Open Bug 1083392 Opened 6 years ago Updated 3 years ago

Adobe Flash now 15.0.0.189 - plug in check database needs updating [reported version is 15.0.0.152]

Categories

(Plugin Check :: Database, defect)

defect
Not set
normal

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: educmale, Unassigned)

References

Details

Attachments

(1 file)

Adobe Flash now 15.0.0.189 - plug in check database needs updating [reported version is 15.0.0.152]
(In reply to john ruskin from comment #0)
> Adobe Flash now 15.0.0.189 - plug in check database needs updating [reported
> version is 15.0.0.152]

Win8 update showed updates, and I also ran plugin check on Fox 33.0, and the database showed version 152 as current.

Adobe ran its own update check on WinUpdate Reboot, and showed 189 as current
Component: Plug-ins → General
Product: Core → Plugin Check
See Also: → 1084700
Why hasn't this been fixed?  Win 7 x64 FF 31ESR and FF33 both reporting things fine with Flash 15.0.0.152, but on machine where Adobe auto-update has been installed, I'm warned to upgrade to 189.

How do we confirm this bug so it no longer shows "unconfirmed".
For what it's worth, after the update to the .189 version, the plug in check reports .189 as current 

(out of curiosity, is the plugin checker reporting 'current', or reporting that the current installed version is "newer or equal to" the database understanding of current . . . ? )  ((Thus, I am not sure if the database holds the correct and current version value, or not))

If the plugin check as currently programmed reports "current" for "newer or equal to", I propose that the plugin check be amended to show one of three traits:  "out of date", "Current", or "more recent" than the plugin check database.

Should I report that suggestion as a new bug, or leave it here . . . ?
First, note three other bugs:

Bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable, on Windows 7"
Schalk knew, on 2014-10-17, that some people were getting the 'wrong result'
i.e. Flash "15.0.0.152" was being reported as "Up to Date" - IN ERROR.

Bug 1087185 "Update plugincheck for flash player 15.0.0.189"
This is another report: a possible Duplicate of this bug.

Bug 1083170 "October Flash updates"
Carsten Book updated the Plugincheck Database on 2014-10-15.

Second,
Adobe's Security Bulletin
> Security updates available for Adobe Flash Player
> Release date: October 14, 2014
> Vulnerability identifier: APSB14-22
> http://helpx.adobe.com/security/products/flash-player/apsb14-22.html


DJ-Leith wrote in bug 1084537 comment # 1:
> Schalk,
> 
> I've been away and offline.
> 
> When I returned, on 2014-10-15 in the evening, I did a plugincheck at
> 
> LIVE - in my GB case
> https://www.mozilla.org/en-GB/plugincheck
> 
> Using Windows 7 (64 bit OS) with Fx 33.
> 
> As I hoped and expected: 
> 
> Adobe Flash Player 15.0.0.152
> was correctly detected and reported as "vulnerable".
> 
> Carsten Book had done Bug 1083170 "October Flash updates" on
> 2014-10-15.  So, all was OK then on 2014-10-15.
> I updated Flash to 15.0.0.189 (both Fx and IE 9).

Since then, 'something has gone wrong'.
I think the 'communication from the Plugincheck Database'
to the 'plugincheck website' is NOT working correctly.

The evidence is in bug 1084537.


(In reply to john ruskin from comment #3)
> For what it's worth, after the update to the .189 version, the plug in check
> reports .189 as current 
> 
> (out of curiosity, is the plugin checker reporting 'current', or reporting
> that the current installed version is "newer or equal to" the database 
> understanding of current . . . ? )  ((Thus, I am not sure if the database holds
> the correct and current version value, or not))
> 
> If the plugin check as currently programmed reports "current" for "newer or 
> equal to", I propose that the plugin check be amended to show one of three traits: 
> "out of date", "Current", or "more recent" than the plugin check database.
> 
> Should I report that suggestion as a new bug, or leave it here . . . ?

John,
I agree with the thrust of your proposal:
to track 'newer' plugins
(i.e. the 'detected version' is newer
[has a higher 'version number']
than the 'version in the Plugincheck Database').

https://bug1020133.bugzilla.mozilla.org/attachment.cgi?id=8472629
Here is an example screenshot.
  Source, and discussion of this screenshot, is in bug 1020133 comment # 16.
  There are many screenshots in that bug.

Screenshot was taken on 2014-08-13.
Using Aurora (so using the 'JSON List' method), and the en-GB version of plugincheck.
This shows Flash as "vulnerable" - correct (in August)
and Reader as "vulnerable" - WRONG.


Being pedantic with the use of EXACT quotations from the 'plugincheck website'.

The "Status" column uses the phrases "Up to Date" and "vulnerable".

The coloured / colored 'buttons' in the "Action" column
have "Up to Date" on a 'green button' and
have "Update Now" on a 'red button'.

The word "current" is not used.

john ruskin wrote:
> (out of curiosity, is the plugin checker reporting 'current', or reporting
> that the current installed version is "newer or equal to" the database

It is reporting "newer or equal to" the version in the Database as "Up to Date".

Can the 'plugincheck website' detect "newer or equal to" plugins?
Yes, I believe it can (see bug 956905 comment # 68).

john ruskin wrote:
> Should I report that suggestion as a new bug, or leave it here . . . ?

See bug 850992 "Automate Plugincheck Script running on the Server to detect newest versions."
This was proposed on 2013-03-13.
I have commented there, today, and cited *this* bug.

In my opinion, if bug 850992 were implemented, there would be no need to have
the 'plugincheck website' SHOW a different result.

