plugins" should also find the plugin,
and it also uses the 'File Version', in the plugin metadata, to show the "11.0.9.29".
Here is my "about:plugins", Windows 7 64bit,
the section on what we are calling 'Adobe Reader'
> Adobe Acrobat <== this is also from the "nppdf32.dll" metadata
>
> File: nppdf32.dll,nppdf32.dll
> Path: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\browser\nppdf32.dll,
> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
> Version: 11.0.9.29
> State: Enabled
> Adobe PDF Plug-In For Firefox and Netscape 11.0.9
So, I think that the two "nppdf32.dll" are the 'Adobe AIR' and the 'Adobe Reader' plugins.
I am going to continue the discussion about WHY "11.0.8.4" was NOT declared "vulnerable"
in bug 1020133 "Improve Adobe Acrobat plugin reporting".
DJ-Leith
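The comparison the thread is circling around (the database carries a vulnerable record for '11.0.8.0' and a latest release of 11.0.9.29, yet an installed 11.0.8.4 is reported "Up to Date") is easiest to see in code. The block below is an added example, not plugincheck's own code; the version strings and the APSB14-20 URL come from this bug, while the bulletin record layout, the prefix-comparison rule for release numbers and the exact-match variant are assumptions made here to illustrate how a check can give a false "up to date".

```javascript
// Added example (not plugincheck's code): deciding "vulnerable" vs "up to
// date" for an installed Adobe Reader/Acrobat plugin against APSB14-20.
// Assumptions: the bulletin record below, prefix comparison for release
// numbers, and that an exact string match is what produces the false result.

// "11.0.09" (Help/About), "11.0.9" (plugin description) and "11.0.9.29"
// (file metadata) all name the same Reader XI release. Parsing to integers
// removes the leading-zero difference; string comparison would also rank
// "11.0.10" below "11.0.9", which numeric comparison avoids.
function parseVersion(v) {
  return String(v).trim().split('.').map((p) => {
    if (!/^\d+$/.test(p)) throw new Error(`non-numeric version component: ${JSON.stringify(p)}`);
    return parseInt(p, 10);
  });
}

// Is `installed` at or above `fixed`? Only as many components as `fixed`
// specifies are compared, so a bulletin that names "11.0.09" accepts build
// 11.0.9.29 but rejects every 11.0.8.x build, including 11.0.8.4.
function isAtLeast(installed, fixed) {
  const a = parseVersion(installed), b = parseVersion(fixed);
  for (let i = 0; i < b.length; i++) {
    const x = a[i] ?? 0;
    if (x !== b[i]) return x > b[i];
  }
  return true;
}

// Constructed bulletin record: one fixed release per branch, taken from the
// APSB14-20 text quoted in comment 0 (11.0.09, and 10.1.12 for users who
// cannot move to 11).
const APSB14_20 = {
  id: 'APSB14-20',
  url: 'http://helpx.adobe.com/security/products/reader/apsb14-20.html',
  fixed: ['11.0.09', '10.1.12'],
};

// Status of an installed version: at or above the fixed release for its
// branch is up to date, anything below it is vulnerable. A branch with no
// fixed release in the bulletin is treated as vulnerable (assumption based
// on the bulletin's "10.1.11 and earlier versions").
function classify(installed, bulletin = APSB14_20) {
  let major;
  try { major = parseVersion(installed)[0]; } catch { return 'unknown'; }
  const fixed = bulletin.fixed.find((f) => parseVersion(f)[0] === major);
  if (fixed === undefined) return 'vulnerable';
  return isAtLeast(installed, fixed) ? 'up-to-date' : 'vulnerable';
}

// Failure mode (assumed, for illustration): matching the installed string
// exactly against the database's vulnerable record ('11.0.8.0', quoted in
// comment 13). "11.0.8.4" is not that string, so it falls through to
// "up to date" although it predates 11.0.09.
const VULNERABLE_RECORD = { version: '11.0.8.0', vulnerability_url: APSB14_20.url };
function naiveExactMatch(installed) {
  return installed === VULNERABLE_RECORD.version ? 'vulnerable' : 'up-to-date';
}

// Usage: compare both rules on the versions discussed in this bug.
for (const v of ['11.0.8.4', '11.0.8.0', '11.0.9.29', '11.0.09', '10.1.11', '10.1.12']) {
  console.log(v.padEnd(10), 'exact-match:', naiveExactMatch(v).padEnd(11), 'correct:', classify(v));
}
```

The point of `isAtLeast` comparing only as many components as the bulletin names is that Adobe's bulletin speaks in release numbers (11.0.09) while the plugin metadata reports build numbers (11.0.9.29); a database that stores one exact vulnerable build and matches it literally will miss every other build of the same affected release.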
Comment 14 (11 years ago)
@DJ-Leith: Your Comment #13 (reply my Comment #12)
>> So, I think that the two "nppdf32.dll" are the 'Adobe AIR' and the 'Adobe Reader' plugins.
Sorry, that's not the correct context of the problem. When I say "two" or "twice", I mean that the name of the plugin file is shown twice on the Add-ons MORE page for the nppdf32.dll plugin. I'm questioning why the name occurs twice. See attachment 8492661 -- the FILE line.
Yes, the same nppdf32.dll file does exist multiple times (4x on my machine: in Adobe Reader, Adobe AIR, FF Plugins, and MSIE Plugins), but that isn't the issue either. When I suggested multiple current versions, I was wild-eyed speculating that having a name twice means there are at the time two different valid (safe) versions of the plugin (say, 11.0.8 and 11.0.9) -- which I now understand is not the case (11.0.8 is bad).