What I mean is, "Up to Date" could continue to cover
BOTH
'detected' a plugin which is a 'newer version than in the Plugincheck Database'
and
'detected' a plugin which matches the "latest" version in the Plugincheck Database

The reason I think this would be best is that there will often be cases
where there are 'some new version' is released, e.g. Adobe release another
version of Reader (or Flash).

ONE alert, as proposed in bug 850992, should be better than many, many
reports of 'I've just seen plugincheck tell me I've got a new version of 
XXXXXX that it does not know about, should I be reporting this?'.


Your good idea; to track 'newer' plugins, which had been proposed in bug 850992,
(had it been implemented) would have led to

TWO alerts in *this* case:

First, 
On 2014-1014 and 2014-10-15 BEFORE Bug 1083170 "October Flash updates" was done.

Second,
later on 2014-10-15 AFTER Bug 1083170 "October Flash updates" was closed,
and in many days since then, that *some* people, who had now updated
Flash to "15.0.0.189" (like you) were 'testing 15.0.0.189'.

The 'website thinks' (very anthropomorphic) that Flash 15.0.0.152 is the "latest".
This would trigger a SECOND 'new version alert'.

DJ-Leith
I'm seeing this again with FF ESR 31.2.0 on Windows 8.1.  Flash 15.0.0.223 is the current version, but 189 is installed and is reported in green as "up to date".
It's still broken.  Now Flash Player is at version 15.0.0.239, but version 15.0.0.223 is being shown as "up to date".  it's clear no one seems to care about making plugincheck work reliably (For Flash Player or Acrobat) and an unreliable "up to date" checker is just about worthless, as I have to go elsewhere to verify it's "really" up-to-date, or risk malware/viruses.

A unreliable "up to date" checker is disservice to the community.
"Fx-34-Flash-15-0-0-223-CORRECT-2014-12-04.png"

Please see screenshot "Fx-34-Flash-15-0-0-223-CORRECT-2014-12-04.png".

Using Windows 7 64 bit OS, with Fx 34 (en-GB), on 2014-12-04,
I have a CORRECT result for Flash 15.0.0.223 being reported as "vulnerable".

I have been getting this 'correct result for Flash' since 2014-11-26 13:00:00 PST.
On 2014-11-26 I was using Release which was Fx 33.1.1 then.
I still see the correct result on Fx 34 (current Release) today.

See bug 1105307, where Flash 15.0.0.239 was added to the 'Plugincheck Database'
(on 2014-11-26 at 07:36:12 PST).

  I have also, on another Windows 7 64 bit OS computer, using Fx 34 (en-GB)
  seen Flash 15.0.0.239 being reported as "Up to Date" correctly (on 2014-12-02).

In light of bug 1084537 "Flash sometimes displayed as up to date whilst vulnerable,
on Windows 7", I deliberately did NOT update Flash on this computer.

(In reply to javascriptjedi, on 2014-11-23 at 09:05:17 PST from comment # 5)
> I'm seeing this again with FF ESR 31.2.0 on Windows 8.1.  Flash 15.0.0.223 is 
> the current version, but 189 is installed and is reported in green as "up to date".

The 'Plugincheck Database' was updated to 15.0.0.239 on 2014-11-26 at 07:36:12 PST.
So you should, if 'everything was OK', have seen a 'more accurate result'
since then.
I speculated, in bug 1084537, that there may be an 'infrastructure issue' as part
of this saga. 

(In reply to javascriptjedi from comment #6)
> It's still broken.  Now Flash Player is at version 15.0.0.239, but version 15.0.0.223
> is being shown as "up to date".

We are getting different results.  This is not good.

> an unreliable "up to date" checker is just about worthless, as I have to go elsewhere
> to verify it's "really" up-to-date, or risk malware/viruses.

I agree.

javascriptjedi,
a screenshot, with information about OS, Fx version used and when you did the
'plugincheck test' might help diagnose why we are getting different results.

DJ-Leith
Flags: needinfo?(schalk.neethling.bugs)
I am just giving a general status update here, and will copy this over to any other relevant bugs where a needinfo request has been logged for me.

For the past quarter i.e. 1024-Q4, plugincheck has not been on my radar in any way, shape or form as I was moved to work on another project and 100% of my time was assigned to it. I have kept my eye on bugs etc. that has come an gone and have had the service in the back of my mind though and, from what I have seen this service is still very important to users and Mozilla for a variety of reasons which I will not go into here.

With all of that said, during this time there was also some out reach done to other groups within in Mozilla to take over part, or all, responsibility for plugincheck but, as of right now, there has been no takers.

AS I mentioned though, I completely understand and appreciate the importance of this service and, I also acknowledge that in it's recent, and current state, it does not provide the 'answers' users need but, I am moving pluginchck back as a top priority for myself in Q1 of 2015 and I am currently in the progress of planning for the year in general and then for Q1 specifically.

I want to open this up to the user base to get your input on what is important and the biggest pain points but, have not decided how I will do this.

Once all of these ducks are in a row, I will post a message to either a specific bug, to yammer or both. Please except my apologies for the steady decline of this service, thanks for your patience and continued feedback and I am certain that plugincheck is going to turn the corner in a positive way in 2015.
Flags: needinfo?(schalk.neethling.bugs)
The plugincheck page should be fixed properly or closed.  I spent a few minutes trying to figure out how to report it as a malware site to anti-malware vendors, but apparently it has to actually install malware to qualify rather than simply trick you into believing your plugins are up to date (which is almost as bad IMO).
Component: General → Database
You need to log in before you can comment on or make changes to this bug.